Privacy Policy

Last updated: May 24, 2025

This Privacy Policy describes how NexlaHQ ("the Platform," "we," "us," or "our") collects, uses, stores, and protects information when authorized users access the Platform. By using the Platform, you agree to the practices described herein.

1. About This Platform

NexlaHQ is a secure advertising management dashboard that uses authorized TikTok authentication to support advertising operations for organizations that hold valid TikTok Business Accounts and have been granted access to the TikTok Marketing API. The Platform is not publicly available — access is restricted to invited, authenticated personnel only.

All interactions with TikTok data are conducted through the official TikTok Marketing API using OAuth2 authorization tokens explicitly granted by account holders.

2. Information We Collect

We collect only the minimum information necessary to operate the Platform securely:

  • Account information: Full name and email address provided at registration, used solely for authentication and identification within the Platform.
  • Authentication credentials: Passwords are stored as bcrypt hashes (never in plain text). Session refresh tokens are stored as SHA-256 hashes only; raw tokens are never persisted.
  • TikTok OAuth2 tokens: Access and refresh tokens issued by TikTok through the official OAuth2 consent flow, stored to enable authorized API operations on behalf of the user. These tokens are scoped strictly to permissions the user explicitly grants via TikTok's authorization screen.
  • Advertising operation records: Metadata relating to campaign management, creative management, and reporting operations performed through the Platform, including operation status, timestamps, and results — retained for audit and troubleshooting purposes.
  • System logs: HTTP request method, endpoint path, HTTP status code, and response time. Request bodies and personal data are not included in system logs.

3. How We Use Your Information

Information collected is used exclusively for the following operational purposes:

  • Authenticating and authorizing platform users.
  • Performing campaign management, analytics, reporting, and creative management operations on TikTok on behalf of explicitly authorized users.
  • Displaying operation history, performance data, and status information in the dashboard.
  • Maintaining platform security, detecting unauthorized access, and supporting incident response.
  • Complying with applicable legal obligations.

We do not use your information for advertising, profiling, or any purpose unrelated to operating the Platform. We do not sell, rent, license, or share your information with any third party except as required to interact with the TikTok Marketing API on your behalf.

4. TikTok API Data

When you authorize the Platform to access your TikTok Business Account, the Platform interacts with the TikTok Marketing API to retrieve and manage advertising data (campaigns, ad groups, ads, creatives, analytics, and reporting data) within the scope of permissions you have granted.

This data is processed solely to provide the Platform's functionality. Data retrieved from TikTok is governed by TikTok's Privacy Policy and TikTok Marketing API Terms of Service. You may revoke the Platform's access to your TikTok account at any time through TikTok's account settings or through the Platform's Authentication page.

5. Data Storage and Security

All Platform data is stored in a PostgreSQL database hosted on infrastructure controlled by the operating organization. The following security measures are applied:

  • Passwords stored as bcrypt hashes (12 rounds); never stored in plain text.
  • Refresh tokens stored as SHA-256 hashes; raw token values are never persisted.
  • Access tokens have a 15-minute lifetime and are held in server memory only — not written to disk or database.
  • TikTok OAuth tokens are stored in the database under application-level access controls, accessible only to the token owner.
  • All production traffic is served over HTTPS with enforced HTTP security headers (HSTS, X-Frame-Options, Content-Security-Policy, etc.).
  • CORS is restricted to explicitly configured, authorized origins.
  • Access to the Platform is restricted to authenticated, invited users only.

6. Session Management

The Platform uses a dual-token session model:

  • Access tokens expire after 15 minutes and are held in server memory only.
  • Refresh tokens are valid for 7 days. Each time a refresh token is used, it is immediately revoked and replaced with a new token — preventing replay attacks.
  • Signing out revokes the active refresh token, terminating the session completely.
  • Administrators may revoke all active sessions for any user account.
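The hashing and rotation rules from sections 5 and 6 (refresh tokens persisted only as SHA-256 digests, single-use rotation on refresh, 15-minute access tokens in process memory, revocation on sign-out and by an administrator) can be shown together in one small store. The code below is an added illustration, not NexlaHQ's own implementation: `SessionStore`, `ManualClock` and the method names are hypothetical, an in-memory dictionary stands in for the PostgreSQL refresh-token table, and bcrypt password hashing is left out because it needs a third-party library.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Lifetimes as stated in the policy (sections 5 and 6).
ACCESS_TTL_SECONDS = 15 * 60
REFRESH_TTL_SECONDS = 7 * 24 * 60 * 60


def sha256_hex(token: str) -> str:
    """Digest stored instead of the raw refresh token; the raw value is never persisted."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ManualClock:
    """Test clock so lifetimes can be checked without sleeping (illustration only)."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class RefreshRecord:
    user_id: str
    expires_at: float
    revoked: bool = False


class SessionStore:
    """Hypothetical dual-token store; a dict stands in for the database table."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        # Refresh-token "table": keyed by SHA-256 hex of the raw token, never the raw token.
        self._refresh: Dict[str, RefreshRecord] = {}
        # Access tokens live only in process memory: raw token -> (user_id, expires_at).
        self._access: Dict[str, Tuple[str, float]] = {}

    def issue_session(self, user_id: str) -> Tuple[str, str]:
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        now = self._now()
        self._access[access] = (user_id, now + ACCESS_TTL_SECONDS)
        self._refresh[sha256_hex(refresh)] = RefreshRecord(user_id, now + REFRESH_TTL_SECONDS)
        return access, refresh

    def verify_access(self, raw_access: str) -> Optional[str]:
        entry = self._access.get(raw_access)
        if entry is None:
            return None
        user_id, expires_at = entry
        if expires_at <= self._now():
            self._access.pop(raw_access, None)  # expired: drop it from memory
            return None
        return user_id

    def rotate(self, raw_refresh: str) -> Optional[Tuple[str, str]]:
        """Use a refresh token once: revoke it and issue a fresh access/refresh pair."""
        rec = self._refresh.get(sha256_hex(raw_refresh))
        if rec is None or rec.revoked or rec.expires_at <= self._now():
            return None  # unknown, already used (replay), or past 7 days
        rec.revoked = True
        return self.issue_session(rec.user_id)

    def sign_out(self, raw_refresh: str) -> bool:
        rec = self._refresh.get(sha256_hex(raw_refresh))
        if rec is None or rec.revoked:
            return False
        rec.revoked = True
        return True

    def revoke_all(self, user_id: str) -> int:
        """Administrator action; assumption: in-memory access tokens are dropped as well."""
        count = 0
        for rec in self._refresh.values():
            if rec.user_id == user_id and not rec.revoked:
                rec.revoked = True
                count += 1
        for raw, (uid, _) in list(self._access.items()):
            if uid == user_id:
                del self._access[raw]
        return count

    def purge_expired(self) -> int:
        """Periodic cleanup of revoked or expired refresh records (section 7)."""
        now = self._now()
        dead = [h for h, rec in self._refresh.items() if rec.revoked or rec.expires_at <= now]
        for h in dead:
            del self._refresh[h]
        return len(dead)

    def stores_raw_refresh(self, raw_refresh: str) -> bool:
        """True only if the raw token string leaked into the table; should always be False."""
        return raw_refresh in self._refresh
```

Because each refresh token is looked up by digest and marked revoked before a replacement is issued, a captured refresh token that has already been used is rejected on the second presentation, which is the replay protection the policy describes; the digest lookup also means a database dump yields no usable refresh tokens.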

7. Data Retention

Account information and advertising operation records are retained for as long as the user account remains active. Upon account deletion, associated personal data is removed within 30 days, subject to any legal retention obligations.

Expired authentication tokens are purged from the database on a periodic basis. System logs are retained for a maximum of 90 days for security and diagnostic purposes, then deleted.

8. Cookies and Local Storage

The Platform uses the following client-side storage mechanisms:

  • auth_uid cookie: A non-sensitive session identifier used by the Platform's client-side routing to determine authentication state. It does not contain access tokens or personal data. Expires after 7 days or upon logout.
  • localStorage: Used to store the refresh token string locally for session persistence across page reloads. This value is cleared upon logout.

No third-party tracking cookies, analytics cookies, or advertising cookies are used by the Platform.

9. Your Rights

As a user of this Platform, you have the right to:

  • Access a copy of the personal data associated with your account.
  • Request correction of inaccurate personal information.
  • Request deletion of your account and all associated personal data.
  • Revoke TikTok OAuth authorization at any time, from either the Platform or your TikTok account settings.
  • Withdraw consent for data processing where consent is the legal basis.

To exercise any of these rights, contact the platform administrator at suporte@nexlahq.com.

10. International Data Transfers

The Platform is hosted and operated by the operating organization. Data may be transferred to and processed in jurisdictions outside your country of residence as required to operate the platform infrastructure and to interact with TikTok's API endpoints. Such transfers are conducted in compliance with applicable data protection requirements.

11. Children's Privacy

The Platform is intended exclusively for use by authorized adult personnel within the operating organization. We do not knowingly collect personal information from individuals under the age of 18. If we become aware that a minor has registered, the account will be terminated and all associated data deleted promptly.

12. Changes to This Policy

We reserve the right to update this Privacy Policy to reflect changes in our practices, technology, or applicable law. The "Last updated" date at the top of this page indicates the most recent revision. We will notify active users of material changes via email or in-platform notification. Continued use of the Platform after changes constitutes acceptance of the updated policy.

13. Contact

For questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please contact:

Platform Administrator

suporte@nexlahq.com