Acceptable Use Policy

Effective March 5, 2026

1. Purpose

This Acceptable Use Policy governs your use of the FlowCheck API and dashboard. It exists to protect the security and integrity of the Service for all users and to ensure compliance with the third-party platforms (Stripe, Plaid) we integrate with.

2. Permitted Use

FlowCheck is designed for:

  • Reconciling your own Stripe payouts against your own bank deposits
  • Monitoring your financial data through the API or dashboard
  • Building internal tools and dashboards that consume the FlowCheck API with your own credentials
  • Receiving webhook notifications about your own payout events

3. Prohibited Use

You must not:

  • Access financial data belonging to another person, business, or tenant without their explicit authorization
  • Share your API keys with unauthorized parties or embed them in client-side code
  • Attempt to reverse-engineer, brute-force, or circumvent authentication, rate limiting, or tenant isolation mechanisms
  • Use the Service to facilitate fraud, money laundering, or any illegal financial activity
  • Scrape, redistribute, or resell financial data obtained through the Service
  • Overload the API with requests designed to degrade service for other users (denial-of-service)
  • Store or transmit malicious code through webhook endpoints or API requests
  • Use the Service in ways that violate Stripe's or Plaid's terms of service or acceptable use policies
  • Connect Stripe accounts or bank accounts that you do not own or are not authorized to access
  • Use sandbox/test API keys to access production data, or vice versa

4. API Key and Credential Security

  • Treat your FlowCheck API keys as secrets. Do not commit them to version control, expose them in browser code, or share them in plaintext
  • Use restricted Stripe API keys with minimum required permissions (read-only access to Payouts and Balance)
  • Revoke and regenerate API keys immediately if you suspect they have been compromised
  • Use sandbox keys (fc_test_*) for development and testing; production keys (fc_live_*) only for production workloads

5. Rate Limits

Each plan has a per-minute rate limit. Requests that exceed the limit receive a 429 response, and clients are expected to retry automatically with exponential backoff. Sustained attempts to circumvent rate limits may result in account suspension.

6. Webhook Responsibilities

If you register webhook endpoints, you must:

  • Only register HTTPS endpoints that you own and control
  • Verify webhook signatures using the signing secret provided at registration
  • Respond to webhook deliveries within 10 seconds with a 2xx status code
  • Not use webhook endpoints to redirect financial data to unauthorized third parties

7. Enforcement

Violations of this policy may result in:

  • Temporary rate limiting or throttling
  • API key revocation
  • Account suspension
  • Permanent account termination

We will attempt to notify you before taking action, except in cases of severe or obvious abuse where immediate action is necessary to protect the Service or other users.

8. Reporting

If you discover a security vulnerability or suspect abuse, report it to security@usepopup.com.