Privacy Policy

Company: Paradigm Shift Multimedia LTD (trading as ilanoShop).

Company No.: 17048990.

Document Type: Privacy Policy Addendum.

Applies To: ilanoShop platform users, merchants, and TikTok Shop integration.

Effective Date: 1 March 2026.

Last Reviewed: 1 March 2026.

Next Review: 1 March 2027.

This addendum supplements the ilanoShop Privacy Policy published at ilanoshop.com/privacy. It provides additional detail required under the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), the California Privacy Rights Act (CPRA), and TikTok Shop's Data Security and Privacy Review (DSPR) requirements.

This addendum specifically covers:

• How ilanoShop processes data received via the TikTok Shop API integration.

• Data retention periods for all categories of personal data.

• The rights available to data subjects (merchants, buyers, and end users).

• International data transfers and the safeguards we apply.

• How to contact our designated privacy contact.

ilanoShop (operated by Paradigm Shift Multimedia LTD) acts as the data controller for personal data processed on the ilanoShop platform.

Data Controller: Paradigm Shift Multimedia LTD (trading as ilanoShop).

Registration: Company No. 17048990, registered in England & Wales.

Privacy Contact: privacy@ilanoshop.com.

Postal Address: United Kingdom.

For queries related to data protection, including exercising your rights or raising a complaint, please contact us at privacy@ilanoshop.com. We will respond within 30 days.

Note: Depending on the scale of processing, ilanoShop may be required to appoint a formal Data Protection Officer (DPO) under UK GDPR Article 37. This will be reviewed as the platform scales.

ilanoShop collects and processes the following categories of personal data:

Merchant Account Data: Name, email, business name, billing address. Purpose: Contract performance (UK GDPR Art. 6(1)(b)).

TikTok Shop Data: Order data, product listings, buyer info received via TikTok API. Purpose: Contract performance; legitimate interests (Art. 6(1)(b), 6(1)(f)).

Buyer/Customer Data: Name, delivery address, order history. Purpose: Fulfilling merchant orders (Art. 6(1)(b)).

Usage & Analytics: Page views, feature usage, session data. Purpose: Legitimate interests — platform improvement (Art. 6(1)(f)).

Payment Data: Processed by Stripe/Square; ilanoShop does not store card details. Purpose: Contract performance; processed by PCI-DSS compliant processors.

Communications: Support tickets, emails. Purpose: Legitimate interests — customer support (Art. 6(1)(f)).

Where ilanoShop integrates with the TikTok Shop API as a partner, the following specific commitments apply:

• Data minimisation: ilanoShop requests only the minimum API scopes necessary to deliver the service (order management, product syncing, inventory updates).

• Purpose limitation: TikTok Shop data received via the API is used solely to provide the ilanoShop platform service to the merchant. It is not used for advertising, sold to third parties, or processed for any purpose beyond the agreed service.

• Deletion on termination: When a merchant revokes ilanoShop's access to their TikTok Shop account, all associated TikTok-sourced personal data is deleted within 30 days.

• Sub-processors: TikTok-sourced data may pass through ilanoShop's cloud infrastructure provider. All sub-processors are bound by appropriate data processing agreements.

• No sharing: ilanoShop does not share TikTok Shop data with any third party except where required by law or to deliver the core service (e.g. payment processors for order fulfilment).

Personal data is retained only for as long as necessary to fulfil the original purpose of collection, or as required by applicable law.

Merchant account data: Duration of account + 6 years. Basis: Legal obligation (UK tax/contract law).

TikTok Shop order data: Duration of integration + 30 days after revocation. Basis: Contract performance; deleted on disconnection.

Buyer/customer data: Duration of merchant account + 6 years. Basis: Legal obligation (transaction records).

Support communications: 3 years from last contact. Basis: Legitimate interests.

Analytics/usage data: 13 months (rolling). Basis: Legitimate interests; industry standard.

Payment records: 7 years. Basis: UK HMRC legal requirement.

Security/audit logs: 12 months. Basis: Security monitoring, incident investigation.

After the relevant retention period expires, data is securely deleted or anonymised so that it can no longer be attributed to an individual.

Under UK GDPR, EU GDPR, and CPRA (where applicable), individuals have the following rights regarding their personal data:

Right to Access: Request a copy of the personal data we hold about you.

Right to Rectification: Request correction of inaccurate or incomplete data.

Right to Erasure: Request deletion of your data where there is no legitimate reason to continue processing it.

Right to Portability: Receive your data in a structured, machine-readable format.

Right to Restrict Processing: Ask us to pause processing your data in certain circumstances.

Right to Object: Object to processing based on legitimate interests or for direct marketing.

Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.

CPRA Rights (California): California residents also have the right to know, correct, delete, opt-out of sale/sharing, and limit use of sensitive personal information.

To exercise any of these rights, please contact: privacy@ilanoshop.com.

We will respond within 30 days. In complex cases, we may extend this by a further 60 days, in which case we will notify you. There is no charge for submitting a request.

ilanoShop is a UK-registered company. Data may be transferred to and processed in countries outside the UK and EEA, including the United States, in the following circumstances:

• Cloud infrastructure and hosting: ilanoShop uses cloud service providers whose infrastructure may be located outside the UK/EEA.

• Payment processing: Stripe Inc. (US) and Square (US) process payment data under their own privacy policies and are certified under applicable data transfer frameworks.

• TikTok Shop API: Data exchanged with TikTok's systems is subject to TikTok's own privacy policy and data transfer mechanisms.

For all international transfers, ilanoShop ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) adopted by the UK ICO (International Data Transfer Agreements — IDTAs) or equivalent mechanisms recognised under UK GDPR.

ilanoShop implements appropriate technical and organisational security measures including:

• Encryption of personal data in transit using TLS 1.2 or higher.

• Encryption of personal data at rest using AES-256.

• Tenant isolation ensuring each merchant's data is logically separated.

• Role-based access control (RBAC) restricting data access to authorised personnel only.

• Audit logging of all access to sensitive data.

• Multi-factor authentication (MFA) for administrative accounts.

• Regular vulnerability scanning and security reviews.

Full details of our security measures are available on our Security page at ilanoshop.com/security.

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the relevant supervisory authority:

• UK: Information Commissioner's Office (ICO) — ico.org.uk.

• EU: Your local data protection authority.

• California: California Privacy Protection Agency (CPPA) — cppa.ca.gov.

We would appreciate the opportunity to address your concerns directly before you contact a regulator. Please email privacy@ilanoshop.com in the first instance.

This addendum is reviewed at least annually, or whenever there is a material change to our data processing activities. The effective date at the top of this document indicates when it was last updated.

We will notify merchants of significant changes via email or a notice on the ilanoShop dashboard.