Privacy Policy

1. Who we are

"Creavo" is a software-as-a-service product operated by ALLOZA LLC, a United States limited liability company. Creavo helps TikTok Shop sellers discover affiliate creators, launch collaborations, and track affiliate performance — exclusively through TikTok's official Affiliate APIs.

Creavo is not affiliated with, endorsed by, or operated by TikTok, ByteDance, or any of their affiliates. Where this policy refers to "we", "us", or "our", it means ALLOZA LLC.

2. Information we collect

Account information. When you register, we collect your email address and any name or company name you choose to provide. Billing details are processed by our payment provider (Stripe) — we never store card numbers or bank details.

TikTok Shop connection. When you connect your TikTok Shop via OAuth, TikTok issues us an access token and refresh token (stored encrypted), along with your shop identifier and public shop metadata.

Data returned by TikTok APIs. On your instruction, we call TikTok Shop Affiliate APIs and temporarily cache the responses:

Usage and diagnostic data. Request logs, error traces, and aggregated usage metrics to operate and improve the service. No browser fingerprinting; we do not sell data to advertisers.

3. Cookies and tracking technologies

We use a minimal set of cookies and similar technologies to operate the service:

We do not use advertising cookies, third-party tracking pixels, or cross-site tracking technologies.

TikTok OAuth flow. When you click "Connect TikTok Shop", your browser is redirected to TikTok's authorization page. During that flow, TikTok may set its own cookies subject to TikTok's Privacy Policy. We have no control over TikTok's cookies.

You can delete cookies in your browser settings at any time. Deleting the session cookie will sign you out of Creavo.

4. How we use information

• To provide the features you activate in Creavo (creator discovery, collaboration management, reporting).
• To operate, secure, debug, and improve the service.
• To send transactional emails (receipts, security alerts, account notices).
• To comply with legal obligations and TikTok's developer terms and data sharing agreement.

We do not use your data or your customers' data to: train shared machine-learning models, serve advertising, sell to data brokers, or engage in cross-context behavioral advertising.

5. Legal bases (GDPR)

Where the GDPR or UK GDPR applies, we process personal data under the following legal bases:

• Contract (Art. 6(1)(b)) — processing necessary to provide Creavo to you under our Terms of Service.
• Legitimate interest (Art. 6(1)(f)) — to secure and operate the service, prevent fraud, and maintain audit logs.
• Consent (Art. 6(1)(a)) — for optional marketing communications. You may withdraw consent at any time via the unsubscribe link or by emailing privacy@tikada.xyz.
• Legal obligation (Art. 6(1)(c)) — where required by applicable law (e.g. tax records, law enforcement requests).

6. Sharing of data and sub-processors

We do not sell personal information. We share data only as described below:

We require all sub-processors to maintain security standards no less protective than those described in this policy. A current, detailed sub-processor list is available on request at privacy@tikada.xyz.

7. TikTok as an independent data controller

When you use Creavo's "Connect TikTok Shop" feature, you are redirected to TikTok's OAuth authorization page. During and after that flow, TikTok acts as an independent data controller with respect to data it collects about you, your shop, and your creators.

TikTok's collection and use of that data is governed by TikTok's Privacy Policy and TikTok Shop Seller Privacy Policy, not by this document. ALLOZA LLC has no control over, and is not responsible for, TikTok's data practices.

Data that TikTok returns to Creavo via the API is processed by us as described in Sections 2–6 above. We handle that data as an independent controller acting on your instructions, consistent with TikTok's Developer Data Sharing Agreement.

We do not:

• Sell or disclose TikTok API data to any third party for cross-context behavioral advertising.
• Combine TikTok API data with external data sources to build advertising profiles.
• Use TikTok creator data for any purpose other than providing Creavo features to you.

8. Data retention

Anonymized, aggregated statistics (e.g. total number of campaigns run) may be retained indefinitely as they contain no personal information.

9. OAuth deauthorization

You may revoke Creavo's access to your TikTok Shop at any time from two places:

• Inside Creavo — Settings → Connected Accounts → Disconnect.
• Inside TikTok — TikTok Shop Seller Center → Authorized Apps → Revoke.

When TikTok sends us a deauthorization notification (or when you disconnect inside Creavo), we will:

1. Immediately invalidate the OAuth access token and refresh token.
2. Stop all scheduled API calls for that shop.
3. Delete all cached API responses associated with that shop within 24 hours.
4. Retain only records required for legal, billing, or audit purposes (e.g. subscription history, anonymized usage logs).

10. Your rights

Depending on your jurisdiction, you may exercise the following rights by emailing privacy@tikada.xyz. We verify identity before acting and respond within 30 days (GDPR) or 45 days (CCPA).

• Access — obtain a copy of the personal data we hold about you.
• Correction — rectify inaccurate or incomplete data.
• Deletion — request erasure of your personal data (subject to legal holds).
• Portability — receive your data in a machine-readable format.
• Objection — object to processing based on legitimate interest.
• Restriction — request that we limit processing while a dispute is resolved.
• Withdraw consent — at any time for consent-based processing, without affecting prior processing.

California residents (CCPA / CPRA). You have the right to know what personal information we collect and how it is used, to delete your personal information, to correct inaccurate information, and to opt out of the sale or sharing of your personal information. We do not sell or share personal information for cross-context behavioral advertising. To exercise your rights, email privacy@tikada.xyz with the subject line "CCPA Request".

If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority (e.g. the FTC in the US, the ICO in the UK, or your EU member state supervisory authority).

11. Security and breach notification

We apply the following technical and organizational measures to protect personal data:

• TLS 1.2+ for all public traffic; TLS 1.3 preferred internally.
• HSTS with preload enabled on tikada.xyz and all subdomains.
• OAuth credentials encrypted at rest using AES-256-GCM authenticated encryption.
• Principle of least privilege across all operator roles; MFA enforced for administrative access.
• All administrative access logged in a tamper-evident audit trail retained for 24 months.
• Regular security reviews and dependency scanning via automated tooling.

Data breach notification. In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware (as required by GDPR Art. 33).
• Notify affected users without undue delay when the breach is likely to result in high risk to their rights (GDPR Art. 34 / CCPA).
• Provide details of the nature of the breach, the data affected, our response actions, and recommended steps for affected users.

To report a security vulnerability, contact security@tikada.xyz. We acknowledge security reports within 48 hours.

12. International transfers

Creavo's infrastructure is located in the United States. If you access the service from outside the US, your data is transferred to and processed in the US. For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to the US, we rely on the European Commission's Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms recognized by the relevant authority.

When TikTok processes data in connection with your use of their API, TikTok's own transfer mechanisms apply. Refer to TikTok's Privacy Policy for details.

13. Automated decision-making

Creavo uses algorithmic scoring to rank creator search results based on factors such as GMV, follower count, and category relevance. This scoring is a tool to assist your decision-making — it does not produce legal or similarly significant effects on any individual, and no collaboration invitation is sent without your explicit approval.

We do not engage in automated decision-making that produces legal effects concerning any natural person, as defined in GDPR Article 22.

14. Children

Creavo is a business-to-business product intended solely for use by legal entities and adult individuals operating TikTok Shop accounts. It is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have done so in error, contact privacy@tikada.xyz immediately and we will delete the data without delay.

15. Changes to this policy

We will notify account owners of material changes at least 30 days before they take effect — by email to the address on your account and by posting an updated version on this page with a new effective date. Non-material changes (e.g. clarifications, formatting) may be posted without advance notice.

Continued use of Creavo after the effective date of a material change constitutes acceptance of the updated policy.

16. Contact us

For any questions about this policy, to exercise your privacy rights, or to request our sub-processor list: