API & MCP Developer Agreement

1. Prohibited Uses

You must not:

• Scraping or non-API access: Scrape, crawl, harvest, or index BuildStability's web UI, HTML, or other non-API interfaces to obtain data. Use only the documented REST API, MCP, and OAuth endpoints.
• Automated browser or UI control: Use bots, browser automation, headless browsers, or scripts to simulate user actions in the BuildStability web app, to bypass security controls, or to access data or functionality in a way that is not provided by the official APIs.
• Credential sharing or misuse: Share OAuth client secrets, access tokens, API keys, or other credentials with third parties, or use them outside your registered application. You are responsible for keeping credentials confidential and for all use under your client_id.
• Reverse engineering: Reverse engineer, disassemble, or decompile our APIs, MCP server, or underlying systems except to the extent expressly permitted by applicable law.
• Resale or redistribution of raw data: Resell, redistribute, or sublicense API- or MCP-derived data to third parties in bulk, or build a product that primarily repackages or resells that data, unless we have a separate written agreement.

2. AI and Machine Learning (AI/ML)

• No training on customer data unless permitted: You must not use data obtained via the API or MCP—including client, appointment, revenue, or any other end-user or business data—to train, fine-tune, adapt, or otherwise improve artificial intelligence or machine learning models (including large language models), unless we have given you explicit written permission under a separate agreement.
• Allowed use: You may use our APIs and MCP to power AI agents, assistive tools, or automation that operate on behalf of a specific business or end user for permitted, in-session use (e.g., summaries, scheduling, reporting), as long as that data is not used for model training.

3. Rate Limits and Fair Use

• Compliance: You must comply with all published rate limits, daily caps, and usage quotas that apply to your subscription tier and OAuth app. These are documented in the Developer Portal and may change with notice.
• No circumvention: You must not circumvent or attempt to circumvent rate limits, throttling, or usage caps by using multiple OAuth apps, IP rotation, credential sharing, or any other means.
• Consequences: If we reasonably believe you have breached rate-limit or fair-use provisions, we may throttle, suspend, or terminate your API or OAuth app access without advance notice. Repeated or serious violations may result in permanent revocation of developer access.

4. Security Requirements

• Token and credential storage: You must store OAuth client secrets, access tokens, and any other credentials securely (e.g., in a secrets manager or secure vault). Do not commit them to source control, log them, or expose them in client-side or public code.
• Least privilege: Request only the OAuth scopes (e.g., read, write) that your application needs. Do not request or use broader access than necessary.
• No logging of secrets: Do not log, trace, or otherwise capture client secrets, access tokens, or other credentials in plain text. If logging is necessary for debugging, redact or truncate sensitive values.
• Breach notification: If you become aware of any unauthorized access to, disclosure of, or compromise of BuildStability credentials or data (including via your systems or integrations), you must notify us at the contact provided in the Developer Portal within 72 hours of discovery. You must cooperate with us in investigating and mitigating the incident.

5. Audit and Suspension Rights

• Monitoring and audit: We may monitor API and MCP usage (e.g., volume, endpoints, error rates) and may audit your compliance with this API Agreement. You agree to provide reasonable information and cooperation in connection with any such audit.
• Suspension and termination: We may suspend or terminate your API or MCP access, or revoke your OAuth apps, immediately and without advance notice if we reasonably believe you have: (a) violated this API Agreement, (b) violated our Terms of Service or Privacy Policy, (c) used the API or MCP in a way that poses a security, legal, or reputational risk, or (d) abused or overloaded our systems. We will, where practicable, provide a post-hoc explanation and a chance to remedy where appropriate.

6. End-User Control and Transparency

• Transparency: If your application or AI agent acts on behalf of an end user (e.g., a trainer or client), you must provide clear disclosure about what data your app accesses and what actions it can perform.
• End-user consent: You must obtain appropriate consent from the end user (or the business that owns the account) before accessing or acting on their data via the API or MCP. You are responsible for ensuring that your use is consistent with the permissions the business has granted (e.g., via Business Settings and API access enablement in BuildStability).

7. Definitions and Interpretation

• API includes the BuildStability REST API, MCP server, and any other programmatic interfaces we offer.
• MCP means the Model Context Protocol implementation we provide for AI agents.
• OAuth app means an application you register to obtain client_id and client_secret for API access.
• This API Agreement is in addition to, and does not replace, our Terms of Service or Privacy Policy. In case of conflict between this API Agreement and the Terms of Service with respect to API or MCP use, this API Agreement prevails for that use.

8. Contact

For questions about this API Agreement or to report a security or compliance concern, use the contact details in the Developer Portal or the main BuildStability Terms of Service.