Not quite. The messages aren't being sent from the device, they're being sent by Path from their own infrastructure once they've uploaded the address-book.
An app generally needs a backend and it is clear some of the policies are directed towards not the app itself but how it interacts with the backend. These same guidelines are meant to be used to stop apps such as malware games that collect contacts and send them to the backend to be used as spam email lists.
