Privacy Policy
Trepic, Inc. ("Trepic," "we," "us," "our") respects your privacy. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, the rights you have, and how to exercise them. It covers trepic.co, trepic.app, trepicstories.com, and any other website, product, email, or service that links to this policy (collectively, the "Services").
If you have any question or want to exercise your rights, contact us at privacy@trepic.co.
1. Quick summary
- We collect only what we need to evaluate signups, send transactional and marketing emails you've asked for, and run a small business.
- We do not sell your personal information. We do not share it for cross-context behavioral advertising.
- We do not run Google Analytics, Meta Pixel, LinkedIn Insight, or any third-party marketing tag on the public site.
- We use a small set of vendors (Vercel, Supabase, Resend, Cloudflare) to host the site, store form submissions, send email, and protect against abuse.
- You have rights — including access, correction, deletion, and opt-out — and we honor them under GDPR (EU/UK), CCPA/CPRA (California), LGPD (Brazil), PIPEDA (Canada), the Australia Privacy Act, and equivalent laws.
2. Information we collect
2.1 Information you give us
Waitlist form — your name, email, your role (traveler, creator, hotel/brand, or tourism board), and an optional referral code from a friend.
Creator application — your name, email, social handle(s), follower counts (if you choose to share them), niche, and free-text pitch.
Brand / hotel inquiry — property name, your name, email, phone (optional), region, property type, and a free-text message.
Privacy and data requests — when you exercise your rights, we collect the information you provide on the request form (type of request, email, message) to verify and respond.
2.2 Information collected automatically
Network metadata. When you submit a form, our servers temporarily process your IP address (passed by Cloudflare via X-Forwarded-For) for the sole purpose of rate-limiting abusive traffic. This IP is held only in volatile memory inside an in-process token bucket and is not persisted to our database.
Hosting and DNS logs. Vercel (our host) and Cloudflare (our DNS / edge proxy) maintain operational logs that may include IP addresses and request metadata, retained per their standard retention policies. We use these only for security, abuse mitigation, and operational debugging.
Cookies and similar storage. See § 6 and our Cookie Policy. The public marketing site sets no analytics or advertising cookies. The admin area sets a single strictly-necessary session cookie (trepic_admin).
Email engagement. When we send you an email, our provider (Resend) may record open and click events using a tracking pixel and link wrapping. You can request that we stop tracking your engagement at any time at privacy@trepic.co.
2.3 Information we do not collect
We do not collect government identifiers, payment card numbers, precise geolocation, biometric data, health data, sexual-orientation data, or any "sensitive personal information" as defined by CCPA/CPRA, unless you voluntarily include it in a free-text field. We discourage you from doing so.
3. How we use your information
| Purpose | Why |
|---|---|
| Process your waitlist signup, generate a referral code, and place you in queue | Honor your request to join the waitlist |
| Evaluate creator and brand applications | Decide whether to invite you to the platform |
| Send confirmation emails and account messages | Deliver the service you requested |
| Send marketing emails about Trepic launches and updates (only if you signed up to hear from us) | Keep you informed; you can unsubscribe at any time |
| Rate-limit form submissions, detect abuse, prevent fraud | Keep the site safe |
| Comply with legal obligations and respond to lawful requests | Required by law |
| Aggregate, anonymize, and analyze trends | Understand which messages and channels are working |
4. Legal bases (EEA, UK, Switzerland)
We rely on one or more of the following bases under Article 6 of the GDPR:
- Consent (Art. 6(1)(a)) — when you submit a form to join the waitlist or apply as a creator or partner. You can withdraw consent at any time.
- Performance of a contract / pre-contractual steps (Art. 6(1)(b)) — evaluating an application or partnership inquiry.
- Legitimate interests (Art. 6(1)(f)) — security, abuse prevention, service improvement. We balance these against your rights.
- Legal obligation (Art. 6(1)(c)) — responding to data-subject requests and lawful regulatory or government requests.
We do not knowingly process special-category data; if you submit any in a free-text field, our basis is your explicit consent (Art. 9(2)(a)).
5. How we share your information
5.1 Sub-processors / service providers
| Vendor | Role | Location |
|---|---|---|
| Vercel, Inc. | Hosting and serverless function execution | USA |
| Supabase, Inc. | Database (Postgres) | USA |
| Resend, Inc. | Transactional and marketing email delivery | USA |
| Cloudflare, Inc. | DNS, edge proxy, bot mitigation | USA / global edge |
Each vendor processes personal information only on our written instructions, under contractual confidentiality and security obligations, and may not use your data for their own purposes.
5.2 Business transfers
If Trepic is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your personal information may be transferred. We will notify you and give you a meaningful choice where required by law.
5.3 Legal and safety
We may disclose information when we believe in good faith that disclosure is required by law, court order, or governmental request, or is necessary to protect the rights, property, or safety of Trepic, our users, or the public.
5.4 We do not sell or "share" your data
We do not sell your personal information for money. We do not "share" your personal information for cross-context behavioral advertising as those terms are defined under California's CPRA. We have not done so in the preceding twelve months and have no plans to start.
6. International data transfers
All four of our PII-touching sub-processors are headquartered in the United States. If you are located in the EEA, UK, Switzerland, or another jurisdiction whose laws restrict transfers to the US, we rely on the European Commission's Standard Contractual Clauses (Modules 2 and 3, as applicable) and additional safeguards including TLS encryption in transit, AES-256 at rest, and access controls. A copy of the SCCs is available on request.
7. Cookies and tracking
The public marketing site (trepic.co) sets no analytics, advertising, or third-party tracking cookies. The only cookie-equivalent storage we use is a single localStorage entry recording your cookie-banner choice (trepic_cookie_consent_v1). The admin dashboard at /admin/, used by our internal staff only, sets a strictly-necessary HMAC-signed session cookie (trepic_admin).
For full detail see our Cookie Policy.
8. How long we keep your information
| Record | Retention |
|---|---|
| Waitlist signups | Until product launch + 12 months, then deleted or anonymized |
| Creator applications — pending or rejected | Up to 24 months |
| Creator applications — accepted | Duration of partnership + 12 months |
| Brand inquiries — open | Up to 24 months |
| Brand inquiries — converted | Duration of partnership + 12 months |
| Email engagement logs | Up to 24 months |
| Privacy-request records | 24 months from completion |
| Admin session cookies | 24 hours |
| Rate-limit IP buffers (in-memory only) | ≤ 60 minutes |
You can ask us to delete your information at any time, subject to limited exceptions (for example, where we must keep records to comply with law).
9. Your rights
9.1 GDPR (EEA, UK, Switzerland)
You have the right to: access the data we hold about you; rectify inaccurate data; request erasure; restrict or object to processing; data portability; withdraw consent at any time; and lodge a complaint with your supervisory authority (e.g., the UK ICO, the Irish DPC, the French CNIL).
9.2 California (CCPA / CPRA)
California residents have the right to: know what personal information we collect, use, disclose, and (would) sell or share; delete personal information we hold; correct inaccurate information; opt out of the sale or sharing of personal information (we do neither); limit use of sensitive personal information (we do not collect any); and non-discrimination for exercising these rights.
You may submit a "Do Not Sell or Share My Personal Information" request at /dnsmpi/ even though we do not sell or share — it is honored either way. You may use an authorized agent.
9.3 Brazil (LGPD)
Data subjects in Brazil have the right to: confirmation of processing and access; correction of incomplete, inaccurate, or outdated data; anonymization, blocking, or deletion of unnecessary or non-compliant data; portability; deletion of data processed with consent; information about entities with whom we have shared data; information about the option to refuse consent; and to revoke consent.
9.4 Canada (PIPEDA)
You may request access to your personal information, challenge its accuracy, and ask us to correct it.
9.5 Australia (Privacy Act 1988)
You may request access to and correction of your personal information held by us under Australian Privacy Principles 12 and 13.
9.6 How to exercise your rights
Email privacy@trepic.co or use the form at /dnsmpi/. We will verify your identity (typically by replying to the email address on file) and respond within 30 days. There is no charge for reasonable requests.
10. Children
The Services are not directed to children. We do not knowingly collect personal information from anyone under 16. If you believe we have collected information from a child under 16, contact us and we will delete it.
11. Security
We use commercially reasonable administrative, technical, and physical safeguards to protect personal information, including TLS in transit, AES-256 at rest, HMAC-signed session cookies, server-side input validation, per-IP rate limiting, a strict Content-Security-Policy, and least-privilege access controls. No system can guarantee absolute security.
12. Changes to this policy
If we make material changes, we will post the updated policy here, update the "Last updated" date, and (where required) notify you by email or via a prominent notice on the site at least 14 days before the change takes effect.
13. Contact
Trepic, Inc.
Privacy contact: privacy@trepic.co
If you are in the EEA or UK and we have not designated a local representative, you may direct correspondence to the same address pending designation.