Legal & Compliance

TERMS & CONDITIONS — TunerBee AS

1. Introduction & Contracting Entity

These Terms govern the use of the TunerBee platform ("Service") provided by TunerBee AS, a company registered in Norway ("TunerBee", "we").

The Service enables interactive AI-driven learning, simulation, and conversational scenarios powered by large language models.

All agreements are entered into with TunerBee AS, regardless of customer location.

By using the Service, you agree to these Terms.

1.1 International Use

The Service is operated from Norway but may be accessed globally. Users are responsible for compliance with local laws.

2. Service Description

TunerBee provides:

AI-driven training and simulation environments
Scenario-based interactions using LLMs
Usage-based consumption via credits
Tenant-based SaaS environment

3. Accounts & Tenants

Each Customer operates a tenant environment. Users act under the Customer's responsibility. Customers are responsible for:

Invitations
Usage consumption
Access control

4. Subscription, Credits & Billing

4.1 Subscription

Subscriptions are billed via Stripe or equivalent provider.

4.2 Credits

Credits represent consumable usage units. Credits are consumed based on:

AI interactions
Scenario executions
Processing workloads

4.3 Credit Rollover

Credits may roll over for a limited period (configurable per plan). Expired credits are forfeited.

4.4 Overages

Pay-as-you-go may be enabled. Spend limits may be configured. TunerBee may allow overuse and bill, or block usage when limits are reached.

4.5 Pre-Consumption Validation

TunerBee may estimate usage per action (e.g. invitations) to prevent over-consumption.

5. Acceptable Use Policy

By accessing or using the Service you agree to comply with this Acceptable Use Policy ("AUP"). Violation of this AUP may result in immediate suspension or termination of your access. TunerBee reserves the right to update this AUP at any time with notice.

5.1 Prohibited Conduct — General

You may not use the Service to:

Violate any applicable local, national, or international law or regulation;
Engage in fraud, impersonation, or misrepresentation of your identity or affiliation;
Harass, intimidate, threaten, or discriminate against any individual or group;
Facilitate or promote illegal activity of any kind;
Distribute, transmit, or store material that is defamatory, obscene, or in violation of any third party's rights;
Infringe any patent, trademark, trade secret, copyright, or other intellectual property right;
Violate the privacy or data protection rights of any individual;
Solicit, collect, or store personal data of other users without their explicit consent;
Engage in phishing, spoofing, or other deceptive practices.

5.2 System Integrity & Security

You may not:

Conduct or facilitate denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks against the Service or any third party;
Attempt to gain unauthorised access to the Service, its infrastructure, or any related systems, accounts, or networks;
Exploit, probe, or test for security vulnerabilities in the Service without TunerBee's prior written authorisation;
Introduce or distribute malware, ransomware, viruses, trojans, worms, or any other malicious code;
Interfere with, disrupt, or degrade the integrity, performance, or availability of the Service or infrastructure;
Bypass, disable, or circumvent any security feature, rate limit, access control, billing control, or usage limit;
Attempt to reverse engineer, decompile, disassemble, or derive source code from any part of the Service, AI models, or underlying infrastructure.

5.3 Third-Party and Automated Access

You may not:

Access or use the Service through any unauthorised third-party application, browser extension, proxy, wrapper, or integration not approved by TunerBee;
Use automated bots, scrapers, crawlers, scripts, or other automated means to access, extract, or interact with the Service beyond what is explicitly permitted by TunerBee;
Scrape, harvest, or systematically copy any content, data, or output from the Service without prior written consent;
Resell, sublicense, rent, lease, or otherwise make the Service available to third parties without TunerBee's written authorisation;
Use the Service to build, train, or improve a competing product or service;
Share login credentials, API keys, or session tokens with unauthorised parties or allow simultaneous access by multiple individuals under a single account;
Exceed rate limits or API call quotas in a manner intended to circumvent service restrictions.

5.4 Content Restrictions

You may not submit, upload, generate, or transmit content that:

Is unlawful, harmful, abusive, threatening, or harassing;
Constitutes hate speech or discriminates based on race, ethnicity, national origin, religion, gender, gender identity, sexual orientation, disability, or age;
Depicts or facilitates violence, self-harm, or exploitation of minors;
Infringes any third party's intellectual property rights;
Contains personally identifiable information of third parties without their consent;
Is designed to deceive, manipulate, or generate disinformation at scale.

5.5 Misuse of AI and Assessment Features

You may not:

Use the Service to artificially inflate, manipulate, or falsify AI-generated assessments, scores, or training results;
Impersonate another candidate, employee, or user during a session or assessment;
Configure scenarios or prompts designed to extract confidential system information, circumvent AI safeguards, or cause the AI to produce prohibited outputs ("prompt injection");
Use AI-generated outputs as the sole and unreviewed basis for consequential employment, educational, or legal decisions (see also section 10 of the DPA below).

5.6 Enforcement

TunerBee may, at its sole discretion and without prior notice where circumstances require:

Investigate suspected violations of this AUP;
Throttle, rate-limit, suspend, or permanently terminate access to the Service;
Remove or disable content that violates this AUP;
Preserve and disclose information to law enforcement, regulators, or affected parties as required by law or to protect TunerBee, its users, or third parties;
Pursue civil or criminal remedies to the fullest extent permitted by applicable law.

Customers are responsible for ensuring their end-users comply with this AUP. A violation by an end-user is treated as a violation by the Customer.

6. AI / LLM Usage Clause (Critical)

The Service relies on AI models, including services from Google and potentially other providers.

6.1 Nature of AI Output

Outputs are probabilistic and non-deterministic. TunerBee does NOT guarantee accuracy, completeness, or fitness for a specific purpose.

6.2 User Responsibility

You are responsible for:

Validating outputs before use
Ensuring compliance with applicable laws
Avoiding reliance in critical decisions without verification

6.3 Prohibited AI Use

You may not use the Service to:

Generate illegal or harmful content
Violate rights of individuals
Perform automated decision-making where prohibited by law

6.4 Model Training & Data Use

Customer Data is NOT used to train, fine-tune, or improve any foundation model or AI system, by TunerBee or any subprocessor, unless the Customer has given explicit prior written consent. All processing of Customer Data by the AI subprocessor (Google Vertex AI) is transient — data is not retained by the subprocessor after inference is complete. TunerBee will, on request, provide written confirmation of the subprocessor's contractual commitment to this restriction.

6.5 Transparency to End-Users

Where the Customer uses TunerBee for any use case that involves AI-driven evaluation, assessment, or scoring of individuals (including but not limited to interview screening, candidate assessment, or performance evaluation), the Customer must:

(a) Inform affected individuals, before they engage with the platform, that they are interacting with an AI system and that their responses will be recorded and assessed;

(b) Identify the Customer as the Data Controller and provide a contact point for data subject rights requests;

TunerBee will provide a recommended disclosure template to assist Customers in meeting this obligation.

7. Data Protection & Privacy

7.1 Roles

Customer = Data Controller. TunerBee = Data Processor. A Data Processing Agreement (DPA) applies (see below).

8. Data Residency

TunerBee enforces regional data isolation:

EU Customers: Data stored and processed in EU (Azure EU regions)
US Customers: Data stored and processed in US (Azure US regions)

Cross-region transfer is restricted unless explicitly agreed.

9. Subprocessors

Our complete and up-to-date list of authorized subprocessors is available on our Subprocessor Registry.

10. Intellectual Property

TunerBee retains all rights to the platform. Customer retains ownership of submitted data. AI-generated output usage rights are granted to Customer (no exclusivity guaranteed).

11. Service Levels

Service provided "as is". No guaranteed uptime unless defined in SLA.

12. Limitation of Liability

To the maximum extent permitted: No liability for AI inaccuracies or indirect damages. Liability capped at fees paid in last 12 months.

13. Termination

We may suspend or terminate for non-payment, abuse or misuse, or legal requirements.

14. Governing Law & Jurisdiction

These Terms are governed by Norwegian law.

For US customers: Mandatory consumer protection laws may apply. Nothing in these Terms limits rights that cannot be waived under applicable law.

15. Minimum Age

The Service is intended for use by individuals aged 13 or over (or such higher age as required by applicable law — 15 years in Norway for information society services under the Personal Data Act 2018).

Customers are responsible for ensuring that end-users of their tenant meet the minimum age requirement and for obtaining any parental or guardian consent required by applicable law. Customers using TunerBee in educational or e-learning contexts that may involve minors must notify TunerBee prior to onboarding and must agree to any additional safeguards TunerBee reasonably requires.

DATA PROCESSING AGREEMENT (DPA)

1. Scope

This DPA governs processing of personal data under the General Data Protection Regulation (GDPR) and applicable US privacy laws (including CCPA where relevant). TunerBee AS acts as a Data Processor under GDPR for all customers because we are established in the EU/EEA. The Customer acts as the Data Controller.

2. Processing Details

Subject Matter: Provision of AI-driven SaaS platform
Duration: For the term of the agreement
Nature: Storage, Transformation, AI processing, Analytics

3. Categories of Data

May include: User account data, Interaction data, Scenario responses, Generated AI content.

4. Subprocessors

Our complete and up-to-date list of authorized subprocessors is available on our Subprocessor Registry.

5. International Transfers

TunerBee AS may transfer personal data outside the EEA or the United Kingdom where necessary to provide the Service. TunerBee ensures that all such transfers are subject to an appropriate safeguard as follows:

(a) EU/EEA Customers: Transfers to third countries are governed by the Standard Contractual Clauses issued by the European Commission (Decision 2021/914, as amended). Where a subprocessor is certified under the EU-US Data Privacy Framework, that framework applies in addition.

(b) UK Customers: Transfers of UK personal data to third countries that are not subject to a UK adequacy regulation are governed by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (as applicable), as issued by the Information Commissioner's Office. Where a subprocessor participates in the UK-US Data Bridge, that mechanism applies.

(c) Intra-EEA and EEA–UK transfers: The European Commission has adopted an adequacy decision in respect of the United Kingdom; no additional safeguard is required for transfers from the EEA to the UK. The UK has adopted adequacy regulations in respect of the EU/EEA; no additional safeguard is required for transfers from the UK to the EEA.

TunerBee maintains an up-to-date record of the transfer mechanisms applicable to each subprocessor in its internal Vendor Register, available on request.

6. Security Measures

Aligned with Azure Well-Architected Framework: Encryption at rest and in transit, Tenant isolation, Role-based access control, Secure ingestion pipelines.

7. Data Subject Rights

TunerBee, as Data Processor, will assist the Customer (Data Controller) in responding to requests from data subjects exercising their rights under applicable data protection law, including but not limited to:

(a) Right of Access — providing a copy of personal data held, in a structured, machine-readable format where requested;

(b) Right to Rectification — correcting inaccurate or incomplete personal data;

(d) Right to Data Portability — providing personal data in a structured, commonly used, machine-readable format (JSON or CSV) where the lawful basis is consent or contract;

(e) Right to Restriction — restricting processing of personal data in the circumstances set out in applicable law;

(f) Right to Object — ceasing processing for direct marketing immediately; considering other objections on their merits.

Where the Customer uses TunerBee for AI-driven candidate evaluation or screening, data subjects additionally have the right to:

(g) Obtain human review of any AI-generated assessment or score;

(h) Express their point of view regarding any automated assessment;

(i) Contest any decision made on the basis of automated processing that produces a legal or similarly significant effect.

The Customer is responsible for communicating these rights to their end-users and for providing a mechanism for data subjects to exercise them. TunerBee will provide a recommended candidate rights notice template on request.

TunerBee will respond to Customer requests for assistance with data subject rights within ten (10) business days.

8. Breach Notification

Without undue delay. Within 72 hours where applicable.

9. Data Retention & Deletion

Data retained only as necessary. Deleted upon termination unless required by law.

10. Automated Decision-Making and AI-Driven Evaluation

10.1 Human Review Obligation

Where the Customer uses TunerBee's interview screening, candidate evaluation, or any AI-driven scoring feature, the Customer acknowledges that AI-generated outputs (scores, assessments, recommendations) are provided as a tool to assist human decision-makers and are not intended to be the sole basis for any decision that produces a legal or similarly significant effect on an individual.

The Customer must ensure that a human reviewer meaningfully evaluates all AI-generated outputs before any decision is made regarding hiring, advancement, rejection, or other action that significantly affects a candidate or employee.

10.2 Special Category Data

The Customer must not configure scenarios, prompts, or questions designed to elicit special category personal data (as defined in Article 9 GDPR / UK GDPR, including health, disability, religion, political opinions, ethnicity, sexual orientation, or trade union membership) unless the Customer has:

(a) Established a valid condition for processing under Article 9(2) GDPR / UK GDPR;

(b) Notified TunerBee in writing prior to such use; and

If a data subject voluntarily discloses special category data in a scenario response, the Customer is responsible for handling that data lawfully.

10.3 Bias and Fairness

The Customer acknowledges that AI-generated outputs may reflect biases present in underlying model training data. The Customer is responsible for reviewing AI outputs critically and is encouraged to conduct periodic audits of AI-generated assessments for demographic bias. TunerBee does not warrant that AI outputs are free from bias and recommends that AI outputs are never used as the sole input to employment or other consequential decisions.

10.4 Purpose Limitation

Evaluation data (transcripts, scores, assessments) generated via TunerBee may only be used for the purpose for which the session was configured (e.g. a recruitment screening session may not subsequently be used for employee performance management without the data subject's knowledge and a fresh lawful basis).

US-SPECIFIC ADDENDUM

1. CCPA Compliance

Under California Consumer Privacy Act: TunerBee acts as a Service Provider. No selling of personal data. Processing limited to service delivery.

2. Liability (US Clarification)

Some states do not allow limitation exclusions. Liability clauses apply to maximum extent permitted.

3. AI Disclaimer (US Emphasis)

AI outputs are not professional advice and must not be relied upon for legal, financial, or medical decisions.

UK-SPECIFIC ADDENDUM

This Addendum applies to Customers and data subjects located in the United Kingdom and supplements the Data Processing Agreement above. In the event of any conflict between this Addendum and the main DPA, this Addendum prevails in respect of UK personal data.

1. Applicable Law

This Addendum is governed by the UK General Data Protection Regulation (UK GDPR) as defined in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, and the Data Protection Act 2018, as amended from time to time.

2. UK GDPR Representative (Article 27)

TunerBee AS has no establishment in the United Kingdom. In accordance with Article 27 UK GDPR, TunerBee AS has designated a representative in the United Kingdom:

[UK Representative Name / Organisation]
[Address]
[Email]

UK data subjects and the Information Commissioner's Office (ICO) may contact TunerBee's UK representative for matters relating to the processing of UK personal data.

3. International Transfers (UK)

For transfers of UK personal data to countries not covered by UK adequacy regulations, TunerBee relies on:

(a) The UK International Data Transfer Agreement (IDTA), as issued by the ICO; or

(b) The UK Addendum to the EU Standard Contractual Clauses (EU SCCs), as applicable.

Details of the transfer mechanism applicable to each subprocessor are available on our Subprocessor Registry at tunerbee.com/en/subprocessors/.

4. ICO Registration

TunerBee AS is registered with the Information Commissioner's Office (ICO).
Registration number: ZC138494

5. Data Subject Rights (UK)

UK data subjects may exercise their rights under UK GDPR Articles 15–22 by contacting: privacy@tunerbee.com

UK data subjects have the right to lodge a complaint with the Information Commissioner's Office:
Website: ico.org.uk
Telephone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

6. PECR — Cookies and Electronic Marketing

TunerBee's marketing website (tunerbee.com) uses cookies. UK visitors may manage their cookie preferences via the Cookie Settings link in the website footer. Analytics and marketing cookies are only set with your prior consent. Transactional and strictly necessary cookies do not require consent.

Electronic marketing communications to UK individuals are sent only with prior consent or, in the case of existing customers, in reliance on the soft opt-in provision under the Privacy and Electronic Communications Regulations 2003 (PECR). Every marketing communication includes an unsubscribe link.

7. Governing Law (UK Addendum)

This UK Addendum is governed by the laws of England and Wales in respect of the rights of UK data subjects, without prejudice to TunerBee's obligations under Norwegian law as the primary governing law of the main Terms and DPA.

CREDIT POLICY APPENDIX (TunerBee AS)

This appendix should be referenced from your Terms and treated as binding.

1. Purpose

This Credit Policy defines how usage is:

Measured
Converted into credits
Deducted
Billed

It governs all disputes related to usage and billing.

2. Credit Definition

A Credit is a unit representing consumption of platform resources, including:

AI model inference (LLM usage)
Scenario execution
Processing workloads
Data operations

Credits are an abstract unit and do not map 1:1 to external provider pricing.

3. Credit Conversion Model

3.1 Usage Mapping

TunerBee converts raw usage into credits based on:

Token consumption (LLM input/output)
Execution time
Scenario complexity
System resource usage

3.2 Dynamic Pricing Clause (important)

TunerBee reserves the right to adjust credit conversion rates due to changes in underlying provider costs (e.g. Google or Microsoft Azure), with prior notice.

4. Credit Allocation

Credits are granted via:

Subscription plans
Purchased add-ons
Promotional allocations

5. Credit Consumption Rules

5.1 Trigger Events

Credits are deducted when:

A scenario is executed
An AI interaction is processed
A user engages with a simulation

5.2 Pre-Authorization (Key for your model)

TunerBee may:

Estimate required credits before execution
Reserve credits before action
Reject actions if insufficient credits

6. Rollover Policy

Credits may roll over for one billing cycle only (configurable)
After expiration: Credits are permanently removed, and NO refunds apply

7. Overage Handling

7.1 Disabled (Default)

Usage is blocked when credits are exhausted.

7.2 Enabled

Usage continues, and additional credits are billed.

7.3 Spend Limits

Customers may define maximum overage limits. Service may automatically suspend upon reaching limit.

8. Measurement & Source of Truth

The TunerBee internal metering system is the authoritative source of usage data.

Logs include: Timestamp, Tenant, Action, Credit consumption.

8.1 Dispute Clause (very important)

External measurements (e.g. client-side tracking) are not considered authoritative.

9. Dispute Handling

9.1 Time Limit

Disputes must be raised within 30 days of invoice.

9.2 Review Process

TunerBee will:

Provide usage logs
Explain credit calculation
Validate anomalies

9.3 Final Determination

TunerBee's metering system is final unless a material error is proven.

10. Refund Policy

Credits are:

Non-refundable
Non-transferable
Not redeemable for cash

Exceptions: Proven billing error, Legal requirements.

11. Abuse & Safeguards

TunerBee may:

Detect abnormal usage
Throttle or suspend usage
Prevent automated abuse or cost spikes

Version: 1.1
Last Updated: [date of publication]
Change summary: Added UK-Specific Addendum; updated International Transfers to cover UK IDTA; strengthened AI transparency, automated decision-making, special category data, and minimum age clauses; expanded Data Subject Rights to cover AI evaluation rights.