DRAFT, pending counsel review. This document is an internal draft prepared on 2026-04-26 by the engineering team. It has NOT been reviewed by external legal counsel. Do not rely on it for legal advice. Effective date is a placeholder pending sign-off. Apostle Pty Ltd makes no representation that this draft satisfies any specific jurisdictional requirement until counsel-reviewed.

PYLON Acceptable Use Policy

This Acceptable Use Policy (the AUP) sets out the conduct that is prohibited on the PYLON streaming service (the Service) operated by Apostle Pty Ltd (PYLON, we). The AUP is incorporated into the Terms of Service; breach of the AUP is a material breach of the Terms of Service and may result in suspension or termination of your account.

The AUP applies to everyone who uses the Service: viewers, subscribers, creators, curators and any other category of user.

Table of contents

1. Scope and purpose
2. Prohibited conduct
3. Reporting violations
4. How we enforce
5. Repeat-infringer policy (DMCA §512(i))
6. Appeals
7. Contact and version

1. Scope and purpose

PYLON is a curated film streaming service. The Service exists to make short and long-form audiovisual works available to paying subscribers in a safe, lawful and high-quality environment for the people who use it and the filmmakers who licence content to us.

The AUP exists to:

• protect users, especially minors, from harm;
• protect the integrity of the catalogue and the rights of the filmmakers we work with;
• protect the Service from technical abuse; and
• protect Apostle Pty Ltd and its operators from legal liability and reputational harm.

We interpret and apply the AUP using common sense and good faith. The prohibitions below are illustrative, not exhaustive. We reserve the right to take action against conduct that is not specifically listed but that is inconsistent with the spirit of the AUP, or that exposes the Service or its users to harm.

2. Prohibited conduct

You will not, and you will not authorise or assist any third party to:

2.1 Unauthorised access and scraping

• Access any portion of the Service that is not made available to you (including admin panels, internal APIs, staging environments, R2 object storage, queues, or other infrastructure).
• Use any automated means, including bots, scripts, scrapers, headless browsers, web-archive crawlers, AI agents or retrieval-augmented-generation pipelines, to access, copy, index, cache, mirror, train on, or otherwise extract Content or data from the Service. Limited indexing by a public search engine is permitted to the extent we allow it in our robots.txt.
• Probe, scan or test the vulnerability of the Service, except through a coordinated disclosure under the Vulnerability Disclosure Policy.
• Attempt to exceed the rate limits or other operational guard-rails we publish or that we apply at the edge.

2.2 DRM circumvention and redistribution

• Circumvent, disable, remove, reverse-engineer or otherwise tamper with any digital-rights-management (DRM), encryption, watermarking, geo-restriction, age-gating, or other security or access-control mechanism we use, including (without limitation) Widevine, FairPlay, PlayReady, HLS AES-128 segment encryption, signed manifests, signed playback URLs, and forensic watermarking. This prohibition is consistent with 17 U.S.C. §1201, EU Directive 2001/29/EC Art. 6, and the Copyright Act 1968 (Cth) §116AN.
• Make, share, distribute or use any tool, browser extension or client modification whose purpose or effect is DRM circumvention.
• Capture or screen-record content streamed by the Service, except where required by accessibility statutes (and only for personal accessibility use, not redistribution).
• Re-stream, re-broadcast, re-host, mirror, embed off-platform, or otherwise redistribute Content; or make Content available to any other person, including by sharing it on a social network, a cloud-storage service, a messaging platform, a P2P network or a pirate streaming site.
• Use the Service for any public exhibition (commercial or non-commercial), including in bars, theatres, hotels, schools, shared offices, conference rooms, public transport, or any place open to the public, without a separate written exhibition licence from PYLON.

2.3 Hate speech, harassment, threats, violence

• Post, transmit or display content that is unlawful, defamatory, obscene, fraudulent, hateful, harassing, threatening, intimidating, bullying, abusive, or that promotes self-harm.
• Engage in conduct that constitutes or promotes terrorism, violent extremism, glorification of violence, or weapons-trafficking.
• Engage in stalking, doxxing or any form of unwanted contact with another user.

PYLON's full safety policy is set out in the Trust and Safety Policy. The Community Guidelines provide a plain-language description of the same principles for the Q&A, watch-party and chat surfaces.

2.4 Child sexual abuse material (CSAM) and child endangerment

We have zero tolerance for child sexual abuse material or content that sexually exploits or endangers a minor. We:

• do not publish such material on the Service;
• act immediately on any report of such material, typically by removing the material, suspending the account that posted it, and preserving evidence;
• report confirmed CSAM to the Australian eSafety Commissioner under the Online Safety Act 2021 (Cth), the US National Centre for Missing & Exploited Children (NCMEC) CyberTipline, the UK Internet Watch Foundation (IWF), and any other legally-mandated authority;
• preserve relevant data for as long as required by law to support investigation; and
• cooperate fully with law-enforcement agencies investigating CSAM.

You must not upload, share, link to, request, distribute, or attempt to obtain CSAM via the Service. Any account that does so will be permanently terminated and reported.

2.5 Account abuse

• Share, sell, rent or transfer your sign-in credentials, magic-link emails, OAuth tokens, 2FA recovery codes, or session cookies.
• Use someone else's account, or allow someone else to use yours, except as expressly permitted by a household feature we may release.
• Create multiple accounts to circumvent suspensions, free trials, promotional pricing, or rate limits.
• Use a VPN, proxy, residential-proxy network, or smart-DNS service to circumvent geographic restrictions on Content. (Use of a VPN for legitimate privacy reasons in a country where the Service is available is permitted; use specifically to defeat licensing-based geo-restriction is not.)
• Misrepresent your age, identity, country of residence or eligibility.

2.6 Botting, click fraud and view-time manipulation

• Generate artificial views, watch time, completion events, Q&A RSVPs, watchlist additions, or any other engagement signal.
• Use any tool that simulates a viewer for the purpose of influencing creator-payout calculations, recommender ranking, or trending lists.
• Coordinate with others to inflate or deflate engagement signals on a specific title or creator.

Detection of botting may result in:

• the offending engagement signals being voided in our analytics;
• the affected creator's payout being recalculated; and
• termination of the account responsible.

2.7 Reverse engineering and derivative works

• Reverse-engineer, decompile, disassemble or otherwise attempt to derive the source code or architecture of the Service, except to the extent expressly permitted by law (e.g., interoperability exceptions in EU Directive 2009/24/EC Art. 6).
• Build a derivative service, dataset, model or product on top of the Service, including by using the Service as a training corpus for any AI/ML model.
• Modify the Service or any client we publish, including patching client binaries.
• Frame, mirror, embed, deep-link or otherwise re-present the Service in a way that misrepresents the source or association.

2.8 Spam and unsolicited commercial use

• Send unsolicited commercial messages via Q&A, watch-party chat, the support inbox, or any other communication channel exposed by the Service.
• Use the Service to promote a third-party product, service, drug, cryptocurrency, security, prize draw or pyramid scheme.
• Use the Service for any commercial activity (including affiliate marketing) that is not expressly permitted under a separate written agreement with PYLON.

2.9 Impersonation and false identity

• Impersonate any person, including a PYLON staff member, a filmmaker, a public figure, or another user, or misrepresent your affiliation with any person or entity.
• Use a profile name, image or bio that misleads other users about who you are.

2.10 Malware, exploits and attacks

• Upload, share, distribute or transmit any malware, virus, worm, trojan, spyware, ransomware, exploit code, or other malicious payload.
• Conduct, attempt or facilitate any denial-of-service attack, amplification attack, credential-stuffing attack, brute-force attack, or other attack against the Service or any user.

2.11 Tampering with notices

• Remove, conceal, alter or falsify any copyright notice, watermark, attribution, AI-disclosure label, classification label, takedown notice, or other notice attached to Content.

2.12 Other unlawful conduct

• Use the Service to violate any applicable law, regulation, court order, or third-party right.

3. Reporting violations

If you see content or behaviour that violates this AUP, please report it. We have a reporting flow in-product (the Report control on titles, comments, watch-party messages and profiles) and an escalation channel for serious matters.

• In-product reporting, surfaces the report to PYLON's Trust & Safety queue.
• Email, for serious or sensitive reports, including CSAM (use [email protected]), copyright (use [email protected]), privacy (use [email protected]), security ([email protected]).

For details about how reports are handled, see the Trust and Safety Policy.

4. How we enforce

We apply enforcement proportionally. Possible actions include:

We may also:

• void engagement signals associated with violating conduct;
• recalculate creator payouts where engagement was manipulated;
• restrict specific features (Q&A posting, watch-party hosting, comments) without affecting streaming;
• reduce playback to lower DRM tiers (preventing offline-download) while a matter is investigated; or
• block a payment method or country code for fraud reasons.

We act on the basis of facts available to us at the time of decision. We do not need a court order to enforce this AUP.

5. Repeat-infringer policy (DMCA §512(i))

We maintain a repeat infringer policy under section 512(i) of the US Digital Millennium Copyright Act and the equivalent safe-harbour provisions in other jurisdictions:

• Three (3) confirmed copyright strikes within a rolling twelve (12) month period results in suspension pending review.
• A confirmed strike is a DMCA takedown notice that is facially valid, has not been successfully counter-noticed, and where a counter-notice (if filed) has not been answered by the rights- holder within ten (10) business days with proof of action.
• Suspended accounts may be reinstated only if the strike count is reduced (for example, by a successful counter-notice) or by written waiver from the rights-holder; otherwise, the account is terminated and the user is barred from re-registering.
• Suspension and termination decisions are recorded in our internal audit log.

See the DMCA Policy for the takedown and counter-notice procedure.

6. Appeals

You may appeal an AUP enforcement decision by emailing [email protected] within thirty (30) days. State the action, the date, and your reason for appeal. We will respond within fourteen (14) business days. Appeals on safety decisions involving minors, CSAM or terrorism are reviewed by a senior reviewer; we may in those cases refuse to discuss specifics for legal-investigation reasons, but we will tell you whether the original decision stands.

If your appeal is rejected and you remain dissatisfied, you may have recourse to a regulator (for example, the EU Digital Services Act out-of-court dispute resolution mechanism for users in the EU under Art. 21 DSA, or your local consumer-protection authority for refund matters).

7. Special-context notes and worked examples

To make the AUP applicable rather than abstract, the following short notes describe how it is applied in common situations. They do not expand or contract the prohibitions in section 2.

7.1 Account sharing within a household

A natural household, typically a couple or a parent-and-children unit living at the same address, is permitted to use a single Subscription on the number of registered devices and concurrent streams that the plan allows. We do not interrogate household relationships and we do not require a household to enrol in a formal "household" feature where one is not offered.

What is not permitted is credential sharing across households, sending your magic-link emails or 2FA recovery codes to friends, extended family who do not live with you, co-workers, or strangers on the internet who pay you for access. This is treated as account-sharing abuse under section 2.5 and is detected through:

• inconsistent country-code signals across sessions for the same account (e.g., concurrent active sessions in three countries within a short window);
• unusual concurrent-stream patterns (e.g., five streams from five different ISPs in five different geographies);
• payment-method mismatches against sign-in geography over time.

When we detect this pattern, we typically warn first, then require re-verification, then suspend.

7.2 VPN use

We do not ban VPN use generally. A VPN may be the right choice for a user who values privacy and who lives in a country where the Service is available. What we ban specifically is use of a VPN to defeat geographic restrictions on Content, for example, connecting to an Australian VPN endpoint to access an Australian-only release window from a country where that title is licensed only at a later date. We typically detect this through inconsistent IP-geolocation versus billing-address signals and through known VPN-exit IP ranges. The mitigation is to refuse playback of the geo-restricted title (not to ban the account); repeated attempts may escalate to suspension under section 2.5.

7.3 Accessibility tools

Use of assistive technologies, screen readers, captioning tools, hardware audio-loop systems, switch controls, is not prohibited by section 2.7's reverse-engineering language. The interoperability exceptions in EU Directive 2009/24/EC Art. 6, US §1201 accessibility exemptions, and the Australian Disability Discrimination Act 1992 support legitimate adaptation. If an accessibility tool is being blocked by our DRM stack, contact [email protected] and we will work with you. See the Accessibility Statement for our WCAG commitments.

7.4 Research and journalism

Journalists, academic researchers, classification regulators and trust-and-safety researchers occasionally need to access Content or metadata for legitimate research that may sit at the edge of the AUP. We are open to coordinated arrangements; contact [email protected] before relying on any informal interpretation. Coordinated-research access does not include the right to publish or redistribute Content.

7.5 Watch-party hosting

A watch-party host is responsible for the conduct of guests in their party. Hosts who repeatedly fail to moderate violations of the Community Guidelines may have their hosting privileges revoked while remaining able to attend parties hosted by others.

7.6 Bug bounty and security research

Coordinated security research is governed by the Vulnerability Disclosure Policy and is not a violation of section 2.1, provided the researcher follows the disclosure policy in good faith. Out-of-scope or out-of-policy probing, mass-scanning, or attempts to access user data for the purpose of public disclosure are violations.

8. Contact and version

Reporting violations: [email protected] Appeals: [email protected] General support: [email protected]

Apostle Pty Ltd [REGISTERED ADDRESS: TBD] [ABN: TBD] · [ACN: TBD]

Sibling documents

• Terms of Service
• Community Guidelines
• Trust and Safety Policy
• DMCA Policy
• Vulnerability Disclosure Policy
• Privacy Policy

Version history