Personal Information Protection Standard – Detailed Policy

Introduction & Document Control

This page contains the complete Personal Information Protection Standard (PIPS) policy for BLK BOX Social Commerce LLC. The standard outlines our organizational, technical, administrative, and physical controls to protect personal information when providing TikTok Shop growth marketing and analytics services. See below for full details on document control, definitions, roles and responsibilities, categories and purposes of processing, processing principles, consent, retention, safeguards, third parties, data subject rights, incident response, training, audit, law compliance, TikTok-specific commitments, and how to contact us.

Effective Date: May 12, 2026 | Version: 1.0 | Owner: Becca Neises, Founder & Head of Growth. Document type: Internal Policy & External Compliance Attestation. Review Cycle: Annual or on material change. Organization: BLK BOX Social Commerce LLC (“BLK BOX Social”). This standard is published at https://blkboxsocial.com/legal/personal-information-protection-standard.

Purpose: This Standard specifies the controls BLK BOX Social applies to protect Personal Information (PI) processed for clients, creators, affiliates, and employees, in alignment with TikTok Developer requirements, GDPR, CCPA/CPRA, COPPA, and other applicable laws.

Scope: Applies to all PI BLK BOX Social collects, receives, processes, or stores—including PI from TikTok APIs, clients, end users, creators, staff, and any sub-processors—regardless of location or engagement.

Definitions: “Personal Information” (PI) means any data identifying or linked with an individual or household. “Sensitive PI” includes identifiers like government ID, location, health, financial, minors’ info, etc. “Processing” means any operation (collecting, storing, accessing, etc.) performed on PI. “Controller” decides processing purposes; “Processor” acts on controller’s behalf; “Data Subject” is the individual.

Roles & Responsibilities: The Founder (Becca Neises) approves this Standard and handles privacy inquiries. The Privacy & Security Lead enforces the Standard and manages vendor oversight and incident response. Personnel access PI only as needed, complete training, and report incidents. Sub-processors are bound to equal protections.

What principles guide how we process personal information?

BLK BOX Social adheres to GDPR Article 5/TikTok Developer Data Sharing standards: lawfulness, fairness, transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity/confidentiality; accountability.

What categories of personal information are processed?

We may process names, contact info, TikTok handles/IDs, transactional details, analytics, brand and creator metrics, employee records, etc. Sensitive data is not intentionally collected; minors are not targeted, and any such data is promptly deleted.

What are the purposes for processing? How does consent work?

PI is processed only for business functions (managing TikTok Shop, affiliate programs, analytics, communication, legal compliance/fraud prevention). BLK BOX Social as Controller gives notice and gains consent per law. As Processor, we act on Controller instructions and never use PI for unrelated purposes.

Data Minimization, Access Limitation, Retention & Disposal

Only necessary data fields are collected via minimal API scopes/OAuth. PI access is role-based and reviewed quarterly. MFA is enforced on all accounts, and secrets are securely managed. PI is retained only as long as required. See detailed schedule: TikTok operational data (client engagement +90 days), analytics (36 months), creator records (program +24 months), client/vendor contracts (7 years), personnel (engagement +7 years), prospects (24 months since last contact). Data is securely deleted or anonymized per documented schedule.

Technical, Administrative & Physical Safeguards

Technical: All PI encrypted in transit (TLS 1.2+) and at rest (AES-256); secrets managed securely; SSO & MFA required; access logs enabled; cloud infrastructure hardened. Administrative: All personnel sign privacy/confidentiality agreements and receive mandatory training. Access is regularly reviewed. Sub-processors are bound by equivalent agreements. Physical: No on-premise servers; devices are secured, encrypted, locked, and remotely wiped if lost.

How are sub-processors and third parties managed?

We only engage vetted, documented sub-processors (Vercel, Supabase, Google, GitHub, Anthropic, Cruva, Windsor.ai, etc.) under binding privacy/security agreements. Material changes are communicated to clients and a current list is available upon request.

How do cross-border data transfers and data subject rights work?

International transfers comply with EU Standard Contractual Clauses, UK IDTA, or applicable law. Individuals may request access, correction, or deletion by emailing privacy@blkboxsocial.com. When acting as Processor, we forward end-user requests to the relevant Controller.

How do we respond to incidents or breaches?

Incidents must be reported within 24 hours. The Document Owner coordinates triage, containment, analysis, and notification to Controllers/TikTok as law requires. Affected parties are notified within 72 hours in line with GDPR and contract terms.

Vendor Management, Training, Audit & Compliance

Vendors with PI access are reviewed for privacy/security capability, contractually bound, and compliance is reviewed annually. All personnel complete onboarding and annual privacy/security training. The PIPS is reviewed at least annually and after any material business/technical/legal change. BLK BOX Social cooperates with audits/requests from clients, controllers, TikTok, and regulators.

Compliance, TikTok-Specific Commitments, Approval & Contact

This Standard aligns with EU/UK GDPR, CCPA/CPRA, COPPA, FTC Act, TikTok Developer Data Sharing Agreement and Privacy Policy, ISO/IEC 27001/27701, and NIST Privacy Framework. TikTok-specific: BLK BOX Social only processes Developer Services Data per TikTok contract, notifies TikTok of incidents, assists with user rights, and deletes/returns data as required. Attestation: Controls are in place and maintained as of May 12, 2026 by: Becca Neises, Founder & Head of Growth.

Contact & Publication

Privacy Contact: privacy@blkboxsocial.com | General Contact: hello@blkboxsocial.com | Website: blkboxsocial.com. This Standard is available at https://blkboxsocial.com/legal/personal-information-protection-standard and may be provided to clients, Controllers, sub-processors, and regulators upon request.
