← Tuku home

Privacy Policy

Effective date: 25 May 2026

How Hiveknow Limited collects, uses, and protects personal data on the Tuku platform.

Hiveknow Limited (“Hiveknow”, “Tuku”, “we”, “us”, or “our”) operates the Tuku platform — a TikTok-native messaging automation platform for merchants in Southeast Asia, available at https://tuku.co. This Privacy Policy explains how we collect, use, share, and protect personal data in connection with the Services, and describes your rights in relation to that data.

This policy applies to: (a) Merchants — businesses and individuals who register for and use the Tuku platform; and (b) End Users — TikTok users (i.e., the merchants’ customers) whose data is processed through our platform on a merchant’s behalf.

Tuku operates in Thailand, Vietnam, and Indonesia. We apply data protection standards appropriate to the laws of each jurisdiction in which we operate, and comply with all applicable personal data protection legislation in the markets we serve.

1. Who We Are and How to Contact Us

The data controller for personal data relating to Merchants (and their authorised users) is Hiveknow Limited, incorporated in Hong Kong. Our registered address is Unit 1805, 18/F., Sterling Centre, 11 Cheung Yue Street, Lai Chi Kok, Hong Kong.

For personal data relating to End Users processed through the platform, Merchants act as data controllers and Hiveknow Limited acts as a data processor, processing data strictly on the Merchant’s instructions.

Our privacy contact and Data Protection Officer can be reached at:

  • Email: legal@tuku.co
  • Post: Data Protection Officer, Hiveknow Limited, Unit 1805, 18/F., Sterling Centre, 11 Cheung Yue Street, Lai Chi Kok, Hong Kong

2. Personal Data We Collect

2.1 Data We Collect About Merchants

When you register for and use Tuku, we collect the following categories of personal data (this list is illustrative, not exhaustive — as we add new features, we may collect additional data and will update this Policy accordingly):

Account and identity data

  • Name, business name, email address, phone number, and country;
  • Billing information including payment card details (processed by Stripe — we do not store full card numbers) and billing address;
  • TikTok account identifiers, including your TikTok user ID, username, and connected TikTok Shop account details;
  • Account credentials (passwords are stored in hashed form).

Usage and configuration data

  • Automation rules, messaging flows, and templates you configure in the platform;
  • Inbox messages (DMs and comments) that you access through our unified inbox;
  • Log data including IP address, device type, browser type, pages visited, features used, and timestamps;
  • Communications you send to our support team.

Financial and transactional data

  • Subscription tier, billing cycle, and payment history;
  • DM-to-GMV attribution data linking your sales to specific messaging interactions.

2.2 End User Data Processed on Behalf of Merchants

When merchants use our automation and platform features, we process the following categories of data relating to their TikTok customers. Additional categories may be processed as new features are released, and this Policy will be updated to reflect any material changes:

  • TikTok user identifiers (user IDs and usernames) of individuals who comment on or interact with merchants’ TikTok content;
  • The text content of public comments and direct messages between merchants and their customers;
  • Automated message content sent by the platform on behalf of merchants;
  • Interaction timestamps and engagement metadata;
  • TikTok Shop order and catalogue data where merchants have enabled TikTok Shop integration (where this feature is available).

We process End User Data solely on the instruction of and on behalf of Merchants. Merchants are responsible for ensuring they have a lawful basis for this processing.

Additional data as services evolve

As we introduce new features and integrations, we may collect additional categories of personal data. Where new processing activities are materially different from those described above, we will update this Privacy Policy and notify you in accordance with section 13.

2.3 Data From TikTok API

We access data through TikTok’s API under TikTok’s Developer Terms of Service. This includes:

  • TikTok account profile data for connected merchant accounts;
  • Content data (comments, DMs) as permitted by TikTok’s API;
  • TikTok Shop product and order data where merchants have authorised this access.

Data obtained from the TikTok API is used only for the purposes for which it was obtained and in compliance with TikTok’s data usage restrictions.

2.4 Data We Do Not Collect

We do not intentionally collect:

  • Special categories of personal data (e.g., health data, biometric data, racial or ethnic origin, religious beliefs, political opinions) from Merchants or End Users;
  • Personal data from children under 13 years of age (or the applicable age of digital consent in the relevant jurisdiction);
  • Full payment card numbers or banking credentials (these are handled by Stripe and never transmitted to our servers).

3. How We Use Personal Data

We use personal data for the purposes described below. As the Services evolve, we may process data for additional purposes that are compatible with the original purpose of collection. Where a new purpose is materially different, we will notify you and, where required by law, seek your consent:

PurposeData usedLegal basis
Providing and operating the ServicesAccount data, TikTok API data, usage dataPerformance of contract (PDPA: necessity for contract)
Processing payments via StripeBilling data, subscription informationPerformance of contract
Comment-to-DM automationEnd User data (comments, TikTok user IDs)Merchant’s instruction; legitimate interests
AI-powered message generationDM content, conversation historyLegitimate interests (service improvement)
DM-to-GMV attribution analyticsMessage interactions, TikTok Shop ordersLegitimate interests; performance of contract
Customer supportAccount data, support communicationsLegitimate interests
Security and fraud preventionLog data, IP addresses, account dataLegitimate interests; legal obligation
Product improvement (aggregated, anonymised)Usage data (anonymised)Legitimate interests
Legal and regulatory complianceAny data as requiredLegal obligation
New features and integrations (as released)Data relevant to the new featureContract, legitimate interests, or consent as applicable
Sending service and billing notificationsEmail address, billing dataPerformance of contract
Marketing (with opt-in)Email address, usage patternsConsent

For personal data of individuals in jurisdictions with data protection laws (including but not limited to Thailand’s PDPA), we process personal data on one or more of the following legal bases: (a) necessity for the performance of a contract; (b) compliance with a legal obligation; (c) our legitimate interests; or (d) your consent, as applicable to each processing activity described above.

4. Artificial Intelligence and Automated Processing

Tuku uses AI and machine learning to power features including automated message drafting, response suggestions, and conversation flow optimisation. You should be aware of the following:

  • AI-generated message suggestions are based on the context of your conversations and your configured templates. They are presented for human review and editing before sending, unless you have configured a fully automated flow.
  • We may use aggregated and anonymised data (not personally identifiable) to train and improve our AI models. We do not use individual merchants’ Merchant Data or End User Data to train our AI models without aggregating and anonymising it first.
  • No fully automated decisions with significant legal effects are made about End Users solely on the basis of automated processing through Tuku. Merchants are responsible for reviewing automated message content before use.
  • Use of AI Features is metered in credits and capped per Plan, subject to a fair use policy as described in our Terms of Service (sections 3.6 and 3.7). This metering does not create additional personal data beyond the conversation context already processed to generate the AI response.

5. How We Share Personal Data

5.1 Third-Party Service Providers

We share personal data with trusted third-party service providers who process data on our behalf and under our instructions:

  • Stripe, Inc.: payment processing for Subscription fees. Stripe has its own privacy policy and is PCI-DSS certified. We do not store full payment card data.
  • Cloud infrastructure providers (e.g., AWS, Google Cloud): hosting, storage, and processing of platform data in secure data centres.
  • AI model providers: for AI-powered messaging features, anonymised or pseudonymised data may be processed by AI infrastructure providers.
  • Analytics providers: aggregated and anonymised usage data for platform analytics and performance monitoring.
  • Email service providers: for transactional and service emails to Merchants.

All third-party processors are bound by data processing agreements and are required to process personal data only in accordance with our instructions.

5.2 TikTok

By connecting your TikTok account to Tuku, you authorise us to access and process TikTok API data on your behalf. This involves data flows between our platform and TikTok’s servers. Any data shared with TikTok as part of your use of TikTok’s platform is subject to TikTok’s Privacy Policy and Terms of Service.

5.3 Disclosure Required by Law

We may disclose personal data if required to do so by law, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend our rights or property; (c) prevent or investigate possible wrongdoing in connection with the Services; or (d) protect the personal safety of users of the Services or the public.

5.4 Business Transfers

In the event of a merger, acquisition, corporate restructuring, or sale of all or substantially all of our assets, personal data may be transferred to the acquiring entity, subject to equivalent privacy protections. We will notify affected parties of such a transfer and any material changes to this Privacy Policy.

5.5 No Sale of Personal Data

We do not sell, rent, or trade personal data to third parties for their own marketing or commercial purposes.

6. International Data Transfers

Hiveknow Limited is based in Hong Kong. We operate infrastructure in multiple regions and personal data may be transferred to and processed in countries other than the country in which it was originally collected, including Hong Kong, Singapore, and the United States (where cloud infrastructure providers operate data centres).

Where personal data of individuals in Thailand is transferred outside Thailand, we ensure that such transfers comply with the requirements of Thailand’s PDPA, including that appropriate safeguards are in place (such as standard contractual clauses, adequacy decisions, or equivalent mechanisms).

For cross-border data transfers, we apply appropriate safeguards consistent with applicable law in each jurisdiction, including standard contractual clauses or equivalent mechanisms where required. We keep our compliance approach up to date as data protection laws in the region evolve.

7. Data Retention

We retain personal data for as long as necessary to fulfil the purposes for which it was collected, to provide the Services, and to comply with our legal obligations. Our standard retention periods are:

Data typeRetention periodReason
Merchant account dataDuration of Subscription + 7 yearsLegal and tax compliance
Billing and payment records7 years from date of transactionAccounting and tax law
DM and comment content (inbox data)Plan-tiered retention: 12 months (Free), 24 months (Pro), 36 months (Enterprise), or duration of your Subscription, whichever is shorter. Content older than your Plan’s retention period is automatically purged. After termination, remaining content is retained for 60 days and then deleted.Service provision; plan entitlements
Media, files, and attachmentsSubject to the storage limit for your Plan (100 MB Free, 1 GB per 100 MAC Pro, 2 GB per 100 MAC Enterprise). Files become inaccessible once their associated conversation falls outside the applicable retention window.Service provision; storage capacity
Archived contact recordsUp to 12× / 24× / 36× your current MAC on Free / Pro / Enterprise plans respectively. Records exceeding the archive limit are purged on a rolling basis (oldest first).Service provision; plan entitlements
End User interaction logs12 months from date of interactionAnalytics; dispute resolution
TikTok API dataAs required by TikTok’s Developer Terms; deleted when account disconnectedTikTok API compliance
Security and access logs12 monthsSecurity monitoring
Support communications3 years from date of communicationLegal compliance; quality assurance

When data is no longer needed, we securely delete or anonymise it. If you close your Merchant Account, we will retain data for the periods above and then delete it.

8. Security

We implement industry-standard technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256);
  • Access controls limiting employee access to personal data on a need-to-know basis;
  • Regular security assessments and penetration testing;
  • Secure development practices including code review and vulnerability scanning;
  • Incident response procedures for detecting and responding to data breaches.

Despite these measures, no transmission over the internet or electronic storage system is 100% secure. We cannot guarantee absolute security. If we become aware of a security breach that is likely to result in risk to your rights and freedoms, we will notify you without undue delay in accordance with applicable law.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our web platform. Cookies are small text files stored on your device that help us operate and improve the Services.

9.1 Types of Cookies We Use

  • Essential cookies: necessary for the platform to function (e.g., session management, authentication). These cannot be disabled.
  • Preference cookies: remember your settings and preferences.
  • Analytics cookies: collect aggregated, anonymised information about how you use the platform (e.g., pages visited, features used) to help us improve the Services.
  • Security cookies: help detect and prevent fraudulent activity.

9.2 Managing Cookies

You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the platform. Where required by law, we will obtain your consent before placing non-essential cookies.

10. Your Data Rights

10.1 Rights Available to Merchants

Subject to applicable data protection law (including Thailand’s PDPA), you have the following rights in relation to personal data we hold about you:

  • Right of access: to receive a copy of the personal data we hold about you;
  • Right to rectification: to have inaccurate or incomplete data corrected;
  • Right to erasure: to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, subject to our legal retention obligations;
  • Right to data portability: to receive your personal data in a structured, machine-readable format;
  • Right to restriction: to request that we limit processing of your data in certain circumstances;
  • Right to object: to object to processing based on legitimate interests;
  • Right to withdraw consent: where processing is based on your consent, to withdraw it at any time without affecting the lawfulness of prior processing.

10.2 Rights of End Users

End Users who wish to exercise their data rights in relation to data processed through our platform should contact the Merchant (the data controller) directly. If you are an End User and are unable to reach the Merchant, you may contact us at legal@tuku.co and we will direct your request appropriately.

10.3 How to Exercise Your Rights

To exercise any of the rights above, please contact us at legal@tuku.co. We will respond within the timeframe required by applicable law (30 days under Thailand’s PDPA, with the possibility of extending for complex requests). We may need to verify your identity before processing your request. There is no charge for exercising your rights, though we may charge a reasonable fee for manifestly unfounded or excessive requests.

10.4 Right to Complain

If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction. In Thailand, this is the Personal Data Protection Committee (PDPC). We encourage you to contact us first so we can try to resolve your concern directly.

11. Children’s Privacy

The Services are designed for use by businesses and adult merchants and are not directed at children under 13 years of age (or the applicable age of digital consent in the relevant jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will delete it promptly. If you believe a child’s data has been submitted to us, please contact us at legal@tuku.co.

12. Third-Party Platforms and Links

Our Services integrate with TikTok and may contain links to other third-party platforms (including TikTok Shop and third-party payment pages). This Privacy Policy applies only to our Services. We are not responsible for the privacy practices of TikTok or any other third-party platform. We encourage you to review the privacy policies of any third-party services you use in connection with Tuku.

13. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Services. Where we make material changes, we will notify you by email or through an in-app notification at least 14 days before the changes take effect. The “Effective Date” at the top of this Policy indicates when it was last updated. Your continued use of the Services after the effective date of any update constitutes your acceptance of the revised Policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • Hiveknow Limited
  • Attn: Data Protection Officer
  • Unit 1805, 18/F., Sterling Centre, 11 Cheung Yue Street, Lai Chi Kok, Hong Kong
  • Email: legal@tuku.co
  • Website: https://tuku.co

This Privacy Policy is provided in English. In the event of a conflict with any translated version, the English version prevails.

Hiveknow Limited • https://tuku.co