Privacy Policy

Last updated: March 11, 2026

1. Introduction

Welcome to Veltrix ("Company," "we," "us," or "our"). We are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our AI-powered e-commerce analytics platform, and interact with our integrations via the TikTok Developer API and TikTok Shop Seller API (collectively, the "Service").

Our Service integrates with TikTok's platform through authorized APIs, including the TikTok Developer API (Login Kit, Display API, Content Posting API) and TikTok Shop Open API (Seller API). We process data in compliance with the TikTok Developer Terms of Service, TikTok Developer Data Sharing Agreement, and all applicable data protection laws.

By accessing or using our Service, you agree to this Privacy Policy. If you do not agree, please discontinue use of the Service immediately.

2. Information We Collect

2.1 Account Information

When you register for or use our Service, we collect the following personal information:

  • Name, email address, and contact information
  • Account credentials (username and securely hashed password)
  • Billing and payment information (processed securely via PCI-compliant third-party payment providers; we do not store full payment card details)
  • Company or business name and business registration details

2.2 TikTok Account Data (via OAuth 2.0 Authorization)

When you connect your TikTok account through our Service, we access data via TikTok's official APIs using OAuth 2.0 with PKCE (Proof Key for Code Exchange) authorization. We only request and access scopes that are necessary for the Service to function. Data collected through TikTok APIs may include:

  • TikTok Developer API: Basic profile information (display name, avatar, open ID), video performance data (views, likes, comments, shares), and content metadata as authorized through Login Kit and Display API
  • TikTok Shop Seller API: Shop profile information, product listings, order data, transaction records, sales performance metrics, creator collaboration data, and advertising performance data as authorized by the seller

We adhere to the principle of data minimization—we only collect and process the minimum data necessary to provide our analytics and insights services. We conduct quarterly audits to ensure compliance with this principle.

2.3 Usage Data

We automatically collect certain technical information when you access our Service:

  • IP address, browser type, operating system, and device information
  • Pages visited, features used, and time spent on the Service
  • Referring URLs and search queries
  • API usage logs (endpoints accessed, request frequency, error logs)
  • Cookies and similar tracking technologies (see Section 10)

2.4 Publicly Available TikTok Data

Our platform also collects and analyzes publicly available TikTok data, including public product listings, public creator profiles, public video performance metrics, and public livestream data. This data is gathered from publicly accessible sources and processed using our AI models to provide market analytics and insights. This data does not contain personally identifiable information (PII) of private individuals.

3. How We Use Your Information

We use your information strictly for the following purposes:

  • To provide, maintain, and improve our Service, including AI-powered analytics, trend predictions, and personalized recommendations
  • To process your account registration and manage your consulting engagement
  • To access and analyze your TikTok Shop data as authorized by you through OAuth 2.0 consent
  • To generate analytics reports, dashboards, and actionable insights
  • To communicate with you about updates, features, and support requests
  • To process payments and prevent fraudulent transactions
  • To analyze usage patterns, monitor API performance, and improve user experience
  • To comply with legal obligations, including TikTok Developer Terms of Service and applicable data protection laws
  • To send marketing communications (only with your explicit opt-in consent; you may opt out at any time)

We do not use TikTok API data for purposes beyond what is described in this policy and authorized by the user. We do not use TikTok data to build user profiles for advertising or sell data to third parties.

4. TikTok API Data Handling

In compliance with TikTok's Developer Terms of Service and Data Sharing Agreement, we adhere to the following specific data handling practices:

4.1 Authorization and Consent

  • We access your TikTok data only after you explicitly authorize our application through TikTok's OAuth 2.0 authorization flow
  • We only request API scopes that are necessary for the specific features you use
  • You can revoke access to your TikTok data at any time through your TikTok account settings or by contacting us

4.2 Data Processing Limitations

  • TikTok API data is processed solely for the purpose of providing analytics and insights through our Service
  • We do not share, sell, or transfer TikTok API data to any third party for their independent use
  • We do not use TikTok API data to create competing products or services against TikTok
  • Persons authorized to process TikTok data within our organization are bound by contractual confidentiality obligations

4.3 PII Protection

  • We never share any user's Personally Identifiable Information (PII) obtained through TikTok APIs without the user's explicit consent
  • We protect user identity and anonymity in all analytics outputs unless the user explicitly requests otherwise
  • All PII is encrypted both in transit (TLS 1.3) and at rest (AES-256)

4.4 API Security

  • OAuth 2.0 with PKCE for all TikTok API authorization flows
  • Short-lived access tokens with automatic refresh token rotation
  • Least-privilege API access — we never request full account permissions
  • Compliance with TikTok's API rate limits and throttling requirements
  • All API credentials are stored in encrypted, access-controlled environments

5. Data Sharing and Disclosure

We do not sell your personal information or TikTok API data to any third party for marketing or any other purpose. We may share your data only in the following limited circumstances:

  • Service Providers: Third-party vendors who assist in operating our platform (e.g., cloud hosting, payment processing, email delivery). These providers are contractually bound to use data only for the services they provide to us and must comply with applicable data protection laws
  • Legal Requirements: When required by law, regulation, subpoena, court order, or legal process. We will notify TikTok without undue delay in the event of any regulatory investigation or request for disclosure of TikTok API data by a government agency or law enforcement authority, unless prohibited by applicable law
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, where the acquiring entity agrees to be bound by this Privacy Policy
  • With Your Consent: When you explicitly authorize us to share your information for a specific purpose

6. Data Security

We implement comprehensive security measures to protect your data:

  • Encryption: All data is encrypted in transit using TLS 1.3/SSL and at rest using AES-256 encryption
  • Access Controls: Role-based access controls (RBAC) with multi-factor authentication for all internal systems
  • API Security: OAuth 2.0 with PKCE, short-lived tokens, refresh token rotation, and encrypted credential storage
  • Infrastructure: Hosted on enterprise-grade cloud infrastructure with SOC 2 compliance
  • Monitoring: 24/7 security monitoring, intrusion detection, and automated threat response
  • Audits: Regular security audits and annual penetration testing by independent third parties
  • Incident Response: Documented incident response plan with notification procedures in compliance with applicable breach notification laws

In the event of a data breach involving TikTok API data, we will notify TikTok without undue delay in accordance with the TikTok Developer Data Sharing Agreement.

7. Data Retention

We retain your data according to the following schedules:

  • Account Information: Retained for the duration of your active engagement, plus 2 years after engagement termination for legal and audit purposes
  • Transaction Records: Retained for 7 years as required by applicable financial regulations
  • API Logs: Retained for 90 days for debugging, security monitoring, and compliance purposes
  • TikTok API Data: Cached data is refreshed regularly and deleted within 30 days of authorization revocation or account deletion
  • Analytics Data: Aggregated, anonymized analytics data may be retained indefinitely as it does not contain PII

Upon account deletion or revocation of TikTok API access, we will delete or anonymize your personal data and TikTok API data within 30 days, except where retention is required by law.

8. Your Rights

You have the following rights regarding your personal data. We will respond to all valid requests within 45 days:

  • Right to Access: Request a copy of the personal data we hold about you, including data obtained through TikTok APIs
  • Right to Correction: Request correction of inaccurate or incomplete personal data
  • Right to Deletion: Request deletion of your personal data and revocation of all TikTok API data access
  • Right to Portability: Request transfer of your data in a structured, machine-readable format
  • Right to Object: Object to processing of your data for certain purposes, including marketing
  • Right to Restrict Processing: Request that we limit how we use your data while a complaint is being investigated
  • Right to Withdraw Consent: Withdraw previously given consent at any time, including revoking TikTok API authorization
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights

To exercise any of these rights, contact us at privacy@veltrix.io. You may also revoke TikTok API access directly through your TikTok account settings at any time.

9. Legal Basis for Processing (GDPR / International)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process your personal data based on the following legal grounds:

  • Consent: When you authorize TikTok API access or opt in to marketing communications
  • Contract: When processing is necessary to provide the Service under your consulting engagement
  • Legitimate Interest: For security monitoring, fraud prevention, and service improvement
  • Legal Obligation: When we are required to process data to comply with applicable laws

We are an independent data controller under applicable data protection laws with respect to the data we receive through TikTok APIs, as specified in the TikTok Developer Data Sharing Agreement.

10. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

  • Essential Cookies: Required for the Service to function (authentication, security, session management)
  • Analytics Cookies: To understand how users interact with our Service and improve user experience
  • Preference Cookies: To remember your settings and preferences

We do not use advertising or third-party tracking cookies. You can manage cookie preferences through your browser settings. Note that disabling essential cookies may affect the functionality of our Service.

11. U.S. State Privacy Laws (CCPA/CPRA)

If you are a California resident or resident of another U.S. state with applicable privacy laws, you have additional rights:

  • Right to know what personal information we collect, use, disclose, and sell
  • Right to delete your personal information
  • Right to opt out of the sale of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising your privacy rights
  • Right to correct inaccurate personal information
  • Right to limit the use of sensitive personal information

To exercise these rights, contact us at privacy@veltrix.io.

12. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children or minors. If we become aware that we have inadvertently collected data from a person under 18, we will take immediate steps to delete such data. If you believe a minor has provided us with personal information, please contact us at privacy@veltrix.io.

13. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. When transferring data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA
  • UK International Data Transfer Agreement for transfers from the United Kingdom
  • Adequacy decisions where applicable
  • Supplementary technical and organizational measures to ensure data protection

14. Third-Party Services and Links

Our Service integrates with and may contain links to third-party services, including but not limited to TikTok, payment processors, and cloud infrastructure providers. We are not responsible for the privacy practices of these external services. We encourage you to review their respective privacy policies.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or TikTok's developer policies. We will notify you of material changes by posting the updated policy on our website, updating the "Last updated" date, and sending an email notification for significant changes. Your continued use of the Service after changes constitutes acceptance of the revised policy.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, our data practices, or your TikTok data, please contact us through any of the following channels:

We are committed to addressing all privacy-related inquiries promptly and will respond within 45 days of receiving your request.