ESSign In

Acceptable Use Policy

Prohibited practices, enforcement actions, and violation reporting for the Whatalo Developer Platform.

Effective Date: April 1, 2026 | Last Updated: April 1, 2026

This Acceptable Use Policy ("AUP") defines the boundaries of acceptable conduct on the Whatalo Developer Platform. All Developers, Plugins, and API integrations must comply with this AUP in addition to the Developer Terms of Service and all other applicable policies.

1. Prohibited Practices

The following activities are strictly prohibited on the Whatalo Platform:

1.1 Security Violations

  • Malware Distribution — Introducing viruses, trojans, ransomware, spyware, adware, or any malicious code through your Plugin or API integration.
  • Unauthorized Access — Attempting to access data, systems, or accounts that you are not authorized to access, including other developers' Plugins or stores that have not installed your Plugin.
  • Credential Theft — Collecting, storing, or transmitting Store Owner or End User credentials (passwords, API keys, tokens) beyond the scope of your authorized OAuth integration.
  • Cryptomining — Using Platform resources or Store Owner infrastructure for cryptocurrency mining or similar resource-intensive operations without explicit authorization.
  • Vulnerability Exploitation — Exploiting known or discovered vulnerabilities in the Platform, APIs, or other Plugins instead of responsibly disclosing them.

1.2 Data Abuse

  • Unauthorized Data Collection — Collecting Store Owner or End User data beyond the scopes granted by your OAuth permissions.
  • Data Exfiltration — Transferring Platform data to external systems for purposes not disclosed in your Plugin's privacy policy.
  • Data Selling — Selling, renting, or commercially transferring any data obtained through the Platform.
  • Profiling — Building advertising profiles, behavioral profiles, or dossiers on Store Owners or End Users using Platform data without explicit consent.
  • Cross-Store Data Correlation — Correlating data across multiple stores to identify or track End Users without explicit consent from all parties.

1.3 Platform Integrity

  • Rate Limit Circumvention — Attempting to bypass, circumvent, or artificially inflate API rate limits through multiple accounts, distributed requests, or other technical means.
  • Platform Circumvention — Processing payments, subscriptions, or transactions outside the Whatalo billing system to avoid platform commissions, unless explicitly permitted.
  • Reverse Engineering — Decompiling, disassembling, or reverse engineering any part of the Whatalo Platform, APIs, or SDKs.
  • Competitive Intelligence — Using API access to benchmark, analyze, or extract competitive intelligence about the Platform.
  • Resource Abuse — Intentionally consuming excessive API resources, storage, or bandwidth beyond reasonable Plugin needs.

1.4 Marketplace Manipulation

  • Fake Reviews — Creating, soliciting, or purchasing fake ratings or reviews for your Plugin or competitors' Plugins.
  • Review Manipulation — Incentivizing positive reviews with discounts, free services, or other consideration.
  • Plugin Cloning — Copying or closely imitating another developer's Plugin without substantial original functionality.
  • Keyword Stuffing — Inserting irrelevant keywords in your listing to manipulate search results.
  • False Advertising — Misrepresenting your Plugin's features, performance, or compatibility in the listing.
  • Astroturfing — Creating multiple developer accounts to submit similar Plugins or inflate perceived market presence.

1.5 Harmful Content

  • Illegal Content — Distributing content that violates applicable laws in any jurisdiction where the Plugin operates.
  • Hate Speech — Promoting hatred, discrimination, or violence against individuals or groups.
  • Adult Content — Distributing pornographic or sexually explicit content without appropriate age gates and content warnings.
  • Intellectual Property Infringement — Using copyrighted material, trademarks, or patented technology without authorization.

2. What Gets a Plugin Rejected

The following issues will result in Plugin rejection during the review process:

  1. Critical bugs — Plugin crashes, data corruption, or loss of functionality during testing.
  2. Security vulnerabilities — Hardcoded secrets, unverified webhooks, SQL injection, XSS, or other OWASP Top 10 vulnerabilities.
  3. Excessive permissions — Requesting OAuth scopes beyond what the Plugin demonstrably needs.
  4. Missing privacy policy — No published privacy policy, or policy that does not meet minimum requirements.
  5. Non-functional support channel — Support URL leads to a broken page, dead email, or unmonitored channel.
  6. Misleading listing — Description, screenshots, or name do not accurately represent Plugin functionality.
  7. Poor user experience — No loading states, raw error messages, broken layouts, or inaccessible interfaces.
  8. Accessibility failures — Does not meet WCAG 2.1 Level AA minimum requirements.
  9. Platform duplication — Plugin replicates core Platform functionality without adding meaningful value.
  10. Incomplete functionality — Advertised features are not implemented or "coming soon."
  11. External payment flows — Processing payments outside the Whatalo billing system without explicit authorization.
  12. Dependency risks — Critical or high-severity vulnerabilities in third-party dependencies.

3. What Gets a Developer Banned

The following violations may result in immediate and permanent termination of your developer account, forfeiture of unpaid revenue, and referral to legal authorities where applicable.

  1. Malware distribution — Intentionally distributing malicious code through the Platform.
  2. Data theft — Unauthorized collection, exfiltration, or sale of Store Owner or End User data.
  3. Financial fraud — Manipulating billing, submitting false payment information, or money laundering.
  4. Identity fraud — Impersonating another developer, company, or Whatalo employee.
  5. Repeated policy violations — Three or more suspensions for policy violations within a 12-month period.
  6. Review manipulation — Systematic fake review campaigns or bribing for positive reviews.
  7. Legal violations — Using the Platform to facilitate illegal activities.
  8. Retaliatory conduct — Threatening, harassing, or retaliating against Whatalo employees, reviewers, or other developers.

4. Reporting Violations

4.1 How to Report

If you discover a policy violation by another developer or Plugin:

  • Developer Portal — Use the "Report Violation" form in the Developer Portal.
  • In-Marketplace — Use the "Report" link on any Plugin listing in the Marketplace.
  • Security Issues — For urgent security vulnerabilities, contact the Whatalo security team directly through the Developer Portal with the "Security" priority flag.

4.2 What to Include

InformationDescription
Plugin NameThe name and URL of the Plugin in question
Violation TypeCategory of violation (security, data abuse, marketplace manipulation, etc.)
EvidenceScreenshots, logs, URLs, or other documentation supporting the report
ImpactDescription of actual or potential harm
TimelineWhen you first observed the violation

4.3 Reporter Protections

  • All reports are treated as confidential. Your identity will not be disclosed to the reported party.
  • Whatalo prohibits retaliation against good-faith reporters.
  • You will receive acknowledgment of your report within two (2) business days.
  • Outcomes may not be fully disclosed due to privacy obligations, but you will be notified when the investigation is closed.

5. Enforcement Actions

Whatalo applies a graduated enforcement model based on the severity, intent, and frequency of violations:

5.1 Enforcement Ladder

LevelActionTriggerDuration
1 — WarningWritten notice via emailFirst minor violation (listing issues, minor UX problems)N/A — corrective action required within 14 days
2 — Plugin SuspensionPlugin hidden from Marketplace; existing installs continueRepeated minor violations, single moderate violationUntil issue is resolved and re-reviewed
3 — Plugin RemovalPlugin fully removed; existing installs disabledSerious violation, unresolved suspension, security incidentPermanent for that Plugin version
4 — Account SuspensionAll Plugins suspended; API access revokedMultiple Plugin removals, serious policy violations30-90 days, subject to review
5 — Account TerminationDeveloper account permanently closed; all Plugins removedBan-worthy violations (Section 3), persistent non-compliancePermanent
6 — Legal ActionCivil or criminal proceedingsFraud, data theft, malware, illegal activityAs determined by legal process

5.2 Emergency Actions

Whatalo may bypass the graduated enforcement ladder and take immediate action (suspension or removal) when:

  • There is an active security threat to the Platform or its users.
  • A Plugin is actively causing data loss or corruption.
  • Legal compliance requires immediate action.
  • There is credible evidence of fraud or malicious intent.

5.3 Appealing Enforcement Actions

  • You may appeal enforcement actions at Levels 2-5 within fourteen (14) calendar days.
  • Appeals are reviewed by a senior member of the Developer Relations team who was not involved in the original decision.
  • During the appeal process, the enforcement action remains in effect.
  • Appeal decisions are communicated within ten (10) business days and are final.

5.4 Revenue Implications

  • Warning: No revenue impact.
  • Plugin Suspension: Revenue share continues for existing active subscriptions during the suspension.
  • Plugin Removal: Revenue share ceases for new transactions. Existing subscription obligations are fulfilled through their current billing period.
  • Account Suspension/Termination: Unpaid revenue may be held for up to ninety (90) days pending investigation. Undisputed balances are paid after the hold period.
  • Ban-worthy violations: Whatalo reserves the right to forfeit unpaid revenue in cases of fraud, malware, or data theft, subject to applicable law.

6. Good Standing

Maintaining good standing in the Whatalo Developer Program means:

  • Zero unresolved enforcement actions.
  • Consistent compliance with all policies and guidelines.
  • Active support channel with acceptable response times.
  • Timely response to Whatalo communications (within 5 business days).
  • Up-to-date Plugin listings and privacy policies.

Developers in good standing may be eligible for:

  • Priority review times for Plugin submissions and updates.
  • Enhanced Marketplace visibility and featured placement consideration.
  • Early access to new APIs, features, and developer tools.
  • Invitation to developer events and advisory programs.

For questions about this policy or to report a violation, contact the Whatalo Developer Relations team through the Developer Portal.

Privacy & Data Requirements

How Whatalo handles developer data and what developers must do to protect merchant and end-user data.

End User License Agreement Template

A standard EULA template that developers can adopt or adapt for their Whatalo Marketplace plugins.

On this page

1. Prohibited Practices
1.1 Security Violations
1.2 Data Abuse
1.3 Platform Integrity
1.4 Marketplace Manipulation
1.5 Harmful Content
2. What Gets a Plugin Rejected
3. What Gets a Developer Banned
4. Reporting Violations
4.1 How to Report
4.2 What to Include
4.3 Reporter Protections
5. Enforcement Actions
5.1 Enforcement Ladder
5.2 Emergency Actions
5.3 Appealing Enforcement Actions
5.4 Revenue Implications
6. Good Standing