AI Governance · 9 min read · 29 May 2026

AI Acceptable Use Policy for SaaS: What to Include and Why It Matters

A practical guide to writing an AI Acceptable Use Policy for your SaaS product. Covers EU AI Act Art. 26 obligations, prohibited AI uses, bias disclosures, human oversight levels, and enforcement mechanisms.

AI Acceptable Use Policy for SaaS: What to Include and Why It Matters in 2026

If your SaaS product includes AI features — a writing assistant, code generator, chatbot, recommendation engine, or anything that uses machine learning to produce outputs — you need an AI Acceptable Use Policy.

This isn't optional theory. The EU AI Act (Regulation (EU) 2024/1689) has applied in stages since 2 February 2025, and it places specific transparency and use obligations on both AI providers and deployers. Your Terms of Service alone doesn't cover them. Your existing Acceptable Use Policy (if you have one) probably doesn't cover AI-specific risks. A dedicated AI AUP is becoming the standard way to put those obligations in front of users, and the most defensible one if you ever have to enforce them.

This guide walks you through what to include, why each section matters, and what EU AI Act and GDPR provisions are driving the requirements.

Why You Need an AI-Specific AUP

A general AUP covers platform abuse — spam, illegal content, hacking. An AI AUP covers a different set of risks that emerge specifically because of how AI systems work:

  • Inputs can cause harm: A user submitting another person's personal data, biometric data, or patient records into your AI can leave you processing data with no lawful basis (GDPR), pull a HIPAA problem into your stack, and hand abusers a tool.
  • Outputs can be misused: AI-generated content can be used to deceive, harass, impersonate, or defraud. Your platform becomes the tool, and potentially the liable party.
  • Accuracy is not guaranteed: AI systems hallucinate. Users who rely on AI outputs for legal, medical, or financial decisions, with no clear disclaimer from you, create liability exposure.
  • Bias can cause discrimination: AI systems trained on historical data can reproduce and amplify biases. Without a disclosure and a prohibition on discriminatory use, you may face claims.
  • EU AI Act Art. 50 requires disclosure: From 2 August 2026, people interacting with an AI system must be told they are interacting with AI unless that is obvious from the context. This is not optional.

An AI AUP addresses all of these. It sets user expectations, limits your liability, establishes the rules for acceptable AI use, and documents your EU AI Act compliance approach.

EU AI Act: What Providers and Deployers Must Do

The EU AI Act creates obligations for two main roles: providers (who develop AI systems or models and place them on the market under their own name) and deployers (who use an AI system under their own authority in a professional context). Many SaaS companies wear both hats. When you integrate a third-party foundation model into a feature you market under your own name, you are the provider of that AI system (the model vendor, e.g. OpenAI or Anthropic, is the provider of the general-purpose AI model under Art. 53). When you use an AI system in your own operations, for example to triage support tickets or score leads, you are a deployer.

Role | Key obligation | Relevant to AI AUP
---- | -------------- | ------------------
Provider | Art. 13: transparency and provision of information to deployers (high-risk systems) | Document AI capabilities, limitations, human oversight level
Provider | Art. 50: transparency for certain AI systems (applies from 2 August 2026) | Disclose when users interact with AI (chatbots, synthetic media)
Deployer | Art. 26(1): appropriate technical and organisational measures (high-risk systems) | Define prohibited uses, monitoring, enforcement
Deployer | Art. 26(11): inform natural persons that they are subject to a high-risk AI system | Automated decision-making disclosure requirements
Both | Art. 4: AI literacy (in force since 2 February 2025) | Your staff and anyone operating the AI on your behalf must have sufficient AI literacy; user-facing guidance in the AUP supports this but does not discharge it
GPAI model provider | Art. 53: technical documentation, information for downstream providers, copyright policy, training-content summary | Model card / training data transparency (only if you provide the model itself)

An AI AUP is the user-facing implementation of many of these obligations. It's where you disclose, restrict, and set expectations.

The 12 Sections of a Strong AI AUP

1. Scope and What AI Features Are Covered

Be specific. Don't just say "AI features" — list the actual capabilities: text generation, image creation, code assistance, chatbot, recommendations. This matters legally: if a user misuses a feature that isn't listed, your AUP may not cover it.

Also specify who the AUP applies to: registered users, API developers, contractors with API access, enterprise customers.

2. Permitted Uses

Describe what users ARE allowed to do. This section is often overlooked, but it's important: it sets the baseline expectation and prevents the document from being purely prohibitive. Include the legitimate use cases: professional content creation, code review assistance, data analysis, customer support drafting, etc.

3. Prohibited Inputs — What Not to Submit

This is one of the highest-risk sections. Users must not submit:

  • Personal data of third parties without a lawful basis — submitting someone else's email, medical records, or face photo without their knowledge can put you in breach of GDPR, and potentially CCPA for US residents' data
  • Classified or government-sensitive information — national security risk
  • Content infringing third-party IP — running copyrighted material through an AI does not make the infringement acceptable
  • Patient health records without a signed BAA — a HIPAA covered entity that discloses PHI to you without a business associate agreement breaches HIPAA, and the problem lands in your stack
  • Biometric data used to identify individuals — GDPR Art. 9 special category data; it needs explicit consent or another Art. 9(2) exception
  • CSAM or content sexualising minors — absolute prohibition, with mandatory reporting to the relevant authority in most jurisdictions
  • Malware or attack payloads — using the AI to build or refine offensive tooling

Each prohibition should be accompanied by the legal basis for it. This is both good practice and useful if you need to terminate an account: the prohibition was clearly stated.

4. Prohibited Output Uses — What Not to Do With AI Results

AI outputs can be misused even when the input was legitimate. Users must not use AI outputs to:

  • Create deepfakes or synthetic identity content to deceive
  • Generate CSAM or sexualised content involving minors — absolute prohibition
  • Produce malware, ransomware, or cyberweapons
  • Create disinformation or election manipulation content
  • Discriminate against individuals based on protected characteristics (race, gender, disability, age, religion)
  • Circumvent legal protections or impersonate individuals
  • Generate mass spam or phishing campaigns

EU AI Act Art. 5 lists prohibited AI practices that have applied since 2 February 2025. Your AI AUP should reflect these: subliminal or manipulative techniques, social scoring, real-time remote biometric identification in publicly accessible spaces for law enforcement (with narrow exceptions), and exploiting vulnerabilities linked to age, disability or social or economic situation. If your platform could be used to do any of these things, explicitly prohibit it.

5. AI Accuracy Limitations and Hallucination Warnings

This section exists to manage liability. AI systems — even the best current LLMs — produce incorrect, outdated, or fabricated information. Users who rely on AI outputs for consequential decisions without verification create claims that your platform caused harm.

Include:

  • An explicit acknowledgement that AI outputs may be inaccurate
  • A prohibition on relying solely on AI outputs for legal, medical, financial, or safety-critical decisions
  • A statement that AI outputs do not constitute professional advice
  • A no-warranty disclaimer on AI output accuracy

6. Bias and Fairness Disclosure

GDPR Art. 5(1)(a) requires fair processing. EU AI Act Art. 10 requires high-risk systems to have data governance practices that examine training, validation and testing data for possible bias. GDPR Art. 22 restricts solely automated decisions that produce legal or similarly significant effects and requires safeguards where they are allowed.

Your AI AUP should:

  • Acknowledge that AI systems may exhibit bias reflecting training data
  • Commit to ongoing bias evaluation and mitigation
  • Prohibit use of AI to discriminate on protected characteristics
  • Provide a channel to report suspected bias (usually your privacy/legal email)

7. Human Oversight Level

This is a key EU AI Act requirement. Art. 14 requires that high-risk AI systems be designed so that natural persons can oversee them effectively. Even for lower-risk systems, being explicit about your oversight model is good practice.

Oversight levels run from full automation (no human review) to human-advisory-only (AI supports, a human decides), with intermediate models between them. Your policy should state which applies and, for automated decisions that significantly affect users, how users can request human review. GDPR Art. 22(3) requires this: the right to obtain human intervention, to express a view, and to contest the decision.

8. Data Use and AI Training Transparency

Two questions your users will ask: Does their data train your AI? Can they opt out?

If user inputs are used to improve your AI models, disclose this. Include:

  • What data is used (inputs only, or also outputs?)
  • How it's used (retraining, fine-tuning, evaluation?)
  • What safeguards apply (anonymisation, aggregation?)
  • The GDPR lawful basis for training data use
  • How users can opt out

If user data is NOT used for training, state this explicitly — it's a selling point, especially for enterprise customers.

9. Content Moderation and Safety

Describe your content safety approach: automated content filters, user reporting mechanisms, manual review queues. This matters for EU DSA compliance (if you're an intermediary service) and for EU AI Act obligations on deployers.

Include an emergency contact for urgent safety issues: CSAM, credible threats of violence, imminent harm.

10. Enforcement Actions

Be specific about what happens when a user violates the AUP. A graduated enforcement model is standard:

  1. Warning notice for first-time or minor violations
  2. Temporary feature suspension for repeat or moderate violations
  3. Account termination for severe or persistent violations
  4. Law enforcement referral for criminal content (CSAM, terrorism)

State that no refunds are given for terminations due to AUP violations. Include an appeals mechanism: the EU DSA (Art. 20) requires online platforms to run an internal complaint-handling system for content moderation decisions, and giving every enforcement decision an appeal route is good practice whether or not you fall under it.
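
The ladder above is only defensible if the system that applies it records which stated prohibition was breached. As an added illustration (not code from this guide or from any product it describes), here is a Python request gate that screens a prompt against a few of section 3's prohibited-input categories and applies the graduated actions from this section, logging the triggering clause with the action. The regex detectors, the clause numbers (AUP 3(a) and so on), the severity tiers and the strike thresholds are all assumptions made for the example; a real deployment would replace the regexes with a PII/DLP classifier and add detectors for the criminal tier, which is matched by dedicated hash and classifier services rather than patterns.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Severity tiers map onto the four rungs of the enforcement ladder.
MINOR, MODERATE, SEVERE, CRIMINAL = "minor", "moderate", "severe", "criminal"
_RANK = {MINOR: 0, MODERATE: 1, SEVERE: 2, CRIMINAL: 3}


@dataclass
class Rule:
    name: str
    clause: str          # hypothetical AUP clause number the user agreed to
    severity: str
    pattern: re.Pattern


# Illustrative detectors for three prohibited-input categories from section 3.
# Regexes stand in for a real PII/DLP classifier so the example runs offline.
# No CRIMINAL detector is defined: that material is matched by dedicated
# hash/classifier services, not by patterns; the ladder still handles the tier.
RULES = [
    # third-party personal data: an email address that is not the requester's own
    Rule("third_party_email", "AUP 3(a)", MINOR,
         re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    # patient-record marker (medical record number) submitted without a BAA
    Rule("medical_record_number", "AUP 3(d)", MODERATE,
         re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE)),
    # encoded PowerShell command line, a common attack-payload shape
    Rule("encoded_attack_payload", "AUP 3(g)", SEVERE,
         re.compile(r"powershell(?:\.exe)?\s+-(?:e|enc|encodedcommand)\b", re.IGNORECASE)),
]


@dataclass
class UserRecord:
    email: str
    prior_violations: int = 0
    audit_log: list = field(default_factory=list)


@dataclass
class Decision:
    allowed: bool
    action: str                      # allow | warn | suspend | terminate
    refer_to_law_enforcement: bool
    clause: Optional[str]
    evidence: Optional[str]
    appealable: bool = True          # every enforcement decision gets an appeal route


def screen_input(text: str, user: UserRecord):
    """Return (rule, matched_text) for the most severe rule that fires, else None."""
    hits = []
    for rule in RULES:
        for m in rule.pattern.finditer(text):
            # The requester's own address is not third-party personal data.
            if rule.name == "third_party_email" and m.group(0).lower() == user.email.lower():
                continue
            hits.append((rule, m.group(0)))
    return max(hits, key=lambda h: _RANK[h[0].severity]) if hits else None


def ladder(severity: str, prior_violations: int):
    """Graduated enforcement; returns (action, law_enforcement_referral)."""
    if severity == CRIMINAL:
        return "terminate", True
    if severity == SEVERE or prior_violations >= 2:    # severe, or persistent (third strike)
        return "terminate", False
    if severity == MODERATE or prior_violations >= 1:  # moderate, or repeat
        return "suspend", False
    return "warn", False                               # first-time minor


def enforce(text: str, user: UserRecord) -> Decision:
    """Gate one AI-feature request; updates the user's violation history."""
    hit = screen_input(text, user)
    if hit is None:
        return Decision(True, "allow", False, None, None)
    rule, matched = hit
    action, refer = ladder(rule.severity, user.prior_violations)
    user.prior_violations += 1
    # Record the clause next to the action so a later termination can cite the
    # prohibition the user accepted rather than a vague "policy violation".
    user.audit_log.append({"rule": rule.name, "clause": rule.clause,
                           "action": action, "evidence": matched})
    return Decision(False, action, refer, rule.clause, matched)


if __name__ == "__main__":
    # Constructed sample prompts, not real user data.
    alice = UserRecord("alice@example.com")
    for prompt in ["Summarise this thread from alice@example.com",
                   "Draft a reply to bob@contoso.com about his invoice",
                   "Now one for carol@contoso.com",
                   "And dave@contoso.com"]:
        d = enforce(prompt, alice)
        print(f"{d.action:9} clause={d.clause} evidence={d.evidence}")
```

The design point is the audit entry: each enforcement action is stored with the rule, the clause and the matched evidence, so the appeal handler and the account-termination notice can both point at a specific prohibition the user saw when they accepted the AUP.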

11. Applicable Law and Regulatory Compliance

List the regulations your AI AUP is designed to address. For EU SaaS companies, this typically includes:

  • EU AI Act (Regulation (EU) 2024/1689) — risk classification, transparency, human oversight
  • GDPR — Art. 5 (fairness), Art. 13/14 (transparency), Art. 22 (automated decisions), Art. 35 (DPIA for high-risk processing)
  • EU Digital Services Act — content moderation, notice and complaint mechanisms
  • EU Product Liability Directive (Directive (EU) 2024/2853, which extends product liability to software including AI systems; member states must transpose it by December 2026) — liability for defective AI

12. Definitions

Define key terms: AI System, AI Output, GPAI (General Purpose AI), High-Risk AI System, Automated Decision-Making, User Input, Fine-tuning, Training Data. This prevents disputes about what the policy covers.

Children and AI: A Special Case

If your product may be accessed by minors, your AI AUP needs additional provisions:

  • GDPR Art. 8: where consent is the lawful basis for an online service offered directly to a child, a child below the age threshold needs parental consent (16 by default; member states may lower it to 13)
  • UK Children's Code (Age Appropriate Design Code): if users under 18 are likely to access your service, you must meet the ICO's 15 standards, including data minimisation, profiling off by default, and no nudge techniques
  • COPPA (US): collecting personal data from children under 13 requires verifiable parental consent
  • EU AI Act: Art. 5(1)(b) prohibits AI that exploits vulnerabilities linked to age, so manipulation of children is a prohibited practice already in force; Art. 86 (right to an explanation of individual decisions made with high-risk AI) applies to affected persons generally, children included, from 2 August 2026

If your product is intended for adults only, state this clearly and include a minimum age requirement. If it serves children, create a separate Children's Privacy Policy and review the UK Children's Code standards in detail.

AI AUP vs Terms of Service vs General AUP

Document | What it covers | AI-specific?
-------- | -------------- | -------------
Terms of Service | Contract terms, IP, liability, payment | No
General AUP | Platform abuse, illegal content, spam | Partially
Privacy Policy | Data collection, processing, rights | Covers data, not use rules
AI AUP | AI-specific prohibited uses, bias, oversight, training transparency | Yes; essential for AI features
AI Model Card | Technical system documentation for downstream users/integrators | Yes; EU AI Act Art. 53 if you provide a GPAI model

You need all of these. They serve different purposes and different audiences. Your ToS is a contract. Your AI AUP is a use-rules document. Your Privacy Policy is a data-rights document. Your Model Card (if GPAI-relevant) is a technical transparency document for regulators and integrators.


⚠️ This article is for informational purposes only and does not constitute legal advice. The EU AI Act is being interpreted and enforced progressively. Consult qualified legal counsel for advice specific to your AI system and use case.