EU AI Act and Responsible AI Use Statement
Last updated: July 16, 2026
This statement describes the rules that apply when AIIGLE is used to design, test, configure, connect, publish, deploy, or operate artificial-intelligence systems, workflows, agents, applications, interfaces, or tools. It forms part of the AIIGLE Terms of Use.
AIIGLE is a general-purpose no-code development environment. Users can connect data, language models, other AI models, external APIs, software components, and user interfaces. The legal classification of a resulting system depends on its intended purpose, functions, data, affected persons, deployment context, branding, modifications, and actual use.
1. Scope and allocation of regulatory roles
Depending on the circumstances, AIIGLE, the user, a customer, an integrator, a model provider, an API provider, or another party may qualify as a provider, deployer, importer, distributor, product manufacturer, data controller, joint controller, or processor. Technical access to AIIGLE does not determine those legal roles.
Users remain responsible for identifying and documenting their own regulatory role and the role of every relevant party. A party may acquire provider obligations where it places its name or trademark on a high-risk AI system, substantially modifies such a system, or changes an AI system's intended purpose so that it becomes high-risk. Contractual allocation of tasks does not remove obligations imposed directly by law.
2. Closed prototype definition
A closed prototype is a workflow that:
- is accessible only to the user and specifically authorised internal testers;
- uses synthetic, fictional, or effectively anonymised data unless otherwise approved;
- is not used to evaluate, rank, recommend, decide, or act in relation to real persons;
- is not published, marketed, sold, licensed, embedded, or exposed through a public or customer-facing interface;
- does not trigger operational actions in external systems;
- does not make or materially influence legal, contractual, medical, educational, employment, financial, safety, public-sector, or similarly significant decisions; and
- is not represented as production-ready, legally compliant, certified, or approved.
3. Mandatory internal approvals for commercial and non-commercial use
Before any commercial or non-commercial use outside the limited closed-prototype conditions described above, the user must obtain and retain:
- a written GDPR and privacy review from the user's appointed data protection officer, where one is appointed, or otherwise from a suitably qualified privacy officer or adviser;
- written approval from the controller, accountable management representative, or other person formally authorised to accept responsibility for GDPR compliance (the Data Protection Approver); and
- written approval from the user's appointed AI officer, AI governance officer, responsible AI officer, or equivalent person formally authorised to approve AI compliance (the AI Compliance Approver).
A data protection officer's review is advisory and does not transfer the controller's or management's legal responsibility to the data protection officer. If the user is an individual or organisation without formal privacy or AI-governance functions, the user must obtain equivalent written review from suitably qualified independent privacy and AI advisers and personally or organisationally accept the resulting compliance obligations. Self-approval by the workflow creator is not sufficient where that person lacks appropriate independence, competence, and formally assigned authority.
The written approvals must, at minimum, identify:
- the workflow name, owner, version, intended purpose, and prohibited purposes;
- the persons who will use the system and the persons or groups affected by it;
- all data categories, sources, recipients, retention periods, and international transfers;
- the legal bases for personal-data processing and any Article 9 GDPR condition;
- the connected models, model providers, APIs, external services, and subprocessors;
- the AI Act classification and the reasoning supporting that classification;
- whether a data protection impact assessment, fundamental-rights impact assessment, conformity assessment, registration, or sector-specific approval is required;
- the required human oversight, testing, accuracy, robustness, cybersecurity, transparency, logging, incident response, and appeal mechanisms; and
- the deployment territory, target users, review date, and conditions or limitations of approval.
4. Mandatory AIIGLE approval before activation or real-world use
Users may design closed prototypes, but they must not activate, publish, market, sell, license, externally deploy, expose through an API, connect to live operational systems, process personal data in production, or use a workflow on, for, or about real individuals without AIIGLE's prior written compliance approval.
This restriction applies to both commercial and non-commercial use, including research, education, open science, charitable projects, public-sector projects, internal company use, pilot projects, and unpaid services.
A request for AIIGLE approval must include the internal approvals described in Section 3 and any risk assessments, technical documentation, data-protection documentation, testing evidence, model documentation, notices, contracts, and safeguards requested by AIIGLE. AIIGLE may approve, reject, condition, suspend, or revoke approval at its discretion where reasonably necessary for legal, security, safety, or platform-integrity reasons.
AIIGLE approval is a contractual platform permission only. It is not legal advice, certification, conformity assessment, CE marking, regulatory authorisation, or a transfer of the user's statutory responsibilities. A material change to the intended purpose, model, data, logic, affected population, integration, deployment environment, or risk profile requires renewed internal and AIIGLE approval.
5. Prohibited AI practices
The following uses are prohibited and may not be designed, tested with real data, enabled, deployed, or facilitated through AIIGLE:
- subliminal, purposefully manipulative, or deceptive techniques that materially impair a person's ability to make an informed decision and cause or are reasonably likely to cause significant harm;
- exploitation of vulnerabilities caused by age, disability, or a specific social or economic situation in a manner that causes or is reasonably likely to cause significant harm;
- social scoring or classification of persons based on social behaviour or known, inferred, or predicted personal or personality characteristics where this leads to unrelated, unjustified, or disproportionate detrimental treatment;
- individual criminal-offence risk assessment based solely on profiling, personality traits, or personal characteristics;
- untargeted scraping of facial images from the internet, social media, uploaded media, or CCTV footage to create or expand facial-recognition databases;
- emotion inference in workplaces, recruitment, schools, universities, examinations, or educational institutions;
- biometric categorisation intended to infer race, ethnic origin, political opinions, trade-union membership, religious or philosophical beliefs, sex life, sexual orientation, or other sensitive or protected characteristics;
- real-time remote biometric identification in publicly accessible spaces, including uses presented as law-enforcement exceptions, unless AIIGLE has expressly introduced a separately governed service for that purpose under a specific written agreement;
- unlawful automated decision-making, discrimination, denial of rights, or disparate treatment based on protected characteristics or proxies for protected characteristics;
- creation, transformation, possession, or distribution of child sexual abuse material, sexual exploitation material involving minors, or sexualised depictions of persons who are or appear to be minors;
- creation or manipulation of intimate, nude, sexually explicit, or sexualised depictions of an identifiable person without that person's explicit and verifiable consent;
- stalking, doxxing, coercive surveillance, unlawful location tracking, identity theft, impersonation, fraud, harassment, extortion, or targeted deception;
- systems intended to facilitate unlawful weapons use, autonomous targeting of persons, violent wrongdoing, biological harm, or other serious physical harm;
- removal, evasion, concealment, or disabling of safety controls, AI disclosures, provenance markings, human oversight, audit logs, rate limits, access controls, or compliance restrictions; and
- any activity prohibited by the EU AI Act, GDPR, national law, criminal law, anti-discrimination law, consumer law, intellectual-property law, or sector-specific law.
5.1 Copyright, related rights, and unlawful content-generation services
Copyright infringement is not, by itself, classified as a prohibited AI practice under Article 5 of the EU AI Act. It is nevertheless a prohibited use of AIIGLE under these rules and applicable intellectual-property law.
Users must not create, configure, offer, publish, or operate a workflow, application, interface, agent, retrieval system, or other service whose purpose, principal functionality, marketing, or reasonably foreseeable use is to generate, retrieve, reconstruct, continue, adapt, reproduce, distribute, communicate, or otherwise make available copyright-protected material without the required authorisation or other valid legal basis.
This prohibition includes services intended or configured to:
- provide complete or substantial portions of protected song lyrics, musical compositions, sheet music, sound recordings, books, articles, journals, scripts, films, broadcasts, photographs, illustrations, artwork, software, source code, databases, games, or other protected works or subject matter;
- recreate, closely reproduce, or reconstruct a protected work from prompts, fragments, summaries, embeddings, retrieval indexes, uploaded copies, screenshots, recordings, or other reference material where the result infringes copyright or related rights;
- bypass paywalls, subscription controls, digital-rights-management measures, access restrictions, copy protection, or other technological protection measures;
- remove, conceal, falsify, or alter copyright notices, author or performer credits, watermarks, provenance data, rights-management information, licence terms, or ownership information;
- ingest, scrape, index, train, fine-tune, or perform retrieval-augmented generation on protected material where the user lacks the required rights or where an applicable reservation of text-and-data-mining rights has not been respected; or
- facilitate piracy, unauthorised file sharing, counterfeit publications, unauthorised derivative works, or systematic substitution for lawful access to protected works.
These restrictions do not prohibit the use of material that is demonstrably owned by the user, validly licensed for the intended use, in the public domain, made available under an applicable open licence, or used within a binding statutory exception or limitation. The user must retain evidence of the relevant rights, licence, permission, or exception and provide it to AIIGLE on request.
Requests to generate content merely “in the style of” a creator are not automatically lawful or unlawful. Users must ensure that outputs do not reproduce protected expression, create unlawful adaptations, misrepresent endorsement, infringe moral rights, or otherwise violate copyright, trademark, passing-off, personality, or unfair-competition law.
6. High-risk and otherwise regulated uses
The following uses are restricted and may not leave a closed prototype without the approvals in Sections 3 and 4, a documented legal classification, and all legally required controls:
- remote biometric identification, biometric categorisation, emotion recognition, or biometric verification beyond ordinary user authentication;
- safety components for regulated products or critical digital, transport, water, gas, heating, electricity, industrial, robotic, or medical systems;
- education admission, access, placement, learning-outcome evaluation, grading, exam monitoring, or student-behaviour assessment;
- recruitment, targeted job advertising, applicant screening, candidate ranking, promotion, termination, task allocation, worker monitoring, or performance evaluation;
- eligibility for public benefits, healthcare access, housing, creditworthiness, credit scoring, life or health insurance pricing, emergency-call classification, dispatching, or patient triage;
- law-enforcement, evidence assessment, victim-risk assessment, profiling, polygraph-like assessment, offending or reoffending assessment, or criminal investigation;
- migration, asylum, visa, residence, border-control, security-risk, health-risk, document, or evidence assessment;
- judicial decision support, legal fact assessment, interpretation or application of law, or alternative dispute resolution affecting persons;
- systems intended to influence election or referendum outcomes or individual voting behaviour;
- medical diagnosis, treatment recommendation, medical-device functions, or other regulated health decisions;
- decisions producing legal effects or similarly significant effects for natural persons; and
- any use classified as high-risk under Article 6, Annex I, or Annex III of the EU AI Act, or regulated under another Union or national regime.
7. GDPR and data-governance requirements
Users must not upload, retrieve, combine, infer, generate, or process personal data unless they have a documented legal basis, satisfy transparency duties, respect purpose limitation and data minimisation, implement appropriate retention and deletion controls, and execute all required controller-processor or joint-controller arrangements.
Users must complete a data protection impact assessment before processing that is likely to result in a high risk to the rights and freedoms of natural persons. Special-category, biometric, genetic, health, criminal-conviction, children's, employee, student, financial, location, or similarly sensitive data may be used only where the user has documented the applicable legal condition and obtained the approvals required by this statement.
Users must not rely solely on an AI output for a decision producing legal or similarly significant effects unless the processing is lawful under Article 22 GDPR and all required safeguards, information, human intervention, contestation, and review rights are implemented.
Data must not be sent to an LLM, model provider, API, plug-in, connector, or external service unless the user has assessed that recipient, configured appropriate data-use and retention settings, entered required contracts, and implemented a lawful international-transfer mechanism.
8. Transparency and AI-generated content
- People must be informed clearly and accessibly when they are interacting with an AI system, unless this is obvious in the relevant context.
- Public or customer-facing AI interfaces must identify the responsible operator and provide an accessible contact and review channel.
- AI-generated or manipulated audio, image, video, and text must retain applicable machine-readable provenance or detection markings where technically feasible and legally required.
- Deepfakes must be clearly disclosed as artificially generated or manipulated.
- AI-generated or manipulated text published to inform the public on matters of public interest must be disclosed where required by law.
- Users must not remove or conceal AIIGLE or third-party provenance, watermarking, labelling, or disclosure controls.
9. Human oversight, testing, and safety
Every externally used workflow must have named natural persons with sufficient competence, training, authority, and resources to supervise its operation. Human oversight must be meaningful and must include authority to disregard outputs, stop processing, correct errors, suspend the workflow, and respond to affected persons.
Before deployment, users must test the workflow for its intended purpose, foreseeable misuse, bias and discriminatory effects, accuracy, false positives and negatives, robustness, cybersecurity, prompt injection, data leakage, unsafe tool use, model or API failure, accessibility, and the effectiveness of human oversight. Testing must be documented and repeated after material changes.
10. Logs, documentation, monitoring, and incident reporting
Users must preserve sufficient version information, configuration records, model and API identifiers, instructions, test results, approvals, deployment history, and logs to investigate incidents and demonstrate compliance. Where high-risk-system rules apply, legally required automatically generated logs must be retained for the required period.
Users must continuously monitor deployed workflows and immediately suspend use where there is a reasonable indication of illegality, serious risk, loss of control, discriminatory impact, security compromise, or a serious incident.
Suspected prohibited use, serious incidents, personal-data breaches, material model failures, or regulatory investigations relating to AIIGLE must be reported to AIIGLE without undue delay. Users must cooperate with AIIGLE, model providers, affected persons, competent authorities, and market-surveillance or data-protection authorities as legally required.
11. External models, APIs, connectors, and agents
Users are responsible for every model, API, database, plug-in, connector, tool, agent, service, and destination they connect. Users must comply with the provider's terms, licences, documentation, usage restrictions, security requirements, copyright rules, and geographic limitations. API keys and credentials must be kept confidential and may not be embedded in publicly accessible client-side code.
Agentic workflows capable of taking actions, calling tools, sending communications, changing records, making purchases, operating devices, or triggering external processes require explicit permission boundaries, least-privilege credentials, human confirmation for consequential actions, transaction limits, audit logs, rollback or interruption mechanisms, and safeguards against prompt injection and unauthorised tool use.
12. AI literacy and authorised personnel
Users acting as providers or deployers must ensure, to the extent required by Article 4 of the EU AI Act, that staff and other persons operating or using AI systems on their behalf have an appropriate level of AI literacy. Training should reflect their technical knowledge, responsibilities, use context, system risks, and the persons affected. Users must keep evidence of relevant training, instructions, and authorisations.
13. AIIGLE controls and enforcement
AIIGLE may require risk declarations, identity or organisation verification, internal approvals, DPIAs, fundamental-rights assessments, technical documentation, testing evidence, model information, lawful-basis documentation, licences, contracts, or other evidence before enabling a feature or deployment.
AIIGLE may technically restrict models, connectors, data types, features, outputs, execution, sharing, publication, external access, or production deployment. AIIGLE may inspect relevant workflow metadata and, where reasonably necessary and legally permitted, review content or logs to investigate abuse, safety incidents, security threats, or suspected non-compliance.
AIIGLE may reject approval, suspend a workflow, disable an integration, preserve relevant evidence, remove content, restrict an account, terminate access, or report matters to competent authorities where it reasonably suspects prohibited, unlawful, unsafe, deceptive, or non-compliant use.
14. No certification or legal advice
AIIGLE does not automatically review or certify each workflow. Templates, documentation, warnings, technical restrictions, risk questions, or approval decisions do not constitute legal advice or guarantee compliance. Users must obtain their own qualified legal, data-protection, AI-governance, security, and sector-specific advice.
15. Updates and precedence
AI law, guidance, standards, and enforcement practices continue to develop. AIIGLE may update this statement and require renewed approval or additional safeguards. If this statement conflicts with a specific written enterprise or regulated-use agreement, that specific agreement governs only to the extent it expressly addresses the conflict and does not permit conduct prohibited by mandatory law.
16. Official legal references
- Regulation (EU) 2024/1689 — Artificial Intelligence Act
- Article 5 — Prohibited AI practices
- Annex III — High-risk use cases
- Article 25 — Responsibilities along the AI value chain
- Article 26 — Obligations of deployers
- Article 50 — Transparency obligations
- Directive 2001/29/EC — Copyright in the information society
- Directive (EU) 2019/790 — Copyright in the Digital Single Market