Data Processing

1. Processing Roles

Alley AI processes several categories of data in different legal roles. For account creation, billing, security, fraud prevention, and general service administration, Alley AI usually acts as the business or controller.

For certain business data that you connect or submit so we can operate the service on your behalf, such as TikTok Shop data, creator-outreach records, support records, and script materials, Alley AI generally acts as a service provider or processor that handles data according to your instructions and our service design.

2. Categories of Data Processed

• Account data: user identity, email address, customer ID, hashed password, 2FA settings, and session data.
• Billing data: Stripe customer IDs, subscription records, billing status, and invoice-related metadata.
• Connected-platform data: TikTok tokens, scopes, shop metadata, creator information, product data, order data, analytics, and finance-related records returned by TikTok APIs.
• User content: templates, queued outreach drafts, support messages, abuse reports, and script inputs and outputs.
• Operational records: outreach review state, pacing metadata, and seller-confirmed manual TikTok delivery records.

3. Processing Purposes

• Provide the Alley AI application and authenticated user access.
• Retrieve, display, and process data from connected TikTok services.
• Execute outreach draft queueing, export, billing, and support workflows requested by the user.
• Secure the platform, investigate abuse, and comply with legal obligations.

4. Subprocessors and Service Providers

Current categories of subprocessors or service providers used by Alley AI include:

• Stripe for subscription billing, customer billing portal access, and payment processing.
• Google for optional OAuth authentication.
• TikTok for authorized seller, creator, analytics, Login Kit identity, and TikTok Shop API workflows.
• Hosting and network providers for application hosting, traffic delivery, and operational storage.

This list may change as the service evolves. Contact us if you need the current subprocessor categories for vendor review purposes.

5. Retention and Deletion

Alley AI retains data only as long as reasonably necessary for service delivery, security, billing, dispute resolution, and legal compliance.

• Connected-platform tokens and metadata are retained until the integration is disconnected or the account is closed, subject to backups and logs.
• Creator-outreach drafts and templates are retained while needed for review history, support, abuse prevention, and account operation.
• Support records, abuse reports, and billing data may be retained longer where operationally or legally necessary.

6. Security and Confidentiality

Alley AI applies a mix of application, access-control, and operational safeguards, including password hashing, optional two-factor authentication, signed session handling, rate limiting, and encryption of selected sensitive secrets before database storage.

Access to customer data is limited to what is reasonably necessary to operate, support, secure, and improve the service.

7. International Transfers

Alley AI and its providers may process data in the United States or other jurisdictions where hosting, payments, and platform providers operate. If your organization requires transfer-specific contractual terms, contact us before or during onboarding.

8. Data Subject Requests and DPA Requests