Privacy Policy

Last updated: 29 June 2026

1. Who we are

Tokloom (the “Service”) is operated from Bangladesh and accessed at tokloom.com. This Privacy Policy explains what personal data we collect, why we collect it, who we share it with, and the rights you have over it. By using the Service you agree to this Policy.

2. What we collect

We collect only the data needed to provide the Service:

  • Account data — your email address and Google account identifier. You sign in with Google; we never see or store your Google password.
  • Connected TikTok accounts — when you connect a TikTok account we store an OAuth access token and refresh token, encrypted at rest with AES-256, used only to publish content and read post stats on your behalf. See §3.
  • Content you create — your automations (niches, keywords, schedules), curated image collections, and the captions, sourced images, and videos generated for you.
  • Usage metrics — monthly counters for videos generated, used to enforce plan limits.
  • Payment data — handled entirely by our payment processor (Polar); we never receive your full card details. We do store the processor’s customer and subscription IDs so we can link your account to your subscription.
  • Technical logs — standard server logs (IP address, request path, user-agent, timestamps) kept for security and debugging.

3. TikTok data

When you connect a TikTok account, we request the scopes user.info.basic, video.publish, and video.upload solely to: identify your connected account, upload and publish the videos you configure, and retrieve view/like/share counts to show you analytics. We publish only according to the automations you set up — we never post outside your configured settings, and we do not sell or share your TikTok data with third parties.

By using these features you also agree to the TikTok Terms of Service and TikTok Privacy Policy. You can revoke our access at any time by disconnecting the account on the Accounts page, or by removing the app in your TikTok settings.

4. How we use your data

We use your data only to:

  • Authenticate you and provide the Service’s features;
  • Source images, generate captions and videos, and publish posts to your TikTok accounts;
  • Retrieve and display post analytics;
  • Enforce plan limits and process payments;
  • Send transactional emails (subscription confirmations, support replies);
  • Diagnose errors and prevent abuse.

We do not sell your data, use it for advertising, or use your content to train any AI model.

5. Third-party processors

We rely on a small number of vetted sub-processors, each bound by its own privacy policy and processing only the data necessary for its specific role:

  • Supabase — database, authentication, and file storage;
  • Hetzner & Cloudflare — server hosting, CDN, and DDoS protection;
  • Google (Gemini) & Anthropic (Claude) — AI caption and script generation (niche / keywords only);
  • Replicate — AI video generation (for video content types);
  • Pexels & Pinterest — royalty-free and curated image sourcing;
  • TikTok — publishing your posts and retrieving their statistics;
  • Polar — payment processing and Merchant of Record;
  • Resend — transactional email delivery.

This list is updated whenever a category of sub-processor is added or changed.

6. International data transfers

Our infrastructure and sub-processors operate primarily in the United States and the European Union. By using the Service from outside these regions you consent to your data being transferred to and processed in those regions. Where required by law, the processors above use standard contractual clauses or equivalent safeguards.

7. Data retention

Generated videos are temporary and deleted shortly after publishing (TikTok keeps the published copy). We keep your account data and content for as long as your account exists. When you delete your account, all your data — connected accounts and stored TikTok tokens, automations, posts, collections, and subscription records — is deleted from our database within a reasonable period via cascading deletion. Some technical logs (security and billing audit trails) may be retained by our processors for up to 90 days as required for fraud prevention and tax compliance.

8. Your rights

Depending on where you live (EU/EEA, UK, California, Bangladesh, and other jurisdictions), you may have the right to:

  • Access the personal data we hold about you;
  • Correct inaccurate data;
  • Delete your account and the data it contains;
  • Export your data in a portable format;
  • Object to or restrict certain processing;
  • Withdraw consent (where processing is based on consent);
  • Lodge a complaint with your local data protection authority.

You can delete your account at any time from your settings, or by emailing [email protected], and we will respond within 3 days.

9. Cookies and local storage

We use cookies and browser local storage strictly for essential functionality: keeping you signed in (your authentication session token), remembering your active account and plan to avoid UI flicker, and storing your interface preferences. We do not use third-party advertising cookies or cross-site tracking, and we do not sell your data.

10. Children

The Service is intended only for adults aged 18 and over. It is not directed to children, and we do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has provided us with data, contact us and we will remove it.

11. Security

All traffic between your browser and our servers is encrypted with TLS. Connected TikTok tokens are encrypted at rest with AES-256. Database tables enforce row-level security so each user can only read their own rows. No system is perfectly secure; if we become aware of a breach that affects your data we will notify you and the relevant authorities as required by law.

12. Changes to this Policy

We may update this Policy from time to time. We will post the updated version on this page and update the “Last updated” date above. For material changes we will give reasonable notice via email or in-app.

13. Contact

For privacy questions or to exercise the rights above, email [email protected].