Halo Quokka Privacy Policy

Last Updated: April 28, 2026

Effective Date: April 1, 2026

Preamble

Halo Quokka is a social media and e-commerce data analytics platform (the "Service" or "Halo Quokka") operated by Echo Infinity Limited (a limited company duly incorporated and existing under the laws of the Hong Kong Special Administrative Region of the People's Republic of China, with its registered address at OFFICE 5, 8/F, MEGA CUBE, 8 WANG KWONG ROAD, KLN BAY, KOWLOON, HONG KONG, hereinafter referred to as "we", "us", or "our").

This Privacy Policy (the "Policy") explains how we collect, use, share, and protect your personal information when you use Halo Quokka's website, applications, or related services (collectively, the "Service"). Please read this Policy carefully before using the Service.

If you do not agree with any part of this Policy, please discontinue use of the Service. Your continued use of the Service constitutes your acknowledgment and acceptance of this Policy in its entirety.

This Policy applies to all users of the Service, including users located in Southeast Asia, the European Economic Area (EEA), the United Kingdom, the United States, Canada, Australia, and other jurisdictions.

Terminology Note: The terms "personal information" and "personal data" used in this Policy carry equivalent meaning, depending on the applicable law (such as the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Indonesia's Personal Data Protection Law (UU PDP), etc.), and refer to any information that can directly or indirectly identify a specific natural person.

1. Two Categories of Data Subjects Covered by This Policy

For clarity in describing our data practices, this Policy distinguishes between two categories of data subjects:

1.1 Platform Users (referred to as "you")

Individuals who register for or use Halo Quokka, or who use Halo Quokka on behalf of their organization. Platform users are typically brand marketers, marketing agencies, e-commerce teams, or individual operators.

1.2 Indexed Creators (referred to as "Creators")

Social media content creators whose publicly available TikTok profiles or public videos are aggregated, analyzed, and presented to Platform Users within the Service, sourced from TikTok or other public sources.

Important Note: We do not collect any private or non-public information about Creators. All data concerning Creators is sourced from information that Creators have voluntarily made publicly available on TikTok — including their public profile, video content, and other publicly displayed information.

2. Information We Collect

2.1 Information You Voluntarily Provide (Platform Users)

When you register an account, use the Service, or contact us, we may collect:

Account Information: email address, name, company name (optional), job title (optional), preferred language, password (stored in encrypted form — we cannot read it)
Authentication Information: invitation code (if applicable), registration time, last login time
Payment Information: if and when we offer paid services in the future, payments will be processed directly by third-party payment service providers (such as Stripe). We do not store your full credit card number.
Communications: feedback, inquiries, requests, and other content you submit through email, feedback forms, or other channels

2.2 Information Automatically Generated Through Your Use of the Service

Usage Logs: queries, feature usage records, API call records, and analysis report generation records within the Service
Technical Information: device type, browser type and version, operating system, IP address (stored in anonymized form in some scenarios), access timestamps, and access paths
Cookies and Similar Technologies: see Section 10 below

2.3 Information About Creators Aggregated from Public Sources

We aggregate publicly visible information about TikTok Creators through lawful data sources (including third-party data service providers), which may include:

Creator's public username, public user ID, public avatar, public bio (signature)
Publicly published videos and video metrics (view count, likes, comments, and other public engagement indicators)
Public comment content, hashtags, and topic participation
Contact information that Creators have voluntarily disclosed in their public bio (such as email addresses or instant messaging handles, if any)
Inferred information derived algorithmically from the above public data (such as audience estimates, performance metrics, content classification, etc.)

We do not collect any data that requires platform login authorization to access, nor any personal information that Creators have not actively made public.

2.4 Creator Contact Data — Our Specific Commitment

This subsection elaborates on our handling of contact information (email addresses, phone numbers) extracted from Creator public bios.

Core Principles — Our Commitment

Our handling of Creator contact data follows three principles, open to inspection by Creators and regulators alike:

Already Public Information: All contact details are voluntarily published by Creators in their own public TikTok bio (signature field). Any TikTok visitor — not just Halo Quokka users — can already see this data on the Creator's profile. We only structure and index it; we do not expand its visibility.

Strictly Limited Use: Contact data is visible only to authenticated Halo Quokka users (brands / marketing managers) for the explicit business purpose of initiating Creator collaborations on our platform. We do not sell, share with third parties, use for non-platform purposes, or enable any form of bulk outreach or spam.

Creators Always Retain Control: Creators can stop our processing at any time via either: (a) editing or removing the contact info from their TikTok bio — our next sync will auto-clear the corresponding fields; or (b) emailing us at privacy@haloquokka.com to request deletion. We will never obstruct or delay a Creator's request to control their personal data.

Implementation Details

Source: We extract email addresses and phone numbers from Creators' publicly displayed TikTok bio (signature field). All extracted data was already voluntarily published by the Creator and is visible to any TikTok visitor.
Purpose: To help Halo Quokka customers (brands / marketing managers) reach out to Creators for collaboration.
Storage: Only in the Halo Quokka backend database, in dedicated fields within the kols table.
Retention: Tied to the Creator's profile lifecycle. Will be cleared on next data sync if the Creator deletes or updates their TikTok bio.
Sharing: Contact data is visible only to authenticated Halo Quokka users; never sold, shared via public API, or used for non-platform purposes.
Export Restriction: Halo Quokka does not offer bulk CSV export of contact data in v1, to prevent secondary redistribution.
Deletion Requests: Creators may request removal via privacy@haloquokka.com. We respond within 7 business days.
Legal Basis: Indonesia UU PDP 2022 · EU GDPR Article 6(1)(f) (legitimate interests) and Article 17 (right to erasure) · Malaysia PDPA 2010.

3. How We Use Information

We may use the information we collect for the following purposes (the word "may" here indicates the complete list of potential uses; actual usage is determined by the Service's actual functionality):

Providing the Service: creating and managing your account, responding to your inquiries, providing creator data analytics and report generation features
Improving the Service: internal analysis of usage patterns to optimize product features, troubleshoot, and enhance performance
Security and Compliance: preventing fraud, abuse, and unauthorized access; complying with regulatory or legal requirements
Communicating with You: sending Service-related notifications (such as password resets, subscription expiry); responding to your feedback and inquiries
Exercising Our Legal Rights: protecting the Service and its users from unlawful use or harm
Complying with Applicable Laws: responding to legal process, government requests, or exercising legal rights

We will not use your personal information for marketing purposes unrelated to your use of the Service without your prior consent.

4. Legal Bases for Processing Personal Data (Applicable to Users Within GDPR Scope)

If you are located in the European Economic Area (EEA), the United Kingdom, or other regions where GDPR-equivalent laws apply, we process your personal data on the basis of one or more of the following legal bases:

4.1 Performance of a Contract (GDPR Article 6(1)(b))

To provide the Service to you and to fulfill our service agreement with you (such as creating your account or providing features included in your paid subscription).

4.2 Legitimate Interests (GDPR Article 6(1)(f))

To pursue the following legitimate interests, balanced against your individual rights and freedoms:

Aggregating and analyzing publicly available data of TikTok Creators — to provide market research and partnership decision support to brand marketers. We consider this processing necessary for a legitimate commercial information service. As Creators have voluntarily chosen to make their profiles public on TikTok, our processing of such public information falls within their reasonable expectations.
Maintaining Service security and preventing fraud
Internal statistics and product improvement

4.3 Legal Obligation (GDPR Article 6(1)(c))

To comply with laws, regulations, or regulatory requirements applicable to us.

4.4 Your Consent (GDPR Article 6(1)(a))

In specific scenarios where consent is required (such as marketing email subscriptions), we will explicitly obtain your consent. You have the right to withdraw such consent at any time.

4.5 Supplementary Note on the Legal Basis for Processing Creator Public Data

Regarding the processing of Creators' public data:

Creators have voluntarily made their profiles and content public on TikTok, allowing access by any third party
Pursuant to GDPR Article 14(5)(b), given the substantial number of Creators, providing individual notice to each indexed Creator would constitute disproportionate effort on our part
We fulfill our transparency obligations to Creators by publishing this Policy, providing convenient Creator data deletion request channels (see Section 8.3) and response mechanisms

5. Information Sharing

We may share your information with third parties only in the limited circumstances described below. We do not sell your personal information for purposes unrelated to the Service.

5.1 Service Providers (Data Processors)

We may rely on the following categories of third-party service providers to operate the Service. They may process limited information on our behalf, in accordance with our instructions and within the scope we specify:

Infrastructure and Hosting: providing database, authentication, file storage, web hosting, and content delivery
AI and Data Processing: for analyzing public TikTok content and automating processing
Public Data Acquisition: for aggregating creator and video information from public sources such as TikTok
Communication Services: for sending account- and Service-related emails
Security and Traffic Management: for rate limiting, caching, and abuse prevention

The above categories of service providers and the specific list may change as the Service evolves. We select service providers offering reasonable security safeguards and, where feasible, contractually require them to comply with data protection obligations. To request the most current list of specific service providers, please contact us at privacy@haloquokka.com.

5.2 Legal Requirements or Legal Process

We may disclose your information in the following circumstances:

In response to lawful and valid legal process (such as court orders, subpoenas, or government regulatory requests)
To protect the rights, property, or personal safety of us, you, or the public
To investigate, prevent, or respond to fraud, technical issues, or security incidents

5.3 Business Transfers

If Echo Infinity Limited is involved in a merger, acquisition, restructuring, sale of all or part of its assets, financing, or similar transaction, your information may be transferred as part of the relevant assets, provided that the transferee adheres to a level of protection no less than that set forth in this Policy.

5.4 Disclosures with Your Consent

Where required by law or in scenarios not expressly covered by this Policy, we will obtain your prior consent before disclosing your information to a third party.

5.5 Aggregated or Anonymized Information

We may share aggregated, anonymized, or de-identified information that cannot be used to identify you personally (for example, statistical descriptions such as "the Service completed X thousand creator queries this month").

6. How Long We Retain Information

We retain your personal information only for as long as necessary to fulfill the purposes described in this Policy, with reference to the following general principles:

During Account Activity: we retain your account information to provide the Service to you
After Account Deletion: we may retain minimized residual information (such as a hash of your email address) for a reasonable period to prevent abuse, fraud, fulfill legal obligations, or resolve disputes
Legal or Compliance Requirements: certain information (such as transaction and tax records) may be retained for longer periods as required by law
Logs and Usage Records: generally retained no longer than necessary for service operation, troubleshooting, and security audit purposes
Anonymized or Aggregated Data: may be retained indefinitely as it can no longer identify you personally

The above retention periods may be adjusted based on applicable law, business needs, or security considerations. To inquire about retention periods for specific categories of information, please contact privacy@haloquokka.com.

7. Cross-Border Data Transfers

As our service providers are located in multiple jurisdictions worldwide, your personal information may be transferred outside your country or region (including, but not limited to, our company's place of registration, the locations of our service providers, and other jurisdictions).

For data transfers from the European Economic Area, United Kingdom, or Switzerland to other jurisdictions, we will use one or more of the following mechanisms to provide a reasonable level of protection:

Countries covered by an "adequacy decision" recognized by the European Commission, the UK, or Swiss authorities
EU Standard Contractual Clauses (SCCs) or equivalent mechanisms
Other lawful transfer mechanisms recognized under applicable law

As we are a Hong Kong company with primary markets in Southeast Asia, Europe, and the Americas, by using the Service, you acknowledge and understand the existence of such cross-border transfers.

8. Your Rights

To the extent permitted by applicable law, you have one or more of the following rights regarding your personal information. Please note that the specific scope of rights depends on the law applicable to you (such as GDPR, UK GDPR, CCPA, Indonesia UU PDP, etc.). The following is a comprehensive list.

8.1 Rights of Platform Users

Right of Access: to request confirmation that we process your personal information and obtain a copy
Right to Rectification: to request correction of inaccurate or incomplete information
Right to Erasure: to request that we delete your personal information (within the scope permitted by applicable law)
Right to Restrict Processing: to request that we restrict the processing of your information in specific circumstances
Right to Object: to object to processing of your information based on legitimate interests
Right to Data Portability: where technically feasible, to receive your information in a structured, commonly used, machine-readable format
Right to Withdraw Consent: where processing is based on consent, you may withdraw consent at any time (without affecting the lawfulness of processing prior to withdrawal)
Right to Lodge a Complaint: to file a complaint with the data protection regulator in your country or region

8.2 Additional Rights for California Residents (CCPA / CPRA)

If you are a California resident, you have additional rights, including:

The right to know the categories and purposes of personal information we collect, use, and disclose
The right to request deletion of your personal information
The right to request correction of inaccurate personal information
The right to opt out of the "sale" or "sharing" of personal information — We declare: We do not sell your personal information within the meaning of "sale" under the CCPA
The right to limit the use of sensitive personal information
The right not to be discriminated against for exercising privacy rights

8.3 Creators' Rights (Important)

Even if you are not a Halo Quokka Platform User, if you are a TikTok Creator indexed by the Service, you also enjoy reasonable control over your personal information:

Deletion / Removal Request: you may request that we delete or hide your Creator profile from the Service
Access Request: you may request that we inform you which categories of public data about you we have indexed
Correction Request: you may request that we correct manifestly inaccurate information

How to Submit: send an email to privacy@haloquokka.com, with the subject "Creator Data Request", including your TikTok account unique identifier (user ID or username) and the content of your request. We will process your request within a reasonable time (typically within the period required by applicable law).

Verification: to prevent impersonated requests from infringing on Creators' rights, we may require reasonable identity verification (for example, sending the request from the email registered to your TikTok account, or temporarily adding a verification code we provide to your TikTok bio).

8.4 How to Exercise Your Rights

To exercise any of the above rights, please email privacy@haloquokka.com. We will respond to your request within the reasonable timeframe required by applicable law.

We may require verification information for necessary identity confirmation. We may, in specific circumstances and in accordance with applicable law, refuse or partially respond to requests (for example, where law requires us to retain related information). Where we refuse, we will explain our reasoning to you.

9. AI / Automated Processing

9.1 Use of AI in the Service

The Service may use third-party artificial intelligence service providers to assist with the following functions:

Analyzing public TikTok Creator content and generating descriptive reports
Identifying potential contact information and business collaboration intentions from public bios
Generating creator evaluations, campaign analytics, and other commercial supporting content

9.2 Statement on Your Data and AI

We do not use your personal information to train any public or third-party AI models
The AI services we use process related inputs only briefly during the course of providing the Service and return results
We have required, or will require, AI service providers not to use received data for training their own models (subject to the providers' terms)

9.3 Regarding Automated Decision-Making

The Service does not subject you or Creators to "decisions based solely on automated processing that produce legal effects or similarly significant effects on the data subject" within the meaning of GDPR Article 22. AI-generated analyses, evaluations, and recommendations are provided to Platform Users for reference only and do not constitute final decisions; any business decisions made based on AI output are made and the responsibility of the Platform User.

10. Cookies and Similar Technologies

We use necessary technical cookies to ensure the basic functionality of the Service, including but not limited to:

Maintaining your login session
Remembering your selected interface language
Security protection (such as preventing cross-site request forgery)

We currently do not integrate third-party advertising tracking cookies or third-party user behavior analytics tools (such as Google Analytics or Mixpanel). If we plan to introduce such tools in the future, we will update this Policy in advance and obtain your consent in jurisdictions where consent is required.

Most browsers allow you to manage or disable cookies, but disabling certain cookies may affect the proper functioning of the Service.

11. Children's Privacy

The Service is not directed to minors under the age of 16. We do not knowingly collect personal information from minors under 16.

If we become aware that we have collected personal information from a minor under 16, we will take reasonable steps to delete it. If you are the parent or guardian of a minor under 16 and believe your child has provided personal information to us without your consent, please contact privacy@haloquokka.com.

Regarding Indexed Creators: as TikTok already imposes minimum age requirements for Creators, and as we obtain data from public sources where it is technically difficult to independently verify the actual age of each Creator, we rely on the existing age mechanisms of social media platforms for age compliance verification. If you become aware through any channel that we have indexed data of a minor Creator, please contact us immediately and we will address the matter as soon as possible.

12. Data Security

We employ commercially reasonable administrative, technical, and physical security measures to protect your personal information from unauthorized access, use, modification, or disclosure. Such measures may include but are not limited to:

Encrypted transmission (HTTPS)
Encrypted storage (for some sensitive fields)
Access controls and permission isolation
Security logging and monitoring
Security compliance requirements for service providers

However, no method of transmitting or storing data over the internet or electronically is absolutely secure. We cannot guarantee that your information is absolutely secure under all circumstances. You assume the risks inherent in submitting information to us.

In the event of a security incident involving your personal information, we will notify you and the relevant regulatory authorities promptly as required by applicable law.

13. Changes to This Policy

We may revise this Policy from time to time. Where material changes occur, we will provide notice through prominent placement within the Service, by email, or by other reasonable means.

The revised Policy will apply to you from the effective date stated therein. Your continued use of the Service constitutes acceptance of the revised Policy. If you do not agree with the revised Policy, please discontinue use of the Service.

14. Governing Law and Jurisdiction

This Policy is governed by and construed in accordance with the laws of the Hong Kong Special Administrative Region. Any dispute related to this Policy shall first be resolved through amicable negotiation between the parties; failing which, it shall be submitted to the Hong Kong courts.

This clause does not affect any consumer protection rights you may have under the laws of your place of residence, nor your right to lodge a complaint with the regulator in your place of residence.

15. Contact Us

If you have any questions, comments, or wish to exercise your rights regarding this Policy, please contact us:

Data Protection Email: privacy@haloquokka.com
Company Name: Echo Infinity Limited
Registered Address: OFFICE 5, 8/F, MEGA CUBE, 8 WANG KWONG ROAD, KLN BAY, KOWLOON, HONG KONG

We will respond to your inquiries within a reasonable time.

Last Updated: April 28, 2026

Effective Date: April 1, 2026

About this Document: This English version is the official version of the Halo Quokka Privacy Policy. Internal Chinese and Indonesian translations may exist for reference; in case of any discrepancy between language versions, this English version shall prevail.