Table of Contents
- Introduction & Scope
- Information We Collect
- How We Use Your Information
- Legal Basis for Processing
- Data Sharing & Third Parties
- International Data Transfers
- Data Retention
- Data Security
- Your Rights
- Cookies & Tracking Technologies
- Children's Privacy
- Do Not Track Signals
- California Privacy Rights
- European Economic Area Provisions
- Changes to This Privacy Policy
- Data Protection Officer & Contact
Privacy Policy
Last updated March 10, 2026
Introduction & Scope
Welcome to ShopAI ("ShopAI," "we," "our," or "us"). ShopAI is a content management and analytics platform built for TikTok Shop affiliate creators. Our platform automates the production pipeline — from product research and AI-generated scripts, to voiceover synthesis, video generation, and TikTok publishing — so that creators can focus on growing their business.
This Privacy Policy explains what personal information we collect when you use ShopAI (the "Service"), how we use and protect that information, and what rights you have regarding your data. It applies to all users of the Service worldwide, including visitors to our website and users with active accounts.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, you must discontinue use of the Service.
This policy does not govern the data practices of third-party platforms you connect to (such as TikTok, ElevenLabs, Kling AI, or ManyChat). We encourage you to review the privacy policies of those services independently.
Information We Collect
We collect information you provide directly, information generated through your use of the Service, and information retrieved from third-party platforms you connect.
a. Account Information
When you create an account, we collect your name, email address, and account credentials. If you register or log in via TikTok OAuth, we additionally receive your TikTok username, profile display name, profile photo URL, and the OAuth access tokens necessary to act on your behalf. You may also optionally provide billing details and company information.
b. TikTok Data
With your explicit authorization through TikTok's OAuth flow, we retrieve and store data from your TikTok account, including:
- Video metadata: titles, descriptions, upload timestamps, video IDs
- Performance metrics: view counts, like counts, comment counts, share counts, watch time
- TikTok Shop affiliate commission data: order counts, revenue figures, conversion rates
- Shop product performance: product IDs, click-through rates, sales attribution
- Audience engagement signals used to optimize future content
c. Content Data
The Service processes and stores content you create or that is generated on your behalf, including:
- Video scripts, hook text, and call-to-action copy
- Voiceover source text submitted to AI synthesis
- Video generation prompts and style parameters
- Metadata about generated assets (file names, durations, generation timestamps)
- Product briefs, niche research notes, and strategy overrides you configure
d. Usage Data
We automatically collect information about how you interact with the Service:
- Features accessed, buttons clicked, and workflows initiated
- Session duration, page views, and navigation paths
- Device type, operating system, browser type and version
- IP address and approximate geographic location (country/region level)
- Referring URLs and UTM parameters
- Error logs and performance diagnostics
e. AI Processing Data
To deliver core Service features, we transmit data to third-party AI providers:
- ElevenLabs: script text is sent to ElevenLabs' API for text-to-speech synthesis; generated audio is returned and stored on your behalf
- Kling AI / PiAPI: video generation prompts (which may reference product names and descriptions) are sent to generate product video clips
We retain the inputs and outputs of these AI operations so that you can review, reuse, or audit your content pipeline. We do not use your specific prompts or scripts to train our own models.
f. Payment Data
If you subscribe to a paid plan, payment processing is handled by a third-party payment processor (such as Stripe). We do not receive or store full credit card numbers, CVV codes, or bank account credentials. We receive only limited payment confirmation data (last four digits of the card, card brand, billing country, transaction IDs) necessary to manage your subscription.
g. Communication Data
If you contact us for support or send feedback, we retain records of those communications, including your email address, message content, and any attachments you provide. We use this information solely to respond to your inquiry and improve the Service.
How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Description |
|---|---|
| Service Delivery | Operate the platform, authenticate your account, execute the content pipeline, publish videos to TikTok, and sync analytics data. |
| Analytics & Reporting | Generate performance dashboards, revenue reports, and product-level insights that help you optimize your affiliate business. |
| AI Output Improvement | Analyze aggregate (de-identified) performance data to improve default script templates, prompt strategies, and pipeline automation quality. |
| Communication | Send transactional emails (account confirmations, billing receipts), product updates, and, where consented, marketing communications. |
| Security & Fraud Prevention | Detect unauthorized access, investigate abuse, enforce our Terms of Service, and protect users and the platform. |
| Legal Compliance | Comply with applicable laws, regulations, court orders, and lawful requests from public authorities. |
| Business Operations | Maintain internal records, process payments, conduct audits, and support corporate transactions (e.g., mergers). |
We will not use your personal information for any purpose that is materially incompatible with the purposes listed above without obtaining your prior consent.
Legal Basis for Processing
For users in the European Economic Area (EEA), the United Kingdom, and Switzerland, we process personal data under the following lawful bases established by the GDPR and UK GDPR:
Contract Performance (Art. 6(1)(b))
Processing your account information, TikTok data, content data, and usage data is necessary to fulfill our contractual obligations — i.e., to operate the Service you signed up for.
Legitimate Interests (Art. 6(1)(f))
We process data for security monitoring, fraud prevention, service improvement, and aggregate analytics where our legitimate interests are not overridden by your rights and freedoms.
Consent (Art. 6(1)(a))
Where we process data for marketing communications, non-essential cookies, or any purpose beyond what is required to deliver the Service, we rely on your explicit, freely given consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.
Legal Obligation (Art. 6(1)(c))
We may process data to comply with legal obligations such as tax record-keeping, responding to lawful governmental requests, or fulfilling data subject rights requests.
Data Sharing & Third Parties
We never sell your personal data. We do not sell, rent, or trade your personal information to data brokers, advertisers, or any third parties for their independent use.
We share data with the following categories of third parties, strictly as necessary to provide the Service:
We send your video files, captions, and scheduling instructions to TikTok's Content Posting API to publish videos on your behalf. We retrieve your video performance metrics and Shop analytics via TikTok's data APIs using OAuth tokens you authorize. TikTok's use of data is governed by TikTok's Privacy Policy.
Script text is transmitted to ElevenLabs' API to synthesize AI voiceovers. ElevenLabs may process this text data according to their own data handling policies. We recommend reviewing ElevenLabs' Privacy Policy. We do not send personally identifiable information such as your name or email to ElevenLabs.
Video generation prompts describing product visuals and scenes are sent to Kling AI via PiAPI's inference infrastructure. These prompts do not contain your personal account information. Generated video clips are returned and stored within your ShopAI account. Review PiAPI's Privacy Policy for their data practices.
To power automated comment-to-DM funnels on TikTok, we integrate with ManyChat. Interaction data (TikTok user identifiers of commenters, trigger keywords) may be shared with ManyChat to execute automated messaging flows. ManyChat's processing is governed by their Privacy Policy.
We use cloud hosting and object storage providers (such as AWS, Google Cloud, or equivalent) to host the Service and store your data. These providers are contractually bound to protect your data and process it only on our instruction. They are not permitted to use your data for their own purposes.
We may use privacy-respecting analytics tools to understand how the Service is used in aggregate. Where possible, we configure such tools to anonymize IP addresses and avoid tracking across third-party sites. We do not share individually identifiable usage data with analytics providers.
We may disclose your information when required to do so by law, regulation, legal process, or governmental request — including to respond to valid subpoenas, court orders, or requests from regulatory bodies. Where permitted, we will notify you before disclosing your data.
If ShopAI is involved in a merger, acquisition, financing, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you via email or prominent notice on the Service before your data becomes subject to a materially different privacy policy.
International Data Transfers
ShopAI operates globally, and your information may be transferred to, stored in, and processed in countries other than your country of residence — including the United States — where data protection laws may differ from those in your jurisdiction.
For transfers of personal data from the EEA, United Kingdom, or Switzerland to countries not recognized as providing an adequate level of data protection, we rely on appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission or UK ICO, incorporated into our contracts with processors and sub-processors
- Adequacy decisions from the European Commission where applicable
- UK International Data Transfer Agreements (IDTAs) for transfers from the United Kingdom
By using the Service, you acknowledge that your data may be transferred internationally in accordance with this section. You may request a copy of the relevant transfer mechanisms by contacting us at privacy@shopai.app.
Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by applicable law. The following retention principles apply:
| Data Category | Retention Period |
|---|---|
| Account Information | Duration of account plus 90 days post-deletion (to handle re-activation requests and support inquiries). |
| TikTok Analytics Data | Up to 24 months of historical performance data retained in your account. Data synced from TikTok is refreshed on a rolling basis. |
| Content Data (scripts, prompts, generated assets) | Retained while your account is active. Deleted within 30 days of account deletion, unless you export first. |
| Usage & Diagnostic Logs | 90 days rolling retention. Aggregated, anonymized usage statistics may be retained indefinitely. |
| AI Processing Inputs/Outputs | Retained for the lifetime of your account to support pipeline replay and audit. Purged within 30 days of account deletion. |
| Payment Records | 7 years, as required by financial record-keeping obligations. |
| Support Communications | 3 years from the date of last contact. |
When your account is deleted, we initiate a purge of your personal data within 30 days, except where longer retention is required by law or legitimate business interests (such as fraud prevention or unresolved disputes).
You may request earlier deletion of specific data categories by emailing privacy@shopai.app. We will respond within the timeframes specified in Section 9.
Data Security
We take the security of your data seriously and implement industry-standard technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction.
Technical Measures
- All data transmitted between your browser/device and our servers is encrypted using TLS 1.2 or higher
- Data stored at rest is encrypted with AES-256
- API credentials and OAuth tokens are stored encrypted and are never logged in plaintext
- Access to production data is restricted to authorized personnel using role-based access controls and multi-factor authentication
- Regular vulnerability scans and dependency audits are performed
Organizational Measures
- Employees and contractors with access to personal data are bound by confidentiality obligations
- Access to sensitive data is granted on a least-privilege basis and reviewed regularly
- Security awareness training is provided to all team members
Incident Response
In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, and notify affected users without undue delay, as required by GDPR Articles 33 and 34. Notifications will include the nature of the breach, its likely consequences, and the measures taken to address it.
No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security. You are also responsible for maintaining the security of your account credentials.
Your Rights
Depending on your location, you have various rights regarding the personal data we hold about you. We are committed to honoring these rights promptly and transparently.
GDPR Rights (EEA, UK & Switzerland)
- Right of Access — Request a copy of all personal data we hold about you, along with information about how it is processed.
- Right to Rectification — Request correction of inaccurate or incomplete personal data without undue delay.
- Right to Erasure — Request deletion of your personal data ("right to be forgotten") where it is no longer necessary for the original purpose.
- Right to Restriction — Request that we restrict processing of your data in certain circumstances, such as while a dispute is resolved.
- Right to Portability — Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Right to Object — Object to processing based on legitimate interests or for direct marketing purposes at any time.
- Automated Decision-Making — Not be subject to solely automated decisions that produce significant legal or similarly significant effects, without human review.
- Right to Withdraw Consent — Where processing is based on consent, withdraw that consent at any time without affecting prior lawful processing.
CCPA Rights (California Residents)
- Right to Know: Request disclosure of the categories and specific pieces of personal information collected, the purposes of collection, and the categories of third parties with whom we share it.
- Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions (e.g., completing transactions, legal compliance).
- Right to Opt-Out of Sale: We do not sell personal information. No opt-out is necessary, but you may submit a request confirming this at any time.
- Right to Correct: Request correction of inaccurate personal information we maintain about you.
- Right to Non-Discrimination: We will not deny services, charge different prices, or provide a different quality of service because you exercised your CCPA rights.
How to Exercise Your Rights
To submit any privacy rights request, email us at privacy@shopai.app with the subject line "Privacy Rights Request." Please include your full name, email address associated with your account, and a description of your request. We may ask you to verify your identity before processing the request.
Response Timeframes
- GDPR requests: We will respond within 30 days of receipt. In complex cases, we may extend this by an additional 60 days with prior notice.
- CCPA requests: We will respond within 45 days of receipt. Extensions of up to 45 additional days are possible with notice.
If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority (for EEA users: your national supervisory authority; for UK users: the Information Commissioner's Office at ico.org.uk).
Cookies & Tracking Technologies
We use cookies and similar technologies (pixels, local storage, session storage) to operate the Service, maintain your session, and understand usage patterns. The following categories of cookies are used:
| Category | Purpose | Required? |
|---|---|---|
| Strictly Necessary | Authentication, session management, security tokens. Without these, the Service cannot function. | Yes |
| Functional | Remembering your preferences (language, timezone, display settings) to personalize your experience. | No |
| Analytics | Understanding how features are used in aggregate to improve the Service. IP addresses are anonymized where possible. | No |
| Performance | Monitoring Service availability and response times to identify and resolve infrastructure issues. | No |
Controlling Cookies
You can control non-essential cookies through our cookie preference center (accessible from the footer of the Service). Additionally, most browsers allow you to block or delete cookies through browser settings. Blocking strictly necessary cookies will prevent you from using the Service. For more information on managing cookies, visit allaboutcookies.org.
We do not use tracking technologies for cross-site behavioral advertising, and we do not share cookie data with advertising networks.
Children's Privacy
The Service is not directed to, and we do not knowingly collect personal information from, children under the age of 13 (or under the age of 16 for users in the EEA). Our platform is designed for use by content creators managing commercial affiliate businesses, and requires a TikTok account and acceptance of third-party API terms that themselves restrict access to minors.
If you believe we have inadvertently collected information from a child below the applicable age threshold, please contact us immediately at privacy@shopai.app and we will take prompt steps to delete that information.
Parents or legal guardians who have concerns about their child's use of the Service should also contact us directly.
Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals to websites. At this time, there is no universally accepted standard for how websites should respond to DNT signals, and we do not currently alter our data collection or usage practices in response to DNT signals.
However, we provide opt-out controls for non-essential cookies and analytics tracking through our cookie preference center, and we honor Global Privacy Control (GPC) signals as a valid opt-out of data sale or sharing for California residents, consistent with CCPA requirements.
California Privacy Rights
This section supplements the rights described in Section 9 and addresses specific California privacy laws, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and the California "Shine the Light" law (Civil Code § 1798.83).
CCPA / CPRA Specifics
In the preceding 12 months, ShopAI has collected the following categories of personal information as defined by the CCPA:
- Identifiers (name, email, IP address, TikTok username, device identifiers)
- Internet or network activity (usage logs, feature interactions)
- Geolocation data (country/region level only)
- Professional or employment-related information (creator business context)
- Audio, electronic, visual, or similar information (AI-generated voiceovers)
- Inferences drawn from the above to create a profile of preferences for service optimization
We collect this information for the business purposes described in Section 3. We do not sell personal information and have not done so in the preceding 12 months. We do not share personal information for cross-context behavioral advertising.
As a California resident, you may designate an authorized agent to submit requests on your behalf. We will require written authorization or proof of power of attorney, and may verify your identity directly before acting on an agent-submitted request.
Shine the Light
California Civil Code § 1798.83 permits California residents to request information about disclosures of personal information to third parties for their direct marketing purposes. We do not share personal information with third parties for their independent direct marketing purposes, so no such disclosures have occurred. If you have questions, contact us at privacy@shopai.app.
European Economic Area Specific Provisions
For users located in the EEA, UK, or Switzerland, the following additional provisions apply under GDPR and UK GDPR:
Data Controller
ShopAI acts as the data controller for personal data processed through the Service. Where we engage third-party processors (such as ElevenLabs or cloud infrastructure providers), we enter into Data Processing Agreements (DPAs) to ensure they process data only on our documented instructions.
Automated Decision-Making & Profiling
The Service uses automated processes to analyze content performance metrics and generate product recommendations and script suggestions. These automated recommendations are provided as advisory outputs — they do not constitute automated decision-making that produces legal or similarly significant effects on you. You retain full control over which products to promote and which content to publish.
Data Protection Officer
We have designated a Data Protection Officer (DPO) responsible for overseeing our compliance with data protection obligations. The DPO can be reached at privacy@shopai.app with the subject line "DPO Inquiry."
Supervisory Authority
If you are located in the EEA and have concerns about our data processing that we have not resolved to your satisfaction, you have the right to lodge a complaint with your national data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal obligations, or Service features. When we make changes, we will:
- Update the "Last updated" date at the top of this page
- For material changes that significantly affect your rights or our use of your data, provide at least 30 days' advance notice via email to your registered address and/or a prominent in-app notification
- For minor, non-material clarifications, update this page without separate notification
Your continued use of the Service after the effective date of any updated policy constitutes your acceptance of the revised terms. If you do not agree with a material change, you may delete your account before the change takes effect.
We encourage you to review this page periodically to stay informed about how we protect your information. Prior versions of this policy are available upon request.
Data Protection Officer & Contact
If you have any questions, concerns, or requests related to this Privacy Policy or the way we handle your personal data, please contact us using the details below. We take all privacy inquiries seriously and aim to respond promptly.
[Street Address]
[City, State, ZIP]
United States
For GDPR-related inquiries, please include "GDPR Request" in the subject line.
For CCPA-related inquiries, please include "CCPA Request" in the subject line.
We will make every reasonable effort to resolve your privacy concern directly. If you are not satisfied with our response, you retain the right to escalate your complaint to the appropriate regulatory authority in your jurisdiction, as described in Sections 9 and 14.
This Privacy Policy is provided in English. In the event of any conflict between translated versions and the English version, the English version shall prevail.