Acceptable Use Policy
Most of this page is ordinary housekeeping. Two things on it are not, and they are in section 2: attaching a screening to an item that was not screened, and using a certificate to tell someone a product is fit for a child. Those two turn this Service into a fraud instrument, and we will end your access for them without notice.
1. What this policy is
This Acceptable Use Policy (the Policy) sets out what you may not do with the ShelfStamp service operated by CLV Media, LLC, a North Carolina limited liability company. It is incorporated into the Terms of Service by reference, under section 9 of those Terms, and a breach of this Policy is a breach of the Terms.
It applies to everyone: to a parent running one free screening without an account, to a reseller buying certificates, and to a childcare operator on a business plan. Screening is free, so most people using the Service have paid us nothing. This Policy still binds them.
2. The two prohibitions that matter
Everything else in this document is housekeeping — necessary, but ordinary. These two are not ordinary. They are the two ways of taking an honest record and making a weapon of it, and they are the reason this page exists.
2.1 Do not attach a screening to an item that was not screened
You may not screen one item in order to produce a certificate that you present as belonging to a different item.
You may not photograph a label that is not on the item you are selling, transferring, or putting a child in contact with. You may not reuse a certificate across units. You may not screen a clean example of a product and hand the resulting certificate to a buyer of a different example.
The signature on such a certificate would be genuine. The screening would really have happened. The photograph would be a real photograph of a real label. And the document would still be a lie, because the one fact a certificate cannot establish is that the object in the buyer’s hands is the object that was in the frame. Only you can establish that, and by using the Service you represent that you have.
This is why the certificate is bound to the SHA-256 hash of the label photograph and why the photograph is served from the certificate: so that a buyer can look at the label in front of them, look at the label in the document, and see whether they are the same label. Defeating that on purpose is fraud, and we will treat it as fraud.
2.2 Do not use the Service, or a certificate, to represent that a product is safe
You may not use the Service, a screening result, a certificate, a badge, a register, or a state documentation record to represent to a buyer, a parent, a regulator, an inspector, or anyone else that a product is safe, fit for use, cleared, approved, inspected, or suitable for a child.
A certificate records the outcome of a database search on one date. It says nothing about the condition of the object, and it must never be presented as though it did.
NO MATCH FOUND means we did not find a matching recall record. It does not mean the item is free of defects, and we make no representation as to fitness. The Service never sees the item, cannot see the item, and cannot detect a crack, a crash history, a counterfeit, a missing part, or a defect that has not been recalled yet. Section 2 of the Terms sets out the full list of what a screening cannot detect, and it is longer than most people expect.
A seller who shows a certificate and says the words “this has been checked” is on the right side of this line. A seller who shows the same certificate and lets a parent believe it is a clearance is not, and the person who bears the consequence of that is a child. We do not have a sense of humour about it.
2.3 What happens
Either of the above, on evidence we find credible, results in revocation of the certificates concerned and termination of your access, without notice and without refund. Where the conduct is live — a listing is up, a sale is about to complete, a child is about to be placed in contact with the item — we will act first and explain afterwards. A notice period, in that situation, is simply a window in which the harm completes.
3. Certificates: forgery, alteration, misrepresentation
You may not:
- forge a certificate, or produce any document, image, badge, or page that imitates one;
- alter a certificate, or alter any rendering of it — the result, the date, the item, the data-freshness statement, the photograph, or the verification link;
- present a certificate as attesting to something it does not attest to, including by cropping it, quoting it selectively, or removing the language that says what it is not;
- present a certificate for a product other than the one screened, which is section 2.1 and is repeated here so that no reader can claim to have found it only in a list;
- represent that you are affiliated with, endorsed by, or acting for CLV Media, LLC, the CPSC, NHTSA, or any licensing or regulatory authority; or
- use the ShelfStamp name, mark, or badge on a listing, page, or item for which no certificate exists.
Every certificate has a public verification page that re-runs the screening against current data. Forgery is therefore not merely wrong; it is easy to catch, and the catching is done by the buyer you were lying to.
4. Automated access, scraping, and bulk extraction
4.1 What you may not do
You may not:
- use a crawler, scraper, bot, script, headless browser, or any other automated means to extract our recall corpus, our extractions, our match results, or our certificates in bulk;
- access the Service other than through the interface we provide, or in excess of what that interface permits;
- circumvent, disable, or evade any rate limit, quota, access control, or other technical measure; or
- create multiple sessions, addresses, or identities in order to defeat a limit that applies to one.
4.2 What we claim, and what we do not
We want to be exact about this, because most companies in this position are not.
The underlying recall records come from the U.S. Consumer Product Safety Commission and the National Highway Traffic Safety Administration. They are works of the United States Government and, under 17 U.S.C. § 105, they are not subject to copyright. We claim no ownership of the federal recall data. It is public, it belongs to the public, and anyone is free to go and get it from the source. If that is what you want, we will even tell you where it is.
What we claim is what we built on top of it, and only that: the extraction of model numbers and identifiers from unstructured recall prose, the matching engine and its logic, the compilation and structure of our database, the software, and the certificates we issue. Those are ours, and taking them in bulk is taking our work, not the public’s record.
4.3 Circumvention and the Computer Fraud and Abuse Act
Access to the Service in excess of what the interface permits, or in circumvention of any technical limit we impose, may violate the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and equivalent state law. That claim is about circumventing our access controls. It is not a claim of ownership over a government safety notice, and we will not make one.
4.4 If you need the data at volume
Write to support@shelfstamp.com and tell us what you are trying to do. Researchers, journalists, and safety organisations are usually asking for something we are happy to give. A conversation costs less than a scraper, for both of us.
5. Machine learning and reverse engineering
5.1 No training, fine-tuning, evaluation, or benchmarking
You may not use the Service, or any output of it — screening results, extractions, match decisions, certificates, corpus records, page content, or the structure of any of them — as training data, fine-tuning data, evaluation data, or benchmark data for any machine learning or artificial intelligence model, whether the model is yours or a third party’s.
This is not a reflexive anti-AI clause. It is here because the value of what we do is in the extraction — turning a recall notice written in prose into a model number a machine can match against — and a model trained on our outputs is a copy of that work, obtained without doing it.
5.2 No reverse engineering
You may not reverse-engineer, decompile, disassemble, or otherwise attempt to derive the matching logic, the extraction logic, the confidence thresholds, the source code, or the structure of the Service, except to the extent that restriction is unenforceable under applicable law.
You may, of course, run a screening and look at the answer. That is the product. Probing it systematically in order to reconstruct how it decides is not.
6. What you may upload
6.1 Label photographs, and nothing else
The upload field takes a photograph of a product’s tracking label. That is its entire purpose. You may not upload anything else.
Specifically, do not upload an image containing:
- a person’s face, or any identifiable person;
- a document — an identity card, a licence, a bill, a medical record, a form;
- a screen, a monitor, or a phone displaying anything;
- a child, in any context whatsoever;
- anything at all that you would not want stored on our servers and served from a certificate page for as long as that certificate exists.
We strip EXIF and GPS metadata from every photograph before we store it, which protects the place you took it. Nothing protects you from what is in the frame. Photograph the label. Not the room, not the person holding it, not the child in it.
6.2 Unlawful, infringing, and malicious content
You may not upload or transmit:
- content that is unlawful, that infringes anyone’s intellectual property or privacy rights, or that you do not have the right to give us;
- malware, a virus, a payload, or any file crafted to exploit our systems or the systems of anyone who later views it;
- content designed to manipulate the automated label reader into producing a value that is not on the label — including text placed in the frame for that purpose; or
- content depicting the sexual exploitation or abuse of a child, ever, under any theory.
7. Security
7.1 What you may not do to our systems
You may not:
- probe, scan, or test the vulnerability of the Service, or breach or circumvent any security or authentication measure;
- evade a rate limit, or engineer traffic to degrade the Service for anyone else;
- interfere with the Service, its infrastructure, or the network of any provider named in our Sub-processors list; or
- attempt to enumerate, guess, or brute-force certificate addresses.
7.2 Certificate enumeration, specifically
Certificate addresses carry 160 bits of randomness. They cannot be guessed, they cannot be walked, and there is no sequence to follow. That is a deliberate design property, and it exists so that a certificate you have not shared with anyone is a certificate nobody else can find.
There is therefore no innocent reason to try. Attempting to enumerate certificates is not curiosity and it is not research — it is an attempt to read other people’s private documents, we log it, and we treat it as an intrusion attempt.
7.3 Responsible disclosure
If you have found a vulnerability, we want to hear from you, and we would rather hear from you than from anyone else. Write to security@shelfstamp.com. Tell us what you found and how to reproduce it, give us a reasonable period to fix it before you publish, and do not access, alter, or exfiltrate anyone else’s data in the course of finding it.
Do that, and we will not pursue you under section 7.1 or under the Computer Fraud and Abuse Act for the research that found it. We will credit you if you want the credit, and we will keep you out of it if you do not.
8. Enforcement
8.1 The ladder
Where conduct is careless rather than dishonest, we start at the bottom of this list and climb only as far as we have to:
- A warning. An email from a person, describing what we saw and what we need to stop.
- A rate limit. Applied to a session, an address, or an account.
- Revocation of a certificate. The certificate is marked revoked on its public verification page, where everyone you have shown it to can see it. This is permanent, and it does not entitle you to a refund.
- Termination. We close the account, cancel the plan, and decline to serve you again.
- Referral. We report the conduct to law enforcement, to the CPSC or NHTSA, to a state licensing authority, to a marketplace, or to whoever else needs to know — and where a buyer has been deceived, we may tell the buyer.
8.2 When we skip the ladder
Where a fraud is live, we act immediately, without notice, and at whatever rung is necessary to stop it.
A listing is up. A buyer is on their way. A certificate for one item is attached to another. In that situation a warning is not a lesser remedy — it is a delay, and the delay is the window in which the sale completes and a recalled product reaches a child. We revoke first.
Nothing in the ladder obliges us to use it. It describes how we intend to behave, and it is not a procedural right you can hold us to.
8.3 No refund on enforcement
A certificate revoked for a breach of this Policy is not refunded, and a plan terminated for a breach of this Policy is not refunded pro-rata. See the Refund Policy.
9. Reporting abuse
If you have seen a ShelfStamp certificate used to misrepresent an item, a forged badge, a certificate attached to a product it does not describe, or anyone claiming that our Service has cleared a product for a child — tell us.
Write to legal@shelfstamp.com for a misuse or fraud report, or security@shelfstamp.com for a vulnerability. Send the certificate number or the verification link if you have it, a link to the listing, and anything you saw. You do not need an account, you do not need to be our customer, and you do not need to be sure. We would rather read ten reports that come to nothing than miss the one that does not.
If the item itself is dangerous, report it to the CPSC or NHTSA as well. They can do things we cannot, and nothing in our Terms has ever purported to stop you.