GDPR & Data Privacy

Our commitment

Trofeo LLC is committed to processing personal data responsibly and in compliance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent applicable privacy laws. This page is intended for our Partners — the publishers and app developers who integrate the Trofeo platform — and explains how we handle data protection in practice.

Our role under the GDPR

Trofeo operates as a Data Processor (Art. 28 GDPR). Our Partners are the Data Controllers.

This distinction matters:

Trofeo processes end-user data solely on behalf of and under the instructions of its Partners. Partners are responsible for ensuring they have the appropriate legal basis to collect and process their users' personal data.

What data we process

On behalf of our Partners, we may process the following categories of personal data relating to their end users:

• IP addresses (used for geo-targeting)
• User identifiers (anonymised IDs, email addresses, or similar references)
• Demographic and profile data (as provided by the Partner)
• Behavioural data (reward impressions, clicks, conversions)
• Survey and preference responses (where the Partner has enabled our questions feature)

We do not process special categories of personal data (Art. 9 GDPR) unless explicitly agreed upon and documented in a separate addendum to the DPA.

International data transfers

Our infrastructure runs on Amazon Web Services (AWS) in the United States (us-east-1). Data originating in the EEA or UK is transferred to the US under the following safeguards:

• EU-US Data Privacy Framework — AWS holds current DPF certification.
• Standard Contractual Clauses (2021) — incorporated into our AWS Data Processing Addendum.

Our DPA with Partners includes the relevant transfer mechanisms to cover any onward transfer of EEA/UK personal data.

Sub-processors

We maintain a current list of sub-processors in our Privacy Policy. Partners are notified in advance of any intended changes to our sub-processor list, providing sufficient time to object if warranted.

Security measures (Art. 32)

We implement and maintain appropriate technical and organisational measures, including:

• Encryption of data in transit (TLS 1.2 or higher) and at rest
• Role-based access controls and principle of least privilege
• Multi-factor authentication for access to production systems
• Regular review of access permissions, including offboarding procedures
• Error monitoring and alerting for anomalous behaviour
• Network access controls that restrict access to production systems to authorised traffic only
• Defined incident response and breach notification procedures

Data subject rights support

When Partners receive data subject requests (access, erasure, rectification, portability, restriction, objection), Trofeo will assist the Partner in fulfilling those requests within a reasonable timeframe, in accordance with our DPA obligations.

Partners should direct data subject requests to their own processes in the first instance. If assistance from Trofeo is required, contact privacy@trofeo.io.

Data Processing Agreement

All Partners who process personal data of individuals located in the EEA or the United Kingdom through the Trofeo platform are required to enter into a Data Processing Agreement with us. Our DPA covers:

• Subject matter and duration of processing
• Nature and purpose of processing
• Categories of personal data and data subjects
• Obligations and rights of the Controller
• Sub-processor management
• International transfer safeguards
• Security measures
• Breach notification procedures
• Return and deletion of data upon termination

To request or review our DPA, visit our DPA page or contact privacy@trofeo.io.

Contact

Trofeo LLC 10 Winthrop St., Rochester, New York 14607 privacy@trofeo.io