Privacy Policy
Last updated: 2026-05-16 · Effective: 2026-05-16
1. Who we are
Controller: Produtora MaxVision, Brazil. Contact: [email protected]. We operate the "MaxVision TikTok Suite" plugin and Model Context Protocol (MCP) server for Claude Code that automates interactions with TikTok and TikTok Shop on behalf of users authenticated through the official TikTok OAuth flows.
2. Scope
This policy applies to (a) visitors of tiktok.produtoramaxvision.com.br, (b) users who install the Claude Code plugin, and (c) tenants whose TikTok or TikTok Shop accounts are accessed via OAuth through our MCP server. The plugin and server are operated as commercial software with Free, Pro, Shop+, and Agency tiers via Stripe.
3. Data we collect
3.1 From the website
- Standard request logs: IP, user-agent, referrer, timestamp — retained 30 days for security and analytics.
- Cloudflare CDN edge data (aggregated, anonymized).
- Stripe Checkout collects payment details directly — we never see card numbers.
3.2 From plugin users
- License key (hashed at rest) bound to a Stripe customer and tier.
- API key (prefix mxv_) for server-to-MCP authentication.
- Audit log of MCP tool calls: tool name, hashed input/output, success/error, latency, timestamp. Raw tool inputs and outputs are NOT stored.
3.3 From OAuth-authorized TikTok accounts
- Access tokens and refresh tokens (encrypted at rest with AES-256-GCM).
- Scopes granted by you through the TikTok consent screen (user.info.basic, video.list, shop.products.read, etc.).
- Cached responses from TikTok APIs (video metadata, order metadata) — TTL 1h to 7d depending on resource type.
- We do not access: direct messages, private videos that the granted scopes did not authorize, payment instrument details, or any data outside requested scopes.
4. Why we process it (legal basis)
- Contract performance (LGPD art. 7º, V / GDPR art. 6(1)(b)) — to provide the plugin functionality you paid for.
- Legitimate interest (LGPD art. 7º, IX / GDPR art. 6(1)(f)) — fraud prevention, security logs, rate limit enforcement.
- Consent (LGPD art. 7º, I / GDPR art. 6(1)(a)) — OAuth scopes granted to TikTok require your explicit consent through the official TikTok flow.
5. With whom we share
- TikTok / TikTok Shop / TikTok Business — for API calls you authorize.
- Apify Inc. — managed scraping provider for public TikTok content.
- Bright Data — proxy for direct TikTok web requests (Web Unlocker).
- Cloudflare Inc. — CDN, Workers, KV, Pages, DNS.
- Stripe Inc. — payment processing and subscription management.
- Anthropic PBC — Claude Code is the host runtime; the plugin runs locally on your machine and calls our MCP server.
- Cloud VPS provider (Oracle Cloud Brazil region).
- We do not sell personal data.
6. International transfers
Data may be processed in the United States (Stripe, Cloudflare, Apify) and Europe (some Cloudflare PoPs). Transfers rely on Standard Contractual Clauses and the EU-US Data Privacy Framework where applicable.
7. Retention
- Account record + license: while subscription active + 24 months after cancellation (tax/legal).
- OAuth tokens: revoked and deleted on disconnect, or 90 days after last use.
- Audit log: 12 months rolling.
- Cache: as per TTL listed in section 3.3, max 30 days.
- Web logs: 30 days.
8. Your rights (LGPD art. 18 / GDPR art. 15–22)
You may at any time request:
- Confirmation of processing and a copy of your data.
- Correction of inaccurate data.
- Anonymization, blocking, or deletion of unnecessary data.
- Portability of your data to another provider.
- Revocation of consent and revocation of OAuth grants (also possible in TikTok's settings).
- Information about whom we shared data with.
Send requests to [email protected]. We respond within 15 days (LGPD) / 30 days (GDPR).
9. Security
Encryption at rest (AES-256-GCM) for all OAuth tokens and cookies. TLS 1.2+ in transit. Hashed license keys and audit log I/O. Rate limiting and abuse detection. Annual security review.
10. Cookies
The marketing site uses only essential cookies (no analytics or advertising trackers). Stripe Checkout may set its own cookies on its domain.
11. Children
The Service is not intended for users under 18. We do not knowingly process data from minors.
12. Changes
We may update this policy. Material changes are notified by email to active subscribers and posted here.
13. Contact
Data Protection Officer (Encarregado): [email protected].
Brazilian DPA (ANPD): www.gov.br/anpd.