Privacy Policy | TikTok Shop Data Safety & Security
1. Introduction & Data Controller
ListHeal ("we," "us," or "our") is committed to protecting the privacy and security of our users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the ListHeal platform ("Service").
For the purposes of the UK GDPR, EU GDPR, and applicable data protection regulations, the data controller is LAYER DECISION LTD, a company registered in England and Wales under Company Number 17255053, with its registered office in England and Wales at Office 19305 182-184 High Street North, East Ham, London, United Kingdom, E6 2JA. ListHeal is a product of LAYER DECISION LTD. Contact email: privacy@listheal.com.
ListHeal operates as an independent third-party service and is not affiliated with TikTok or ByteDance. This policy covers only data processed by ListHeal, not by TikTok.
2. Information We Collect
2.1 Account Information
- Name and email address (provided during registration)
- Authentication credentials (hashed and salted; we never store plaintext passwords)
- Google account identifiers (if you use Google Sign-In)
2.2 TikTok Shop Data (via API)
When you connect your TikTok Shop, we access the following through TikTok's official Partner API:
- Product listing data: Product titles, descriptions, categories, attributes, and compliance status
- Product images: Processed by our AI vision models to extract compliance information (CE/UKCA markings, BPR registration numbers, Responsible Person data)
- Shop identifier: Your TikTok Shop ID for webhook routing
We do NOT access: Order data, customer data, financial data, messages, analytics, or any personal data about your customers.
2.3 Payment Information
Payment information is processed securely by our Merchant of Record, Paddle. ListHeal never collects, processes, or stores your payment card details on our servers. All transaction details are processed under Paddle's privacy and security terms.
2.4 Usage & Technical Data
- IP addresses and browser user-agent strings (for security and rate limiting)
- Timestamps of API requests and webhook events
- AI diagnosis logs (which compliance fields were extracted, confidence scores)
- Error logs for debugging purposes
3. How We Use Your Information
- Service Delivery: To monitor your listings, run AI compliance analysis, generate corrected metadata, and resubmit listings to TikTok
- Billing: To track which listings were successfully healed and generate accurate invoices
- Account Management: To authenticate you, manage your shop connections, and provide customer support
- Service Improvement: To improve our AI models' accuracy and confidence thresholds (using aggregated, anonymised data only)
- Security: To detect and prevent fraud, abuse, or unauthorised access
- Legal Compliance: To comply with applicable laws, regulations, and legal requests
4. TikTok API Data Handling
In compliance with TikTok's Developer Terms:
- We access TikTok data only for the purpose you authorised — compliance remediation of product listings
- We do not sell, rent, or share TikTok-sourced data with third parties
- Product images are processed in-memory by our AI models and are not permanently stored after diagnosis is complete
- We retain listing metadata and heal history for audit and billing purposes for up to 24 months, after which it is automatically purged
- If you revoke ListHeal's API access through TikTok Partner Center, we cease all data access immediately
5. Data Sharing & Third Parties
We share data only with the following categories of service providers, and only as necessary:
- TikTok (via Partner API): Corrected listing metadata submitted for your approval
- Google Cloud / Gemini AI: Product images sent for AI vision analysis (processed under Google's enterprise data processing terms; not used for model training)
- Paddle: Payment processing and Merchant of Record services
- Supabase: Database hosting (encrypted at rest and in transit)
We do not sell your personal information. We do not share your data with advertisers or data brokers.
6. Data Security
- All data in transit is encrypted using TLS 1.3
- All data at rest is encrypted using AES-256
- Webhook payloads are verified using HMAC-SHA256 signature validation
- Admin access requires a separate authentication layer with audit logging
- API keys and secrets are stored in environment variables, never in source code
7. Data Retention
- Account data: Retained while your account is active, plus 90 days after deletion request
- Listing data & heal history: Retained for 24 months for billing audit trail, then automatically deleted
- Product images: Processed in-memory only; not retained after AI analysis
- Logs: Retained for 90 days, then automatically purged
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and associated data
- Portability: Request your data in a structured, machine-readable format
- Objection: Object to processing of your data for specific purposes
- Revoke Access: Disconnect your TikTok Shop at any time through TikTok Partner Center
To exercise any of these rights, contact privacy@listheal.com. We will respond within 30 days.
If you believe we have not processed your data in compliance with data protection laws, you have the right to lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) (ico.org.uk). In the EU, you can find your national Data Protection Authority via the European Data Protection Board (edpb.europa.eu).
9. Cookies
ListHeal uses only essential cookies for authentication session management. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
10. Children's Privacy
ListHeal is a business-to-business service intended for TikTok Shop sellers who are 18 years of age or older. We do not knowingly collect data from anyone under 18.
11. International Data Transfers
Your data may be processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers, including Standard Contractual Clauses where applicable.
12. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email or in-app notification at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision.
13. Contact Us
For privacy-related inquiries:
Email: privacy@listheal.com
Subject Line: Privacy Inquiry — [Your Name]