Aragon Media Creator Partner Program

Privacy Policy

Effective date: April 30, 2026 · Version 1.0

Aragon Media (“we,” “us,” the “Agency”) operates the Creator Partner Program at kevin-aragon.com and portal.kevin-aragon.com (the “Portal”). This policy explains exactly what creator data we collect, where it lives, who can see it, and what control you have over it. We wrote this in plain English on purpose — if anything is unclear, email aragonkevin239@gmail.com.

01 What we collect

To operate the verification, payout, and chat workflow, we collect:

  • Account info: your email address, first/last name, country, time zone.
  • TikTok handles: @username and follower-count for each account you submit for verification.
  • TikTok login credentials (when you submit them on an order): email/phone, password. Encrypted at rest in our database.
  • Payment references: Square payment ID, amount, tier, fee snapshot. We never see your full card number — Square handles that on their hosted checkout.
  • Withdrawal-form submissions: withdrawal amount, date, source account, screenshot proof, your bank or payout details (so we can pay you).
  • Contract audit log: when you click-to-sign the operations agreement, we record your signature, the timestamp, and the contract version. This is required to make the agreement legally enforceable for both parties.
  • Chat messages between you and the Aragon Media team inside the Portal.
  • Operational metadata: session tokens (hashed), one-time verification codes (hashed, 15-minute TTL), basic request logs from Vercel.

02 What we do NOT collect

  • We do not collect or store full credit-card or banking-PAN data — Square is the merchant of record.
  • We do not run third-party advertising trackers, Google Analytics, Facebook Pixel, or session-replay tools on the Portal.
  • We do not sell, rent, or trade creator data to third parties. Ever.

03 Where it lives

Creator data is stored on infrastructure operated and overseen by Aragon Media:

  • Account & portal data sits in our managed database, hosted in the United States. TikTok credentials are encrypted at rest.
  • File uploads (such as screenshot proofs on withdrawal forms) are stored on object storage tied to Aragon Media's operations.
  • App hosting runs on US-based serverless infrastructure under Aragon Media's control.
  • Transactional email (verification codes, receipts, payout confirmations) is sent through a vetted email provider.
  • Payments are processed through a PCI-DSS-certified payment provider; we never see your full card number.
  • TikTok Shop integration uses standard OAuth tokens scoped to read your shop's GMV and order data on your behalf. We never gain write access to your TikTok account.

Specific vendor names are intentionally not listed here; if you need a current list of subprocessors for due-diligence purposes, email us and we'll share one privately.

04 Who can see your data

Inside Aragon Media, only Kevin Aragon (Head Manager) and team members holding the admin role inside the Portal can view your account data. Admin access is logged. We do not share creator data with other creators, advertisers, or external agencies.

We will only disclose your data to law enforcement or government agencies if compelled by valid legal process (subpoena, court order). If we receive such a request, we will notify you unless legally prohibited from doing so.

05 How we use it

  • Verification: log into your TikTok Shop account once, perform the agency verification handshake, then sign out. Credentials are not used after verification.
  • Payouts: match your withdrawal-form submissions to TikTok Shop balances tied to our agency account, then send your share to the bank info you provide.
  • Communication: the in-Portal chat with the AM team, plus transactional email (verification codes, receipts, payout confirmations).
  • Contract enforcement: the audit log on your click-to-sign operations agreement.
  • Service operation: debugging, abuse prevention, fraud detection.

06 TikTok credentials — special handling

We strongly recommend you change your TikTok password as soon as we mark your account as verified and you sign our device out. After that point, any credential we have on file is dead and useless.

While credentials are on file, they are encrypted at rest with AES-256-GCM, with the key held in Vercel's environment variable store (separate from the database). Credentials are only decrypted in-memory during the verification session and never logged.

07 Retention

  • Account + chat history: retained as long as your relationship with Aragon Media is active, plus 24 months after offboarding (for tax + dispute records).
  • TikTok credentials: retained while your TikTok account is under management. You can render any stored credentials useless at any time by changing your TikTok password (which we strongly recommend after verification completes).
  • Withdrawal-form records: retained for 7 years (tax recordkeeping).
  • Verification codes + session tokens: auto-purged after expiry (15 minutes / 30 days respectively).
  • Server logs: 30 days on Vercel, then auto-rotated.

08 Your rights

You can, at any time:

  • Request a copy of all data we hold on you (we'll send it within 30 days).
  • Request correction of any inaccurate data via Settings or by emailing us.
  • Request deletion of your account and associated data, subject to the retention requirements above.
  • Withdraw your consent and end your relationship with Aragon Media at any time per the Terms of Service.

Email aragonkevin239@gmail.com with the subject line “Data request — [your name]” to exercise any of these rights.

09 Cookies

We use one cookie: am_session — a hashed session token tied to your account. It is HTTP-only, Secure, SameSite=Lax, and expires after 30 days of inactivity. We do not use any other cookies, trackers, or fingerprints for advertising or analytics.

10 Children

The Portal is intended for creators 18 years of age or older. We do not knowingly collect data from anyone under 18. If we learn we have, we will delete it.

11 Changes to this policy

If we make material changes, we will email every active creator at least 14 days before they take effect, and post the change history on this page. The current version is shown at the top.

Aragon Media · 1309 Coffeen Ave, Sheridan, WY 82801
Questions? aragonkevin239@gmail.com
See also: Terms of Service