Privacy Policy

Last updated: April 2026

Who we are

Trofeo LLC ("Trofeo", "we", "us", "our") is a New York limited liability company with offices at 10 Winthrop St., Rochester, New York 14607. We operate a B2B rewards and promotions platform that enables publishers and app developers ("Partners") to deliver reward offers to their end users.

Questions about this policy: privacy@trofeo.io

What this policy covers

This Privacy Policy describes how Trofeo processes personal data in two distinct contexts:

  • Visitors to our website — when you browse trofeo.io
  • End users of our Partners' applications — when our platform processes data on behalf of a Partner

These two contexts involve different roles and obligations, as explained below.

1. Website visitors

When you visit our website, we may collect the following data:

  • IP address, browser type, pages visited, referrer URL, timestamps
    Purpose: Website operation, security, and analytics
    Legal basis: Legitimate interest
    Retention: 12 months
  • Name, email, company name (contact forms)
    Purpose: Responding to enquiries, follow-up communications
    Legal basis: Legitimate interest / pre-contractual steps
    Retention: Until the matter is resolved, or upon request

We use Google Analytics (via Google Tag Manager) to understand how visitors use our website. By continuing to use our website after accepting cookies, you consent to this use. You can withdraw consent at any time via the cookie settings banner.

We do not sell website visitor data or use it for advertising purposes.

2. End users of our Partners' applications

Trofeo acts as a Data Processor under the GDPR. Our Partners — the companies that integrate our platform into their products — act as Data Controllers.

Trofeo processes end-user data solely on behalf of and under the instructions of its Partners. Partners are responsible for ensuring they have the appropriate legal basis to collect and process their users' personal data.

Our relationship with each Partner is governed by a Data Processing Agreement (DPA). For more information, see our DPA page.

Data we may receive from Partners

  • IP address
    Purpose: Geo-targeting to serve regionally appropriate reward content
    Retention: In accordance with the applicable DPA
  • User identifier (anonymised ID, email, or similar)
    Purpose: User deduplication and reward attribution
    Retention: In accordance with the applicable DPA
  • Demographic and profile data (as provided by the Partner)
    Purpose: Eligibility filtering and personalisation of reward offers
    Retention: In accordance with the applicable DPA
  • Behavioural data (impressions, clicks, conversions)
    Purpose: Reward attribution, reporting, and billing
    Retention: In accordance with the applicable DPA
  • Survey and preference responses
    Purpose: Personalisation of reward offers, as instructed by the Partner
    Retention: In accordance with the applicable DPA

3. International data transfers

Our platform is hosted on Amazon Web Services (AWS) in the United States (us-east-1). Personal data originating in the European Economic Area (EEA) or the United Kingdom is therefore transferred to and processed in the United States.

We ensure the lawfulness of these transfers through:

  • EU-US Data Privacy Framework (DPF) — AWS is certified under the DPF.
  • Standard Contractual Clauses (SCCs) — our Data Processing Addendum with AWS incorporates the 2021 SCCs approved by the European Commission.

4. Sub-processors

We engage the following sub-processors, which process personal data in the course of providing their services:

  • Amazon Web Services (AWS)
    Purpose: Cloud infrastructure and hosting
    Location: USA
  • Cloudflare
    Purpose: Proxy, CDN, and security
    Location: USA
  • MaxMind
    Purpose: IP geolocation
    Location: USA
  • Rollbar
    Purpose: Error monitoring
    Location: USA
  • New Relic
    Purpose: Performance monitoring
    Location: USA
  • Redis Cloud (Redis Ltd.)
    Purpose: Cache and session management
    Location: USA
  • Bunny.net
    Purpose: Content delivery (CDN)
    Location: EU / USA
  • Better Stack
    Purpose: Log management and monitoring
    Location: USA / EU
  • Google LLC (Analytics, Tag Manager)
    Purpose: Website analytics
    Location: USA

All sub-processors are bound by contractual obligations consistent with GDPR requirements. This list is kept up to date and Partners are notified of material changes.

5. Data subject rights

If you are an end user of a Partner's application, your data rights (access, rectification, erasure, portability, restriction, objection) should be exercised with that Partner directly, as they are the Data Controller for your personal data. If you are unsure who the relevant Controller is, or if your request concerns data held directly by Trofeo, contact us at privacy@trofeo.io and we will assist or redirect your request.

If you are a visitor to our website, you may exercise any of the above rights by contacting privacy@trofeo.io.

6. Security

We implement technical and organisational measures appropriate to the risk, including encryption in transit (TLS 1.2 or higher) and at rest, access controls, and regular review of our security practices.

In the event of a personal data breach, we will notify affected Partners within 48 hours of becoming aware, so that Partners can fulfil their own notification obligations under applicable law.

7. Contact

Trofeo LLC
10 Winthrop St., Rochester, New York 14607
privacy@trofeo.io

If you are located in the EEA or UK and have unresolved concerns about our data practices, you have the right to lodge a complaint with your local data protection supervisory authority.

8. Changes to this policy

We may update this policy periodically. Material changes will be communicated to Partners directly. The "last updated" date above reflects the most recent revision.