AI & Web Scraping Policy

tPay365 Ltd ("tPay365", "we", "us", or "our") publishes this AI & Web Scraping Policy to set clear expectations for how artificial intelligence systems, web crawlers, scrapers, and other automated agents may interact with our platform, content, and data.

This policy applies to all automated access to tpay365.com and any associated subdomains, APIs, and services. It supplements our Terms & Conditions and Privacy & Data Policies.

This policy governs:

• AI model training systems (e.g., GPTBot, ClaudeBot, Google-Extended, CCBot)
• Web crawlers and search engine indexers (e.g., Googlebot, Bingbot)
• Automated scraping tools and bots
• Any software that programmatically accesses tPay365 resources without direct human interaction

Human visitors browsing the website normally are not subject to this policy and should refer to our Terms & Conditions.

The following public marketing pages may be accessed by automated systems, subject to the rules in this policy:

• Homepage — tpay365.com
• Company — /company
• Terms & Conditions — /terms
• Privacy & Data Policies — /policies
• AI Policy — /ai-policy (this page)
• Waitlist — /waitlist

Standard search engine crawlers (Googlebot, Bingbot) are welcome to index these pages in accordance with our robots.txt file.

The following activities are strictly prohibited:

• Scraping, crawling, or indexing any personally identifiable information (PII) that may be exposed through any endpoint
• Accessing, probing, or attempting to access API endpoints (paths beginning with /api/)
• Accessing, probing, or attempting to access vault endpoints (paths beginning with /vault/)
• Accessing demo or internal pages (paths beginning with /demo/)
• Using scraped content to build, train, or fine-tune competing financial services or payroll products
• Misrepresenting scraped content as original work without attribution
• Circumventing rate limits, authentication mechanisms, or access controls
• Sending automated requests at a rate that degrades service for human users

tPay365 is a regulated fintech platform that processes sensitive personal and financial data under the UK GDPR and Data Protection Act 2018.

All PII is encrypted at rest using AES-256 and stored in an isolated PII Vault (Server B) that is accessible only via mTLS client certificates. Our two-server architecture ensures that personal data is never co-located with business logic.

All API and Vault endpoints are protected by multiple layers of security:

• Mutual TLS (mTLS): Client certificate authentication required for all vault operations
• API key: 32-character hex key required via X-Vault-API-Key header
• Rate limiting: 100 requests per second per key, 500 burst
• Audit logging: All requests are logged to an immutable, append-only audit trail

Unauthorised attempts to access these endpoints are automatically logged, and persistent offenders will have their IP addresses blocked. We reserve the right to pursue legal action for deliberate intrusion attempts.

If you use publicly available content from tPay365 in AI-generated outputs, research, or publications, you must:

• Clearly attribute the content to tPay365 Ltd (tpay365.com)
• Include a link to the original page where the content was sourced
• Not imply endorsement by tPay365 unless explicitly agreed in writing

All automated systems accessing tPay365 must comply with the following technical requirements:

8.1 robots.txt

Automated agents must respect our robots.txt file at tpay365.com/robots.txt. This file specifies which paths are permitted and which are disallowed for each user agent.

8.2 Rate Limits

Automated agents must not exceed a reasonable request rate. Crawlers should include a Crawl-delay of at least 10 seconds between requests. Agents that degrade service availability will be blocked without notice.

8.3 User-Agent Identification

All automated agents must identify themselves with a descriptive User-Agent header. Agents that disguise their identity or impersonate human browsers are in violation of this policy.

Content on publicly accessible marketing pages may be used for AI model training, provided:

• The content is sourced only from pages listed under "Permitted Use" (Section 3)
• No PII, API responses, vault data, or internal system information is included in training datasets
• The crawling agent complies with our robots.txt directives
• Attribution requirements (Section 7) are followed in any generated outputs
• The training does not result in a product that directly competes with tPay365's core offering (obligation-first payroll infrastructure)

We reserve the right to update our robots.txt to restrict AI training crawlers at any time.

Violations of this policy may result in one or more of the following actions:

• Immediate IP blocking and User-Agent banning
• Reporting to the Information Commissioner's Office (ICO) for GDPR violations
• Civil action for damages under the Copyright, Designs and Patents Act 1988
• Criminal referral under the Computer Misuse Act 1990 for unauthorised access attempts
• Notification to the AI model operator with a demand to remove improperly collected data from training datasets

We monitor automated access patterns and investigate anomalies proactively. All enforcement actions are logged and auditable.

We may update this policy from time to time to reflect changes in AI technology, regulation, or our business practices. We will update the "Last updated" date at the top of this page. Significant changes will be reflected in our robots.txt and llms.txt files.

For questions about this policy, to report a violation, or to request permission for automated access beyond what is described here: