Verdict

EXHIBIT A

TikTok.

"we watch what you watch — and what you almost watched."

TikTok grabs your videos before you ever hit upload §2.2, reads your keystroke rhythms §3.3, scans your face and body features for "demographic classification" §3.5, and ships it all to servers in Singapore, Malaysia, Ireland and the United States §7 where the rest of the ByteDance corporate group §6.4 gets to play. The For You algorithm makes decisions about you — they call it "automated processing" §13.3 and admit you can't always opt out. Deletion is offered §8 but the policy reserves indefinite retention of "non-personally identifiable" derivatives §13.2. They have been fined or banned on four continents.

Social Media

Analyzed: 2026-05-23

§2 · The short version

TL;DR — 8 answers.

The eight things you actually want to know, at a glance.

TL;DR — 8 answers F

YES Do they sell your data?

YES Are they tracking you on other sites?

YES Can your data train their AI?

~ Who can see what you do?

~ Can you delete everything?

NO Do they honor your opt-out?

~ Special handling for minors?

YES Been fined for this before?

§3 · The details

The questions, answered.

No legalese. Every answer the way your most cynical friend would put it.

YES

§6.3

Do they sell your data?

They "share" with advertisers, ad networks, publishers and measurement partners — and let advertisers bid on ad opportunities. That's selling with extra steps.

YES

§4

Are they tracking you on other sites?

TikTok Advertiser Tools (pixel/SDK) feed your activity from other websites and apps back into your TikTok profile. They also accept hashed emails and phone numbers from partners.

YES

§5.3

Can your data train their AI?

Yes. The policy lists "train and improve our technology, such as our machine learning models and algorithms" as a flat-out purpose. No opt-out offered.

COND.

§6.4

Who can see what you do?

Advertisers and measurement partners always · the ByteDance corporate group · service providers including content moderation contractors · sellers if you shop · governments on request.

COND.

§10

Can you delete everything?

You can delete your account in Settings, but they may keep "other information about you to process the violation," and Indonesia's section explicitly allows non-PII retention forever.

§8

Do they honor your opt-out?

No mention of Global Privacy Control. Cookie/ad opt-outs must be repeated per browser, per device, per app — and may break functionality.

COND.

§11

Special handling for minors?

Under 13 nominally blocked (higher in some countries). 13–17 still get tracked, profiled and content-moderated automatically. Several regional sections require 18+ but rely on self-declaration.

YES

§6.4

Been fined for this before?

$5.7M FTC/COPPA (2019), £12.7M ICO (2023), €345M Irish DPC for kids' data (2023), €530M Irish DPC for China transfers (2025). Banned outright in India.

§3 · The privacy card

At a glance, honestly.

Eight signals, color-coded. Like a model card for a machine — except the machine is reading your data.

Privacy Card · TikTok · Analyzed 2026-05-23

Data sold / shared YES BAD

Cross-site tracking YES BAD

AI training YES opt-out: unavailable

Deletion right AVAIL. GOOD

GPC honored NO BAD

Keeps forever? YES BAD

Child protections COND. MIXED

Automated decisions YES human review: yes

Collects

Identifiers, Biometric-ish Data, Location, User Content, Clipboard +6 more

Shares with

Advertisers, ad networks, publishers, measurement partners, ByteDance corporate group / affiliates, Service providers (cloud + content moderation), Sellers and payment providers +2 more

§5 · The label they should have shown you

The Privacy Label, honestly.

An Apple-style label for what's collected and a Cranor-style back-of-pack for what they do with it. Every cell links to the exact line in their policy.

TIKTOK — DATA COLLECTED

PER APPLE PRIVACY-LABEL TAXONOMY ↗

● USED TO TRACK YOU

Data shared with third parties for cross-property tracking.

Identifiers §3.3

User ID · Device ID · IP address · Advertising ID

Location §3.4

Approximate (SIM + IP) · Precise GPS with permission

Browsing & Usage §3.1

Browsing history · Search history · Videos watched · Watch dwell · Favourites

Off-Platform Activity §4

Cross-site actions via TikTok Advertiser Tools/Pixel · Hashed email and phone from partners

◐ LINKED TO YOU

Tied to your identity and stored against your account.

Biometric-ish Data §3.5

Face and body features in your videos · Voice/audio in User Content · Keystroke patterns or rhythms

User Content §2.2

Videos · Photos · Audio · Drafts you never posted · Livestreams · Messages

Clipboard §2.4

Text, images, video on your device clipboard

Contacts & Social Graph §2.6

Phone contacts (names, numbers, emails) · Social network contacts

Inferred Sensitive Info §3.2

Inferred gender · Inferred age range · Inferred interests

Contact & Account Info §2.1

Username · Email · Phone · Date of birth · ID/age proof

Purchase Info §2.5

Payment card · Billing/delivery address · Items purchased

○ NOT LINKED TO YOU

Aggregated, supposedly anonymous.

Other Data

— none claimed —

↓ BACK OF LABEL · WHAT THEY DO WITH IT (CRANOR FRAMEWORK)

Purposes

Personalisation (For You ranking), Personalised advertising on and off the Platform, Train ML models and algorithms, Content moderation & safety scanning, Demographic classification of users via image/audio, Inferring age, gender, interests. §5.1

6+ stated purposes. The interesting ones are buried in §7.

Sold or shared?

Yes. Advertisers, ad networks, publishers, measurement partners, ByteDance corporate group / affiliates, Service providers (cloud + content moderation), Sellers and payment providers, Law enforcement and public authorities, Acquirers in any sale/merger. §6.3

"We don't sell data" is technically true and substantively false.

Retention

Indefinite, with caveats. §10

"As long as necessary" — never defined. Account info kept while account exists; "other information" kept after violations; Indonesia supplemental explicitly allows non-PII to be retained indefinitely for analytics.

User controls

Deletion: Available · Opt-out: Limited §8

Delete works. Opting out of inference does not exist.

Honors GPC?

No. §8

Global Privacy Control browser signal: ignored.

Automated decisions

Yes. With human review. §13.3

For You ranking / content recommendations · Ad targeting · Automated content moderation (removal, suspension, ban) · Demographic classification from your face/voice. All algorithmic.

AI training on your data

Yes. No opt-out. §5.3

Your public posts/photos train commercial models.

Children's data

Under 13 blocked · 13–17 limited §8

Ad targeting paused for teens, but content profile still kept.

Breach disclosure

"As required by law." §15.3

Translation: the bare minimum legal window in your jurisdiction.

§5 · The receipts

The receipts, translated.

Five of the worst clauses, lifted verbatim. Strikethroughs are theirs. Marginalia is ours.

TIKTOK PRIVACY POLICY · §2.2 — USER CONTENT §2.2

We collect User Content through pre-loading at the time of creation, import, or upload, regardless of whether you choose to save or upload that User Content, ↑ the drafts you deleted. yes, those. in order to recommend audio options and provide other personalized recommendations. i.e., to train the algorithm on you If you apply an effect to your User Content, we may collect a version of your User Content that does not include the effect. they keep the un-filtered face

DRAFTS ≠ PRIVATE

TIKTOK PRIVACY POLICY · §3.5 — IMAGE & AUDIO INFORMATION §3.5

We may collect information about the videos, images and audio that are a part of your User Content, such as identifying the objects and scenery that appear, the existence and location within an image of face and body features and attributes, ↑ this is biometric data, just named carefully the nature of the audio, and the text of the words spoken in your User Content. We may collect this information to enable special video effects, for content moderation, for demographic classification, ↑ guessing your race, age, gender from your face for content and ad recommendations, and for other non-personally-identifying operations. ↑ "non-PII" is a legal fiction, not a technical fact

FACE-SCAN IN DISGUISE

TIKTOK PRIVACY POLICY · §3.3 — TECHNICAL INFORMATION §3.3

We collect certain information about the device you use to access the Platform, such as your IP address, user agent, mobile carrier, time zone settings, identifiers for advertising purposes, model of your device, the device system, network type, your screen resolution and operating system, app and file names and types, keystroke patterns or rhythms, ↑ how fast and rhythmically you type. behavioral biometric. battery state, audio settings and connected audio devices. We automatically assign user IDs and device IDs. Where you log-in from multiple devices, we use your information such as your device IDs and user ID to identify your activity across devices. cross-device graph, automatic. We may also associate you with information collected from devices other than those you use to log-in to the Platform. ↑ they track you on devices you never logged in on.

SHADOW PROFILE

TIKTOK PRIVACY POLICY · §6.4 — OUR CORPORATE GROUP §6.4

We may also share your information with other members, subsidiaries, or affiliates of our corporate group, ↑ ByteDance. all of it. including to provide the Platform, to improve and optimise the Platform, to prevent illegal use and to support users. "and to support users" = blank-cheque clause

BYTEDANCE FAMILY PLAN

TIKTOK PRIVACY POLICY · §13.2 — INDONESIA SUPPLEMENT (RETENTION) §13.2

After you have terminated your use of our Platform and the five (5) years retention period has lapsed, we store your information in an aggregated and anonymised format. "anonymised" = re-identifiable in 3 lines of SQL Non-personally identifiable information may be retained indefinitely for analytics. ↑ forever. there it is.

RETENTION: ∞

§6 · The deceptive design

Dark patterns spotted.

Tricks the policy and surrounding UX use to make you "consent" without really consenting.

Forced consent

§1

There is no "no." Using the Platform is treated as agreement; the only alternative offered is to leave.

"If you do not agree with this policy, you should not use the Platform.

"Continued use = consent" trap

§12

Policy updates are pushed unilaterally. The moment you open the app after a change, you've legally accepted whatever they wrote.

"Your continued access to or use of the Platform after the date of the updated policy constitutes your acceptance of the updated policy.

Background collection of unsubmitted content

§2.2

The app uploads your video drafts and pre-effect raw footage before you ever decide to post. The dark pattern is the absence of any toggle.

"We collect User Content through pre-loading at the time of creation, import, or upload, regardless of whether you choose to save or upload that User Content

Euphemistic naming of biometrics

§3.5

Face geometry and voiceprint analysis are reframed as "identifying objects" and "non-personally-identifying operations," making it sound like ordinary computer vision.

"the existence and location within an image of face and body features and attributes

Per-browser, per-device opt-out maze

§8

There is no central opt-out. You must repeat the dance for every browser, every device, every app permission — and they warn it will break the product.

"your opt-out selection is specific to the particular browser or device that you are using when you opt out, so you may need to opt-out separately for each of browser or device

Coerced data provision

§13.1

Refusing to hand over data is reframed as your problem: features will be removed until you comply.

"In some cases, if you refuse to provide your data, you may be restricted from the use of certain Services.

§7 · What you can actually do

Your rights, by where you live.

Same company, wildly different rights depending on your jurisdiction. Direct links to the specific opt-out / delete / access flows.

EU (GDPR)

DIFFICULTY: MEDIUM

✓ Right of access
✓ Right to erasure
✓ Right to rectification
✓ Right to data portability
✓ Right to object to processing
✓ Right not to be subject to solely automated decisions
✓ Right to lodge a complaint with a DPA

REQUEST →

Source: §8

California (CCPA / CPRA)

DIFFICULTY: HARD

✓ Right to know
✓ Right to delete
✓ Right to correct
✓ Right to opt out of "sharing" for cross-context behavioral ads
✓ Right to limit use of sensitive personal information

REQUEST →

Source: §8

Default (rest of world)

DIFFICULTY: NIGHTMARE

✓ Whatever your local law happens to grant
✓ Subject to TikTok's discretion on what is "reasonably necessary"
✓ No statutory deadline promised
✓ Indonesia: non-PII can be kept forever
✓ Latin America: refusing data = losing features

REQUEST →

Source: §13.1

§8 · Receipts

The actual sources.

Every claim above is anchored to a line in the policy we analyzed. Click any section ID to view it in context.

ANALYZED BY: claude (via Claude Code sub-agent) · PROMPT VERSION: honest-policy-v1.4-subagent · ANALYZED AT: 2026-05-23T00:00Z
SOURCE: https://www.tiktok.com/legal/page/row/privacy-policy/en · POLICY VERSION: 2025-07-08 · SNAPSHOT HASH: auto

§1

Introduction & forced agreement

"If you do not agree with this policy, you should not use the Platform."

Original → Snapshot →
§2.1

What we collect — Account information

"You give us information when you register on the Platform, including your username, password, date of birth (where applicable), email address and/or telephone number, information you disclose in your user account, and your photograph or profile video."

Original → Snapshot →
§2.2

What we collect — User Content (including unsubmitted drafts)

"We collect User Content through pre-loading at the time of creation, import, or upload, regardless of whether you choose to save or upload that User Content, in order to recommend audio options and provide other personalized recommendations."

Original → Snapshot →
§2.3

What we collect — Messages

"We collect information you provide when you compose, send, or receive messages through the Platform’s messaging functionalities and the associated metadata, subject to applicable laws."

Original → Snapshot →
§2.4

What we collect — Clipboard access

"We may access content, including text, images, and video, found in your device’s clipboard, with your permission."

Original → Snapshot →
§2.5

What we collect — Purchase information

"When you make a purchase or payment on or through the Platform, including when you buy TikTok Coins or purchase goods through our shopping features, we collect information about the purchase or payment transaction, such as payment card information, billing, delivery, and contact information, and items you purchased."

Original → Snapshot →
§2.6

What we collect — Phone & social contacts

"If you choose to sync your phone contacts, we will access and collect information such as names, phone numbers, and email addresses, and match that information against existing users of the Platform."

Original → Snapshot →
§3.1

Automatically collected — Usage information

"We collect information regarding your use of the Platform, e.g., how you engage with the Platform, including how you interact with content we show to you, the advertisements you view, videos you watch and problems encountered, browsing and search history, the content you like, the content you save to ‘My Favourites’, the users you follow and how you engage with mutual followers."

Original → Snapshot →
§3.2

Automatically collected — Inferred information

"We also infer your attributes, including your interests, gender and age range for the purpose of personalising content."

Original → Snapshot →
§3.3

Automatically collected — Technical & cross-device

"We collect certain information about the device you use to access the Platform, such as your IP address, user agent, mobile carrier, time zone settings, identifiers for advertising purposes, model of your device, the device system, network type, your screen resolution and operating system, app and file names and types, keystroke patterns or rhythms, battery state, audio settings and connected audio devices."

Original → Snapshot →
§3.4

Automatically collected — Location

"We collect information about your approximate location, including location information based on your SIM card and/or IP address. With your permission, we may also collect precise location data (such as GPS)."

Original → Snapshot →
§3.5

Automatically collected — Image & audio (biometric-adjacent)

"We may collect information about the videos, images and audio that are a part of your User Content, such as identifying the objects and scenery that appear, the existence and location within an image of face and body features and attributes, the nature of the audio, and the text of the words spoken in your User Content."

Original → Snapshot →
§3.6

Automatically collected — Cookies and pixels

"We and our service providers and business partners use cookies and other similar technologies (e.g., web beacons, flash cookies, etc.) (“Cookies”) to automatically collect information, measure and analyze how you use the Platform"

Original → Snapshot →
§4

Information from other sources — Advertisers, partners, off-platform tracking

"Advertisers, publishers, and measurement and other partners share information with us about you and the actions you have taken outside of the Platform, such as your activities on other websites and apps or in stores"

Original → Snapshot →
§5.1

How we use — Personalisation / For You

"To personalise the content you see when you use the Platform."

Original → Snapshot →
§5.2

How we use — Personalised advertising on and off Platform

"To measure and understand the effectiveness of the advertisements and other content we serve to you and others, and to deliver advertising, including personalised advertising, to you on and off the Platform."

Original → Snapshot →
§5.3

How we use — ML / AI training

"To train and improve our technology, such as our machine learning models and algorithms."

Original → Snapshot →
§5.4

How we use — Safety, scanning and moderation

"To promote the safety, security of the Platform, including by scanning, analyzing, and reviewing User Content, messages and associated metadata for violations of our Terms of Service, Community Guidelines, or other conditions and policies."

Original → Snapshot →
§5.5

How we use — Inferring age, gender, interests

"To infer additional information about you, such as your age range, gender, and interests."

Original → Snapshot →
§6.1

How we share — Business partners & social login

"If you choose to allow a third-party service to access your account, we will share certain information about you with the third party"

Original → Snapshot →
§6.2

How we share — Service providers (cloud, moderation, analytics)

"We provide information and content to service providers who support our business, such as cloud service providers and providers of content moderation services"

Original → Snapshot →
§6.3

How we share — Advertisers, ad networks, publishers, measurement

"We share information with advertisers, advertising partners, publishers, and third-party measurement companies to show how many and which users of the Platform have viewed or clicked on an advertisement"

Original → Snapshot →
§6.4

How we share — Corporate group (ByteDance affiliates)

"We may also share your information with other members, subsidiaries, or affiliates of our corporate group, including to provide the Platform, to improve and optimise the Platform, to prevent illegal use and to support users."

Original → Snapshot →
§6.5

How we share — For legal reasons / government requests

"We will share your information with law enforcement agencies, public authorities or other organisations if legally required to do so"

Original → Snapshot →
§6.6

How we share — Sale, merger, bankruptcy

"if we sell, buy, merge, are acquired by, or partner with other companies or businesses, or sell some or all of our assets. In such transactions, user information may be among the transferred assets."

Original → Snapshot →
§7

Where we store your information (Singapore, Malaysia, Ireland, US)

"Your information may be stored on servers located outside the country where you live, such as in Singapore, Malaysia, Ireland and the United States."

Original → Snapshot →
§8

Your rights and choices — controls, deletion, cookie opt-out

"your opt-out selection is specific to the particular browser or device that you are using when you opt out, so you may need to opt-out separately for each of browser or device. If you choose to refuse, disable, or delete Cookies, some of the functionality of the Platform may no longer be available to you."

Original → Snapshot →
§9

Security — no guarantees

"we cannot guarantee the security of your information transmitted via the Platform; any transmission is at your own risk."

Original → Snapshot →
§10

How long we keep your information

"If you violate our Terms of Service, Community Guidelines, or other conditions or policies, we may remove your account from the Platform or User Content from public view immediately, but may keep other information about you to process the violation."

Original → Snapshot →
§11

Information relating to children and teens

"TikTok is not directed at children under the age of 13."

Original → Snapshot →
§12

Privacy Policy updates (continued-use = consent)

"Your continued access to or use of the Platform after the date of the updated policy constitutes your acceptance of the updated policy."

Original → Snapshot →
§13.1

Latin America supplement — consent by use & coerced data

"In some cases, if you refuse to provide your data, you may be restricted from the use of certain Services."

Original → Snapshot →
§13.2

Indonesia supplement — indefinite analytics retention

"Non-personally identifiable information may be retained indefinitely for analytics."

Original → Snapshot →
§13.3

Nigeria supplement — automated processing / moderation

"You have the right not to be subject to decisions based solely on automated processing which produces legal or similar significant effect concerning you. However, you may not be entitled to this right, where the decision becomes necessary for the performance of the contract between us, or where you have given us your consent, or as authorised by law."

Original → Snapshot →