TikToke Privacy Policy

INTRODUCTION

TikToke (the “Platform”, “we”, “us”, or “our”) recognizes the fundamental importance of privacy and is committed to the protection, confidentiality, and lawful processing of personal information in accordance with applicable Canadian privacy legislation, including but not limited to the Personal Information Protection and Electronic Documents Act (PIPEDA), the Consumer Privacy Protection Act where in force, and applicable provincial privacy statutes governing the collection, use, and disclosure of personal information by private-sector organizations. The Platform's privacy practices are designed to align with both the spirit and the letter of these instruments, and to provide individuals with meaningful clarity regarding how their information is handled at every stage of their interaction with our services.

This Privacy Policy describes, in comprehensive detail, the manner in which personal information is collected, generated, derived, used, disclosed, retained, secured, and ultimately disposed of when individuals access or interact with the Platform, including all associated services, digital experiences, engagement systems, gameplay surfaces, and ancillary functionality offered through the Platform's web, mobile, and embedded interfaces. It applies to every category of user — whether browsing anonymously, holding a registered account, or operating a verified store profile — and to every method of interaction, whether direct, indirect, automated, or initiated through third-party integrations operating in connection with the Platform.

By accessing or using the Platform in any manner, you acknowledge that you have read, understood, and agreed to the terms of this Privacy Policy in their entirety. Where you do not agree with any portion of this Policy, your sole remedy is to discontinue further use of the Platform; continued interaction with any feature, surface, or service of the Platform after the publication of this Policy constitutes ongoing acceptance of the terms then in force.

OPERATOR AND DOMAIN ROUTING

TikToke is operated by NetBics. NetBics may use related domains, including netbics.com, netbics.app, netbics.ca, TikToke regional domains, and other owned or authorized aliases, to route users to the appropriate service experience, detect approximate region, protect the service, and provide the appropriate app experience.

NetBics may in the future make netbics.app the primary app domain, with netbics.com forwarding to that app experience and netbics.ca or other regional domains supporting location-aware routing where appropriate. Where .ca or .com domains are used for region or IP-location routing, that routing is intended to be brief and functional, with users moved to the appropriate app surface as quickly as reasonably possible.

INFORMATION COLLECTION

In the ordinary course of operating the Platform, we may collect, generate, derive, infer, or otherwise process several distinct categories of personal information, all of which are limited to what is reasonably necessary for the purposes identified elsewhere in this Policy. The first category comprises identifying information voluntarily provided by users in the course of account creation, transaction completion, or support interactions, including but not limited to a user's full or display name, electronic mail address, telephone number, and any additional contact details supplied to facilitate account verification or service delivery.

The second category comprises location information, which may take the form of approximate geolocation derived from a device's Internet Protocol address, or precise positioning information obtained via the operating system's location services; the latter is collected only when the user has explicitly granted location permission through their device or browser. The third category is transactional and order-related data, which captures product selections, store interactions, cart activity, delivery-related events, and the chronological history of orders placed through or coordinated by the Platform. The fourth category is device and technical information, comprising browser type and version, operating system, device identifiers, screen characteristics, language preferences, and other network or hardware attributes that allow the Platform to render appropriately and to detect anomalous activity.

The fifth category covers behavioral and interaction data, which includes navigation patterns, feature usage, dwell time, click and scroll telemetry, and engagement metrics aggregated across sessions. The sixth category encompasses referral, rewards, and incentive-related data, including earned credits, redemption history, and participation in promotional programs operated through the Platform. The seventh category covers game-related data, encompassing in-game interactions, digital inventory, simulated economic events, and the behavioral simulations associated with engagement features. The eighth category is media submissions, including any images or other content uploaded for order verification, dispute resolution, or general platform interaction. The ninth and final category covers analytical and performance data, including server logs, diagnostic traces, error reports, and system-level telemetry retained for the purpose of operating and improving the service.

All information collected is limited strictly to what is reasonably necessary for the purposes identified herein, and no category of data is requested, retained, or processed beyond the scope reasonably required to operate the Platform as described in this Policy.

Session Location and Privacy Update Memory

TikToke may keep a current session location while you browse so the location pill, map, store ranking, product ranking, delivery estimates, and local carousel ordering use one consistent location source. If you create or sign in to an account, the current session location may be copied into your account as a default location, including city, province or state, country, approximate latitude/longitude where available, display label, source, consent state, timestamp, and stale/valid flags.

When TikToke publishes a privacy or terms update, the Platform may store versioned account-history events showing that the update was seen, cancelled, dismissed, or opened from a specific route/device context. These events are used to avoid showing the same update banner repeatedly to the same signed-in account and to preserve an audit trail of policy-version notices.

PURPOSE OF PROCESSING

Personal information processed through the Platform is used solely for legitimate operational, commercial, and compliance purposes, and only where there exists a lawful basis for such processing under applicable Canadian privacy legislation. Information is used, first and foremost, for the provision of core platform functionality, which includes cannabis discovery, store browsing, search and filtering, order coordination, account management, and the other engagement features that constitute the user-facing service.

Information is also used for the personalization of the user experience, including the operation of ranking systems, recommendation engines, priority placements, and contextual displays designed to surface relevant content while remaining mindful of the user's privacy interests. Information is processed to facilitate and coordinate user-initiated transactions with the independent store operators that use the Platform as a discovery and ordering channel, including the secure transfer of order parameters and the communication of relevant fulfillment events between the user and the relevant store. Information further supports the operation of simulation-based features intended to enhance perceived platform responsiveness and engagement, where such simulations are clearly delineated from real-world transactional state and disclosed in the relevant user-facing surfaces.

Information is processed for fraud detection, abuse prevention, and the enforcement of platform integrity, including the detection of automated, repetitive, or otherwise anomalous behavior that may compromise the safety or fairness of the service. Information supports the maintenance, optimization, and continuous improvement of system performance, the administration of referral systems and rewards programs, and the development and refinement of artificial-intelligence-assisted functionality used in connection with the Platform. Processing is conducted only where there is a lawful basis to do so, and no processing is undertaken for any purpose that has not been disclosed in this Policy or otherwise authorized by the user.

LOCATION DATA

Location data, where collected, is utilized for a narrow and clearly delineated set of operational purposes that directly support the user-facing functionality of the Platform. Location data is used to identify nearby stores and other relevant service providers based on the user's actual or approximate geographic position, ensuring that browsing, search, and discovery experiences are scoped to the user's local availability rather than presenting irrelevant or unreachable inventory. Location data is also used to calculate and progressively refine estimated delivery timelines presented in the user-facing order experience, including the upper-bound estimate displayed prior to driver assignment and the live-tracked estimate available once a driver has been matched and dispatch has commenced.

Location data further supports contextual filtering of product availability and recommendations, ensuring that age-, jurisdiction-, and stock-sensitive content is only surfaced where its display is appropriate and lawful. Where precise location access is denied, withheld, or otherwise unavailable, the user is required to manually select a geographic fallback — typically a Province, Territory, or municipality — in order to continue interacting with location-dependent areas of the Platform. Continued use of the Platform after declining precise location and selecting a manual fallback constitutes acceptance of this requirement and acknowledges that the resulting experience may differ in completeness or accuracy from a session with full location access. The Platform does not retain precise geolocation beyond the scope reasonably required to deliver the experience requested by the user, and aggregated or anonymized location signals derived from such data are subject to the same retention and security obligations described elsewhere in this Policy.

DISCLOSURE OF INFORMATION

We do not sell personal information. Where it is necessary to provide the services you request or to comply with our legal obligations, we may share limited information with verified store operators so they can fulfill your order, with payment processors where transactional features are enabled, with infrastructure and analytics providers that help us run the Platform, and with legal or regulatory authorities when the law requires it. In every case we share only what is needed for the specific purpose at hand, and only with parties bound by appropriate confidentiality and security obligations.

DATA RETENTION

We keep personal information only as long as we reasonably need it — to provide the services you use, to keep the Platform secure, and to comply with our legal obligations. Some categories of data, such as gameplay telemetry and short-term monitoring logs, are held only for a defined window and then deleted automatically. When information is no longer needed for the purposes for which it was collected, we either delete it or convert it into a form that no longer identifies you.

SECURITY MEASURES

We use commercially reasonable safeguards to protect your information. These include access controls and permission restrictions, encryption of data in transit, ongoing activity monitoring with anomaly detection, and automated abuse-detection systems that look for unusual or harmful patterns. No system can guarantee absolute security, but we take meaningful steps to reduce risk and to respond quickly if something goes wrong.

USER RIGHTS

Subject to applicable law and to the operational and legal limits described elsewhere in this Policy, users may exercise a number of rights with respect to the personal information that the Platform holds about them. Users may request access to the personal information associated with their account, in a form that allows them to understand what categories of data are held and the general purposes for which that data has been processed.

Users may request the correction of personal information that is inaccurate, incomplete, or out of date, and the Platform will make reasonable efforts to update the relevant records once the request has been verified. Users may request the deletion of their personal information, subject to the operational limitations imposed by ongoing transactions, anti-fraud holds, regulatory obligations, and any retention windows described in this Policy or required by applicable law. Users may modify their account preferences, communication settings, and personalization options through the in-product account interfaces, and may withdraw consent for optional categories of processing where such consent forms the lawful basis for that processing.

All requests are subject to reasonable verification procedures designed to confirm the identity of the requester and to prevent unauthorized changes to or disclosure of personal information; users may be asked to provide additional identifying information or to authenticate through an established account-recovery method before a request can be processed. The Platform endeavors to respond to verified requests within the timelines required by applicable Canadian privacy legislation, and will explain in writing the reason for any partial or denied response so that users may, where appropriate, seek further recourse with the relevant supervisory authority.

COOKIES AND TRACKING TECHNOLOGIES

The Platform uses cookies, browser local storage, session storage, and analogous client-side persistence technologies in order to maintain the functionality, performance, and personalization of the user experience across visits and across navigation events within a single session. Persistent and session cookies are used to maintain session continuity, allowing the Platform to recognize an authenticated user, remember accessibility and theme preferences, and avoid repeated prompts for routine consent or acknowledgment events.

Local storage and equivalent client-side stores are used to enhance performance and responsiveness — for example, to cache configuration objects so that subsequent renders do not incur an unnecessary network round-trip — and to personalize the user experience by retaining ephemeral preferences such as the selected display layout, the most recent location fallback, or transient filter selections. Certain analytical and operational cookies are used to support fraud prevention, abuse detection, and the measurement of feature usage in aggregate, and any third-party tracking technologies present on the Platform are constrained to the purposes disclosed in this Policy or in the relevant page-level notice.

Users may adjust their browser settings at any time in order to limit, restrict, or disable cookies and similar tracking mechanisms; however, doing so may degrade or disable certain elements of the Platform that depend on client-side persistence to function correctly, including authentication continuity and the retention of accessibility preferences. Where users are presented with a granular cookie or consent control, their selections are honored for the duration described in the relevant control surface, and users may revisit and update their selections at any time through the in-product settings interfaces.

POLICY UPDATES

This Privacy Policy may be amended from time to time to reflect operational changes, the introduction of new features, modifications to the legal or regulatory environment in which the Platform operates, or the evolution of accepted privacy practices within the broader industry. When a material amendment is published, the Platform will surface a clear in-product notification — typically in the form of a global banner that links directly to the updated Policy — so that users have a reasonable opportunity to review the changes before continuing to interact with affected functionality. Continued use of the Platform after the publication of an updated Policy constitutes the user's acceptance of the revised terms, and users who do not accept an updated Policy may discontinue use of the Platform; where applicable, account-deletion rights described in this Policy remain available subject to the operational and legal limits set out herein.

CONTACT

Inquiries regarding this Privacy Policy, requests to exercise the user rights described above, and correspondence concerning the Platform's privacy practices generally may be directed to the contact channels published on the Platform from time to time. Where a Platform user has been unable to resolve a privacy concern through these channels, that user may, in addition, seek recourse with the appropriate Canadian privacy supervisory authority, including the Office of the Privacy Commissioner of Canada or the equivalent provincial authority where applicable.

[ADMIN CONTACT TO BE CONFIGURED]

CAMERA, USER-GENERATED MEDIA, AND GENERATED 3D ASSETS

Certain features of the Platform may, with the user's prior permission, make use of the device camera to capture short videos that the user records of their own clothing or fit for the purpose of generating wearable digital items, avatar assets, or related fashion-oriented experiences offered through the Platform. Where such a feature is engaged, the camera is activated only after the user has been presented with a description of the use of the camera and has expressly granted browser-level camera permission, and the resulting video may begin recording immediately following the grant of that permission so that the capture experience proceeds without unnecessary delay.

In order to keep recordings reliable and to limit data loss in the event of a network interruption, video recorded through the Platform's capture features is transmitted to the Platform in short, sequential chunks while the recording is in progress; these chunks are stored on the Platform's infrastructure, may be reassembled into a single source video for review and processing purposes, and may be retained as part of the user's account history for the period reasonably required to operate the feature, to satisfy moderation and authenticity-review obligations, to support fraud prevention, and to comply with applicable record-keeping requirements. Footage submitted through these features may be reviewed for moderation, authenticity, safety, fraud prevention, and feature improvement, and may be processed by automated systems and by human reviewers acting under appropriate confidentiality and security obligations.

Where a generated 3D clothing or avatar asset is produced from submitted footage, that generated asset may be associated with the submitting user's account, including, where applicable, the user's profile, city, province, account history, and any in-product inventory or wearable systems offered by the Platform from time to time. Users are reminded that they should not record other people without the demonstrable permission of those people; that they should not include private documents, residential addresses, identifying details of minors, or sensitive background information in footage submitted to the Platform; and that the submission of any such material may result in moderation action, removal of the affected submission, or, in serious cases, suspension or termination of the associated account. Retention windows, admin review timing, and the operational rules that govern moderation of submitted footage are configurable through internal policy controls and may be adjusted from time to time to balance user privacy, platform integrity, and legal-compliance obligations.

BIOMETRIC EXCLUSION

The clothing-capture and avatar-generation features described elsewhere in this Policy are designed exclusively for the capture of clothing, fit, and fashion-oriented user-generated media, and for the generation of corresponding wearable digital items and avatar assets. These features do not perform face recognition, do not perform face matching against any reference template, do not perform identity verification or identity scoring on the basis of facial features, and do not extract or retain a biometric identifier capable of uniquely identifying a natural person from their facial geometry. The Platform does not introduce biometric identity claims into these features without a separate, explicit, and prior privacy and legal review, and any such change would be reflected in an updated version of this Policy before being made operationally available to users.