Privacy Policy
This Privacy Policy explains how Treffix Inc. collects, uses, stores, and protects your personal data when you use the Treffix platform. We are committed to being transparent about our data practices.
1. Introduction
Treffix Inc. ("Treffix", "we", "us", or "our") operates the Treffix platform, a performance-based creator marketing marketplace. This Privacy Policy applies to all data collected through the Treffix website, web application, APIs, and any related services (collectively, the "Platform").
By creating an account or using the Platform, you consent to the data practices described in this policy. This policy is incorporated into our Terms of Service.
We do not sell, rent, or trade your personal data to third parties for advertising or marketing purposes.
2. Data We Collect
2.1 Account Data
When you create a Treffix account, we collect:
- First name and last name
- Email address
- Password (stored in hashed, encrypted form via Supabase Auth — we never have access to your plaintext password)
- Account type (creator or brand)
- Company name (brand accounts only)
2.2 TikTok Integration Data
When you connect your TikTok account to Treffix (creators only), we collect and store:
- TikTok open_id (a unique identifier assigned by TikTok to your account within our application)
- TikTok display name and username
- TikTok OAuth access token and refresh token
- View counts for specific TikTok videos you submit as part of campaign participation
Important: We store your TikTok OAuth access token and refresh token in our database. These tokens are required to enable automated, ongoing view count synchronization during campaign earning windows. We use these tokens only for the purpose of fetching view counts on submitted campaign videos. We do not access your TikTok messages, followers list, contact list, or any content beyond what is necessary for view verification.
2.3 Campaign & Activity Data
Through normal Platform use, we collect:
- Brands: Campaign briefs, budgets, payout structures, requirements, tone guidelines, hashtag specifications, and campaign status history
- Creators: Video submission URLs, TikTok video IDs, submission timestamps, performance data (view counts over time), payout amounts earned
- All users: Transaction history, dispute and appeal records, account activity logs
2.4 Payment Data
Payment processing is handled by Stripe, Inc. Treffix does not store, process, or have access to credit card numbers, bank account numbers, or full payment credentials. Stripe collects and processes payment data directly, subject to Stripe's own Privacy Policy. We do store: transaction amounts, transaction status, payout records, and references to Stripe transaction IDs for accounting and legal compliance purposes.
2.5 Technical Data
Through your use of the Platform, our infrastructure providers may collect standard technical data including:
- IP address and approximate geographic location
- Browser type, version, and device information
- Pages visited and actions taken within the Platform
- Session timestamps and duration
This data is collected by Supabase (our infrastructure provider) as part of normal database and authentication operation. It is used for security, fraud prevention, and platform stability.
3. How We Use Your Data
We use the data we collect for the following purposes:
- Platform operation: To authenticate your account, provide platform features, and facilitate campaigns and payouts
- View verification: To use your stored TikTok OAuth tokens to fetch view count data from the TikTok API for submitted campaign videos
- Fraud detection: To analyze view count patterns and identify potentially fraudulent activity using our proprietary detection systems
- Payment processing: To process campaign launch fees and creator payouts through Stripe
- Dispute resolution: To investigate and resolve disputes and appeals using submission and activity data
- Transactional communications: To send account-related emails such as payout confirmations, campaign updates, and security alerts
- Legal compliance: To meet tax reporting obligations, respond to lawful requests from authorities, and enforce our Terms of Service
- Platform improvement: To understand how the Platform is used and improve its features and performance
Under GDPR, our legal bases for processing are:
- Contract performance: Processing necessary to provide the Platform services you signed up for (account data, campaign data, TikTok tokens, payouts)
- Legitimate interests: Fraud detection, platform security, abuse prevention
- Legal obligation: Tax records, regulatory compliance, responding to lawful requests
- Consent: Where we explicitly request consent (e.g., marketing communications, if introduced in the future)
4. Third-Party Services & Data Sharing
4.1 TikTok / ByteDance Ltd.
We use the TikTok Open API to authenticate creator accounts and retrieve video performance data. When you connect your TikTok account, OAuth token exchange occurs directly with TikTok's servers. TikTok's collection and processing of your data during this process is governed by TikTok's Privacy Policy. We do not sell or share your TikTok data with any party other than TikTok as required for API functionality.
4.2 Stripe, Inc.
All payment processing is handled by Stripe. When processing payments, we share with Stripe: your name, email address, transaction amounts, and payout destination information. Stripe's data practices are governed by Stripe's Privacy Policy. If you are a creator receiving payouts, you may need to create a Stripe Connected Account, subject to Stripe's Connected Account Agreement.
4.3 Supabase, Inc.
Treffix uses Supabase for database storage, authentication, and file storage infrastructure. All Platform data (account data, campaign data, transaction records) is stored on Supabase-managed servers. Supabase's data practices are governed by Supabase's Privacy Policy.
4.4 Legal Disclosure
We may disclose your personal data if required to do so by law, court order, or governmental authority, or if we reasonably believe disclosure is necessary to: (a) comply with applicable law; (b) protect the rights, property, or safety of Treffix, our users, or the public; or (c) enforce our Terms of Service.
4.5 Business Transfers
In the event of a merger, acquisition, sale of assets, or reorganization of Treffix, your personal data may be transferred to the acquiring entity. We will notify registered users via email before such a transfer takes effect and provide an opportunity to delete your account.
4.6 No Data Selling
Treffix does not sell, rent, lease, or otherwise trade your personal data to any third party for marketing, advertising, or commercial purposes.
5. Data Retention
We retain your data for the following periods:
- Account data (name, email, account type): Retained for the lifetime of your account, plus 2 years after account deletion (for legal audit purposes)
- TikTok OAuth tokens (access & refresh tokens): Deleted immediately when you revoke TikTok access or delete your Treffix account
- Transaction and payout records: Retained for 7 years from the date of the transaction (tax and financial compliance requirements)
- Video submission data: Retained for 2 years after the relevant campaign ends
- Campaign briefs and data: Retained for 2 years after campaign end
- Dispute and appeal records: Retained for 3 years from resolution date
After the applicable retention period, data is deleted or anonymized in accordance with our internal data lifecycle policies.
6. Your Privacy Rights
6.1 GDPR Rights (EEA / UK Residents)
If you are located in the European Economic Area or United Kingdom, you have the following rights:
- Right of access: Request a copy of all personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete personal data
- Right to erasure ("right to be forgotten"): Request deletion of your personal data, subject to our legal retention obligations
- Right to data portability: Request your personal data in a structured, machine-readable format
- Right to restrict processing: Request that we limit how we use your data in certain circumstances
- Right to object: Object to processing of your personal data where we rely on legitimate interests as our legal basis
- Right to withdraw consent: Where processing is based on consent, withdraw that consent at any time
You also have the right to lodge a complaint with your national data protection authority (e.g., the Dutch Autoriteit Persoonsgegevens, or the ICO in the UK).
6.2 CCPA Rights (California Residents)
If you are a California resident, you have the right to:
- Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the purposes for collection, and the categories of third parties with whom we share it
- Delete: Request deletion of your personal information, subject to legal exceptions
- Opt-out of sale: Treffix does not sell personal information. We will not begin selling your information without providing a clear opt-out mechanism
- Non-discrimination: We will not discriminate against you for exercising your CCPA rights
6.3 How to Exercise Your Rights
To exercise any of the above rights, email us at privacy@treffix.com with the subject line "Privacy Rights Request". We will respond within 30 days (GDPR) or 45 days (CCPA) of receiving your request. We may ask you to verify your identity before fulfilling the request.
7. Cookies & Tracking
7.1 Session Cookies
We use session cookies that are strictly necessary for authentication and maintaining your logged-in state. These cookies are required for the Platform to function and cannot be disabled.
7.2 What We Do Not Use
Treffix currently does not use:
- Third-party advertising or tracking cookies
- Analytics platforms (Google Analytics, Mixpanel, Segment, etc.)
- Social media tracking pixels
- Fingerprinting or cross-site tracking technologies
If we introduce any non-essential cookies in the future, we will update this policy and implement a cookie consent mechanism.
8. Data Security
We implement appropriate technical and organizational security measures to protect your personal data:
- Encryption in transit: All data transmitted between your browser and Treffix's servers is encrypted using HTTPS/TLS
- Access controls: Supabase Row Level Security (RLS) policies ensure that users can only access their own data. Administrative access is restricted to authorized Treffix personnel
- Password security: Passwords are hashed using industry-standard algorithms via Supabase Auth. Plaintext passwords are never stored or transmitted
- TikTok token storage: OAuth tokens are stored in our database and used only for view verification. We recommend revoking TikTok access through TikTok's settings if you believe your tokens may have been compromised
Despite these measures, no data transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security of your data. In the event of a data breach that affects your rights and freedoms, we will notify affected users and relevant supervisory authorities in accordance with applicable law.
9. International Data Transfers
Treffix is based in the Netherlands. Your data may be processed and stored in data centers located within the European Economic Area. Our infrastructure providers (Supabase, Stripe, TikTok) may process data in locations outside the EEA. Where data is transferred outside the EEA, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries with an adequacy decision.
10. Children's Privacy
The Treffix Platform is intended exclusively for users who are 18 years of age or older. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have inadvertently collected data from a minor, we will delete that account and all associated data immediately. If you believe a minor has registered on the Platform, please contact us immediately at privacy@treffix.com.
11. Third-Party Links
The Platform may contain links to third-party websites (e.g., TikTok, Stripe). This Privacy Policy applies only to the Treffix Platform. We are not responsible for the privacy practices of third-party sites and encourage you to review their privacy policies before providing any personal data.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform features. For material changes, we will notify registered users via email at least 14 days before the changes take effect. The effective date at the top of this page will always reflect the date of the most recent update.
13. Contact & Data Requests
For any questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern:
- Privacy requests: privacy@treffix.com (subject: "Privacy Rights Request")
- Legal inquiries: legal@treffix.com
- GDPR data subject requests: we respond within 30 days
You also have the right to file a complaint with your national supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens.