Privacy policy
Official Privacy Terms
Platform-Specific Privacy Policies
For users of our third-party integrated applications, please refer to the dedicated privacy policies below:
- TikTok App “GuoLan HomeStyle” Privacy Policy: https://golantechcn.com/pages/tiktok-app-privacy-policy
- LinkedIn App "Anhui Guolan Marketing Platform" Privacy Policy: https://golantechcn.com/pages/guolan-linkedin-privacy
- Meta App "GuoLan Pod" Privacy Policy:
I. General Provisions
These Privacy Terms (hereinafter referred to as the "Terms") constitute a compliance agreement regarding personal information processing activities between you (hereinafter referred to as the "Developer") and TikTok (hereinafter referred to as the "Platform") during the use of API Services. These Terms are a supplementary agreement to the API Terms of Service.
By applying for or using the TikTok API (including interfaces, SDKs, and related tools, collectively referred to as the "API Services"), or actually processing any personal information obtained through the API, the Developer is deemed to have fully read, understood, and agreed to all contents of these Terms, as well as globally applicable data protection regulations (including but not limited to China's Personal Information Protection Law, the EU's GDPR, and the US CCPA).
The Platform reserves the right to modify these Terms based on regulatory updates or business adjustments. Modifications will be announced via the Developer Portal. If the Developer does not raise a written objection within 7 days of the announcement or continues to use the API Services, it will be deemed to have accepted the modified Terms.
II. Core Definitions
- Personal Information: Refers to any information recorded electronically or by other means related to an identified or identifiable natural person, excluding anonymized information. This includes, but is not limited to, user nicknames, contact details, and behavioral data.
- Sensitive Personal Information: Refers to personal information that, if leaked or illegally used, may easily infringe upon personal dignity or cause harm to personal or property safety. This includes biometric information, medical and health information, financial account information, etc.
- Data Processing: Encompasses the entire lifecycle of activities involving personal information, including its collection, storage, use, processing, transmission, provision, disclosure, and deletion.
- Anonymization: Refers to the process of treating personal information with technical means so that it cannot be used to identify a specific natural person and cannot be restored.
III. Core Principles of Data Processing
- Lawfulness, Fairness, and Good Faith: The Developer must have a legal basis for processing personal information. Data must not be obtained or processed through misleading, fraudulent, or coercive means, and processing must not violate laws, regulations, public order, or good customs.
- Purpose Limitation and Data Minimization: The Developer may only collect the minimum necessary personal information required to achieve the approved purposes of the API. Data shall not be processed beyond the agreed purposes, and information unrelated to the functionality shall not be collected.
- Openness and Transparency: The Developer must inform users of the data processing rules in a clear and understandable manner, including key information such as the processing purpose, methods, scope, and storage period, safeguarding users' right to know.
- Security Safeguards: Security protection measures commensurate with the data risk level must be implemented to ensure the confidentiality, integrity, and availability of personal information, and to prevent its leakage, loss, or tampering.
IV. Developer's Data Processing Obligations
(1) Data Collection and Consent
The Developer must obtain the user's explicit and voluntary consent before collecting personal information. Consent must be actively given by the user (e.g., by checking a confirmation box, clicking an authorization button). Pre-ticked boxes or bundled consent are not allowed.
The information provided to the user must include: the identity and contact information of the data processor, the purpose and methods of processing, the types of personal information, storage periods, and how users can exercise their rights. Separate consent must be obtained for sensitive personal information.
If the purpose or method of data processing changes, the Developer must re-obtain user consent and promptly update its privacy policy.
(2) Data Use and Storage
Data may only be used within the scope of permissions granted by the API approval. The Developer shall not process data beyond the authorized scope or scenario, nor use data for purposes not clearly disclosed to users, such as marketing promotion or user profiling.
The storage period for personal information shall not exceed the shortest time necessary to achieve the processing purpose. Upon expiration of this period, the Developer must immediately anonymize or completely delete the information, unless otherwise stipulated by laws and regulations.
The buying, selling, renting, sharing, or providing of personal information to third parties is prohibited, unless separate user consent is obtained and the provision is reported to the Platform.
The Developer shall not perform operations such as decoding, de-anonymizing, reverse-engineering, or re-identifying individuals from personal information.
(3) Data Security Safeguards
The Developer must establish a sound data security management system, deploy technical measures such as Data Loss Prevention (DLP) and access controls, encrypt data transmission using TLS 1.2 or higher, and employ strong encryption algorithms like AES-256 for storing sensitive data.
Data access permissions must be restricted based on the principle of least privilege, complete access logs must be recorded and retained for at least 6 months, and these logs should be tamper-evident.
Regular data security audits and risk assessments must be conducted, security drills should be performed at least quarterly, and system vulnerabilities must be promptly addressed.
In the event of an actual or potential data breach, the Developer must immediately take remedial measures, notify the Platform within 24 hours, inform affected users and relevant regulatory authorities within 72 hours, and provide an explanation of the cause, scope of impact, and remedial actions taken.
V. Safeguarding User Rights
The Developer must provide users with convenient channels to exercise their rights, supporting their rights to access, correct, supplement, delete their personal information, and to withdraw their consent.
Upon receiving a user request to exercise their rights, the Developer must complete verification and respond within 15 business days, and shall not refuse or delay without just cause, unless otherwise stipulated by laws and regulations.
The Developer shall not refuse to provide API-related products or services to users because they withdraw consent or exercise their data rights (except where the processing of personal information is necessary for providing the service).
If automated decision-making (e.g., precise recommendations, eligibility checks) is conducted via the API, the Developer must ensure the transparency and fairness of the decisions, avoid unreasonable differential treatment, and users have the right to require an explanation of the decision logic and to refuse decisions based solely on automated decision-making that significantly affect their rights.
VI. Rules for Cross-Border Data Transfers
When transferring personal information overseas, the Developer must comply with the laws and regulations of both the data origin and destination countries, ensuring the transfer path is legal and compliant.
The following situations require prior reporting to the Platform and completion of corresponding compliance procedures:
- Transferring important data or sensitive personal information of more than 10,000 individuals overseas;
- Cumulative transfer of personal information of more than 100,000 individuals overseas;
- Transfer of personal information or important data overseas by Critical Information Infrastructure Operators.

Cross-border transfers must adopt necessary safeguard measures, including signing standard contracts, passing personal information protection certification, or obtaining approval from a data export security assessment, to ensure that the data protection level of the overseas recipient is no lower than the statutory standard.
For transfers not requiring a data export security assessment declaration, relevant supporting documents must be retained for at least 3 years for potential review by the Platform and regulatory authorities.
VII. Prohibited Acts
Developers are prohibited from using the API Services to engage in the following data processing activities:
- Illegally collecting, stealing, altering, or leaking personal information, or buying, selling, providing, or disclosing personal information;
- Discriminatory processing or incitement to discrimination based on sensitive characteristics such as race, religion, gender, or age;
- Using data for surveillance, tracking, or activities that infringe upon users' privacy rights;
- Processing data beyond the agreed scope, or using data for automated decision-making that significantly impacts user rights without consent;
- Circumventing or bypassing the Platform's data security protection measures, or reverse-engineering the API to obtain unauthorized data;
- Other activities that violate data protection regulations or these Terms.
VIII. Platform Rights and Responsibilities
The Platform has the right to supervise and inspect the Developer's data processing activities, and may request the Developer to provide privacy compliance documentation, data processing records, etc.
If the Platform discovers that the Developer is processing data in violation of these Terms, it has the right to take measures such as issuing warnings, restricting API calls, suspending, or terminating services, and may report to regulatory authorities if necessary.
The Platform respects the Developer's legitimate intellectual property and trade secrets, and will not disclose the Developer's business data within the bounds of compliance, unless required by law or agreed by the Developer.
The Platform provides API technical documentation and basic compliance guidance, but the Developer independently bears the legal responsibilities and user disputes arising from its data processing activities.
IX. Liability for Breach
If the Developer violates these Terms or relevant data protection regulations, it shall bear all resulting losses (including losses to the Platform, user compensation, and regulatory fines, etc.).
If the Developer's non-compliant data processing leads to penalties for the Platform or involves it in disputes, the Developer shall fully compensate the Platform for direct and indirect losses (including legal fees, litigation costs, etc.).
If the Developer's actions are suspected of constituting a crime, the Platform will refer the matter to judicial authorities and reserves the right to pursue legal liability.
X. Dispute Resolution and Governing Law
The interpretation and execution of these Terms shall be governed by the laws of the People's Republic of China (if the Developer is located outside China, the laws of the jurisdiction agreed by both parties shall apply).
Any dispute arising from these Terms shall first be resolved through friendly negotiation. If negotiation fails, either party has the right to file a lawsuit with the competent people's court in the location of the Platform.
XI. Miscellaneous
Matters not covered by these Terms shall be governed by the API Terms of Service and other data security rules published by the Platform.
If the Developer has questions regarding these Terms, it may consult customer service through the Developer Portal. The Platform's compliance guidelines, technical documentation, etc., serve as supplementary explanations to these Terms and have the same effect.