Privacy Policy
This Privacy Policy explains how Lucyd B.V. (operating as Treffix) collects, uses, stores, and protects your personal data when you use the Treffix platform. We are committed to being transparent about our data practices.
1. Introduction
Lucyd B.V. (operating as Treffix) ("Treffix", "we", "us", or "our") operates the Treffix platform, a performance-based creator marketing marketplace. This Privacy Policy applies to all data collected through the Treffix website, web application, APIs, and any related services (collectively, the "Platform").
By creating an account or using the Platform, you consent to the data practices described in this policy. This policy is incorporated into our Terms of Service.
We do not sell, rent, or trade your personal data to third parties for advertising or marketing purposes.
2. Data We Collect
2.1 Account Data
When you create a Treffix account, we collect:
- First name and last name
- Email address
- Password (stored in hashed, encrypted form via Supabase Auth — we never have access to your plaintext password)
- Account type (creator or brand)
- Company name (brand accounts only)
2.2 TikTok Integration Data
When you connect your TikTok account to Treffix (creators only), we collect and store:
- TikTok open_id (a unique identifier assigned by TikTok to your account within our application)
- TikTok display name and username
- TikTok OAuth access token and refresh token
- View counts for specific TikTok videos you submit as part of campaign participation
Important: We store your TikTok OAuth access token and refresh token in our database. These tokens are required to enable automated, ongoing view count synchronization during campaign earning windows. We use these tokens only for the purpose of fetching view counts on submitted campaign videos. We do not access your TikTok messages, followers list, contact list, or any content beyond what is necessary for view verification.
2.3 Instagram Integration Data
When you connect your Instagram account to Treffix (creators only), we collect and store:
- Instagram user ID (a unique identifier for your Instagram Professional account)
- Instagram username
- Instagram long-lived OAuth access token (valid approximately 60 days, automatically refreshed)
- Instagram media IDs and permalinks for Reels you submit as part of campaign participation
- View counts and engagement metrics (views, likes, comments, shares) for submitted Reels, fetched via the Instagram API
Important: We request only two Instagram permissions: instagram_business_basic (to identify your account) and instagram_business_manage_insights (to read view counts on your submitted Reels). We do not access your Instagram messages, followers list, stories (unless submitted to a campaign), or any content beyond what is necessary for campaign performance verification.
Your Instagram account must be a Professional account (Business or Creator type) to connect to Treffix. Personal Instagram accounts cannot be connected due to Instagram API restrictions.
2.4 Campaign & Activity Data
Through normal Platform use, we collect:
- Brands: Campaign briefs, budgets, payout structures, requirements, tone guidelines, hashtag specifications, and campaign status history
- Creators: Video submission URLs, TikTok video IDs, Instagram Reel permalinks and media IDs, submission timestamps, performance data (view counts over time), payout amounts earned
- All users: Transaction history, dispute and appeal records, account activity logs
2.5 Payment Data
Payment processing is handled by Stripe, Inc. Treffix does not store, process, or have access to credit card numbers, bank account numbers, or full payment credentials. Stripe collects and processes payment data directly, subject to Stripe's own Privacy Policy. We do store: transaction amounts, transaction status, payout records, and references to Stripe transaction IDs for accounting and legal compliance purposes.
2.6 Technical Data
Through your use of the Platform, our infrastructure providers may collect standard technical data including:
- IP address and approximate geographic location
- Browser type, version, and device information
- Pages visited and actions taken within the Platform
- Session timestamps and duration
This data is collected by Supabase (our infrastructure provider) as part of normal database and authentication operation. It is used for security, fraud prevention, and platform stability.
3. How We Use Your Data
We use the data we collect for the following purposes:
- Platform operation: To authenticate your account, provide platform features, and facilitate campaigns and payouts
- TikTok view verification: To use your stored TikTok OAuth tokens to fetch view count data from the TikTok API for submitted campaign videos
- Instagram view verification: To use your stored Instagram OAuth token to fetch view count and engagement data from the Instagram API for submitted campaign Reels
- Fraud detection: To analyze view count patterns and identify potentially fraudulent activity using our proprietary detection systems
- Payment processing: To process campaign launch fees and creator payouts through Stripe
- Dispute resolution: To investigate and resolve disputes and appeals using submission and activity data
- Transactional communications: To send account-related emails such as payout confirmations, campaign updates, and security alerts
- Legal compliance: To meet tax reporting obligations, respond to lawful requests from authorities, and enforce our Terms of Service
- Platform improvement: To understand how the Platform is used and improve its features and performance
Under GDPR, our legal bases for processing are:
- Contract performance: Processing necessary to provide the Platform services you signed up for (account data, campaign data, TikTok and Instagram tokens, payouts)
- Legitimate interests: Fraud detection, platform security, abuse prevention
- Legal obligation: Tax records, regulatory compliance, responding to lawful requests
- Consent: Where we explicitly request consent (e.g., marketing communications, if introduced in the future)
4. Third-Party Services & Data Sharing
4.1 TikTok / ByteDance Ltd.
We use the TikTok Open API to authenticate creator accounts and retrieve video performance data. When you connect your TikTok account, OAuth token exchange occurs directly with TikTok's servers. TikTok's collection and processing of your data during this process is governed by TikTok's Privacy Policy. We do not sell or share your TikTok data with any party other than TikTok as required for API functionality.
4.2 Meta Platforms / Instagram
We use the Instagram API (via Instagram Login) to authenticate creator accounts and retrieve Reel performance data. When you connect your Instagram account, OAuth token exchange occurs directly with Meta's servers. Meta's collection and processing of your data during this process is governed by Meta's Privacy Policy and Instagram's Terms of Use. We do not sell or share your Instagram data with any party other than Meta as required for API functionality.
When you disconnect your Instagram account from Treffix, we immediately delete your Instagram access token, user ID, and username from our database. You can also revoke access from Instagram's Settings → Website permissions.
4.3 Stripe, Inc.
All payment processing is handled by Stripe. When processing payments, we share with Stripe: your name, email address, transaction amounts, and payout destination information. Stripe's data practices are governed by Stripe's Privacy Policy. If you are a creator receiving payouts, you may need to create a Stripe Connected Account, subject to Stripe's Connected Account Agreement.
4.4 Supabase, Inc.
Treffix uses Supabase for database storage, authentication, and file storage infrastructure. All Platform data (account data, campaign data, transaction records) is stored on Supabase-managed servers. Supabase's data practices are governed by Supabase's Privacy Policy.
4.5 Legal Disclosure
We may disclose your personal data if required to do so by law, court order, or governmental authority, or if we reasonably believe disclosure is necessary to: (a) comply with applicable law; (b) protect the rights, property, or safety of Treffix, our users, or the public; or (c) enforce our Terms of Service.
4.6 Business Transfers
In the event of a merger, acquisition, sale of assets, or reorganization of Treffix, your personal data may be transferred to the acquiring entity. We will notify registered users via email before such a transfer takes effect and provide an opportunity to delete your account.
4.7 No Data Selling
Treffix does not sell, rent, lease, or otherwise trade your personal data to any third party for marketing, advertising, or commercial purposes.
5. Data Retention
We retain your data for the following periods:
- Account data (name, email, account type): Retained for the lifetime of your account, plus 2 years after account deletion (for legal audit purposes)
- TikTok OAuth tokens (access & refresh tokens): Deleted immediately when you revoke TikTok access or delete your Treffix account
- Instagram OAuth tokens (long-lived access token): Deleted immediately when you disconnect Instagram or delete your Treffix account
- Transaction and payout records: Retained for 7 years from the date of the transaction (tax and financial compliance requirements)
- Video submission data: Retained for 2 years after the relevant campaign ends
- Campaign briefs and data: Retained for 2 years after campaign end
- Dispute and appeal records: Retained for 3 years from resolution date
After the applicable retention period, data is deleted or anonymized in accordance with our internal data lifecycle policies.
6. Your Privacy Rights
6.1 GDPR Rights (EEA / UK Residents)
If you are located in the European Economic Area or United Kingdom, you have the following rights:
- Right of access: Request a copy of all personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete personal data
- Right to erasure ("right to be forgotten"): Request deletion of your personal data, subject to our legal retention obligations
- Right to data portability: Request your personal data in a structured, machine-readable format
- Right to restrict processing: Request that we limit how we use your data in certain circumstances
- Right to object: Object to processing of your personal data where we rely on legitimate interests as our legal basis
- Right to withdraw consent: Where processing is based on consent, withdraw that consent at any time
You also have the right to lodge a complaint with your national data protection authority (e.g., the Dutch Autoriteit Persoonsgegevens, or the ICO in the UK).
6.2 CCPA Rights (California Residents)
If you are a California resident, you have the right to:
- Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources, the purposes for collection, and the categories of third parties with whom we share it
- Delete: Request deletion of your personal information, subject to legal exceptions
- Opt-out of sale: Treffix does not sell personal information. We will not begin selling your information without providing a clear opt-out mechanism
- Non-discrimination: We will not discriminate against you for exercising your CCPA rights
6.3 How to Exercise Your Rights
To exercise any of the above rights, email us at privacy@treffix.nl with the subject line "Privacy Rights Request". We will respond within 30 days (GDPR) or 45 days (CCPA) of receiving your request. We may ask you to verify your identity before fulfilling the request.
7. Cookies & Tracking
7.1 Session Cookies
We use session cookies that are strictly necessary for authentication and maintaining your logged-in state. These cookies are required for the Platform to function and cannot be disabled.
7.2 What We Do Not Use
Treffix currently does not use:
- Third-party advertising or tracking cookies
- Analytics platforms (Google Analytics, Mixpanel, Segment, etc.)
- Social media tracking pixels
- Fingerprinting or cross-site tracking technologies
If we introduce any non-essential cookies in the future, we will update this policy and implement a cookie consent mechanism.
8. Data Security
We implement appropriate technical and organizational security measures to protect your personal data:
- Encryption in transit: All data transmitted between your browser and Treffix's servers is encrypted using HTTPS/TLS
- Access controls: Supabase Row Level Security (RLS) policies ensure that users can only access their own data. Administrative access is restricted to authorized Treffix personnel
- Password security: Passwords are hashed using industry-standard algorithms via Supabase Auth. Plaintext passwords are never stored or transmitted
- TikTok token storage: OAuth tokens are stored in our database and used only for view verification. We recommend revoking TikTok access through TikTok's settings if you believe your tokens may have been compromised
- Instagram token storage: OAuth tokens are stored in our database and used only for Reel view verification. Tokens are automatically refreshed approximately every 60 days. Disconnect Instagram through your Treffix connections page if you believe your token may have been compromised
Despite these measures, no data transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security of your data. In the event of a data breach that affects your rights and freedoms, we will notify affected users and relevant supervisory authorities in accordance with applicable law.
9. International Data Transfers
Treffix is based in the Netherlands. Your data may be processed and stored in data centers located within the European Economic Area. Our infrastructure providers (Supabase, Stripe, TikTok, Meta Platforms) may process data in locations outside the EEA. Where data is transferred outside the EEA, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries with an adequacy decision.
10. Children's Privacy
The Treffix Platform is intended exclusively for users who are 18 years of age or older. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have inadvertently collected data from a minor, we will delete that account and all associated data immediately. If you believe a minor has registered on the Platform, please contact us immediately at privacy@treffix.nl.
11. Third-Party Links
The Platform may contain links to third-party websites (e.g., TikTok, Instagram, Stripe). This Privacy Policy applies only to the Treffix Platform. We are not responsible for the privacy practices of third-party sites and encourage you to review their privacy policies before providing any personal data.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform features. For material changes, we will notify registered users via email at least 14 days before the changes take effect. The effective date at the top of this page will always reflect the date of the most recent update.
13. Contact & Data Requests
For any questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern:
- Privacy requests: privacy@treffix.nl (subject: "Privacy Rights Request")
- Legal inquiries: legal@treffix.nl
- GDPR data subject requests: we respond within 30 days
You also have the right to file a complaint with your national supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens.