© 2026 Treki. All rights reserved. v1.0.1 (Beta)

Privacy Policy

Last updated: March 7, 2026

1. Data Controller Information

The data controller responsible for processing your personal data under the General Data Protection Regulation (GDPR) is:

Treki
Email: support@treki.app

2. Introduction

We operate the Treki mobile application and website (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By using Treki, you agree to the collection and use of information in accordance with this policy.

3. Legal Bases for Processing (GDPR Art. 6)

We process your personal data under the following legal bases:

  • Contract Performance (Art. 6(1)(b) GDPR): For account creation, authentication (including OAuth), and providing core application features (saving lists, reviews).
  • Consent (Art. 6(1)(a) GDPR): For non-essential cookies, syncing with third-party APIs (Spotify/Apple Music), and optional push notifications.
  • Legitimate Interest (Art. 6(1)(f) GDPR): For analyzing aggregated usage data to improve the application, ensuring security, and preventing fraud.
  • Legal Obligation (Art. 6(1)(c) GDPR): For retaining data required by applicable laws.

4. Information We Collect & How We Use It

4.1 Information You Provide

  • Account Data: Name, email address, password (hashed). (Basis: Contract Performance)
  • Profile Data & Content: Bio, reviews, ratings, and lists. (Basis: Contract Performance)

4.2 Information Collected Automatically

  • Usage & Device Data: Pages visited, actions taken, browser type, OS. (Basis: Legitimate Interest)
  • Cookies: Essential session cookies for authentication. (Basis: Contract Performance)

4.3 Third-Party Integrations

  • Spotify & Apple Music: By opting into Auto-Sync features, we process your top-read and recently-played tracks to populate your Treki feeds. You may revoke this access at any time. We do not permanently store raw JSON payloads from these APIs. (Basis: Consent)
  • OAuth Providers: Apple or Google authentication data. (Basis: Contract Performance)

5. Legitimate Interest Explanation

When we rely on legitimate interest for processing (e.g., analytics and security monitoring), we conduct a balancing test to ensure your fundamental rights and freedoms are not overridden. We anonymize or aggregate analytics data where possible, ensuring minimal impact on your privacy while strictly using it to improve performance, detect bugs, and enhance platform security.

6. Third-Party Processors & Data Sharing

We do not sell your personal information. We operate using Data Processing Agreements (DPAs) with the following third-party processors necessary for the Service:

  • Vercel Inc.: Hosting infrastructure and analytics (Vercel Analytics/Speed Insights).
  • Neon / Supabase: Managed PostgreSQL database hosting.
  • Google (Alphabet Inc.): Authentication processing for "Sign in with Google".
  • Apple Inc.: Authentication processing for "Sign in with Apple" and push notifications (APNs).
  • Expo Application Services: Mobile app build compilation and push notification dispatch.

7. International Data Transfers

Treki is accessible globally. Data processed by our sub-processors (like Vercel and Google) may be transferred to and maintained on servers located in the United States or other countries outside the European Economic Area (EEA).

We ensure these transfers comply with GDPR by confirming our vendors participate in the EU-US Data Privacy Framework (DPF) or rely on the European Commission's Standard Contractual Clauses (SCCs) as safeguards to protect your data.

8. Data Retention

We retain data strictly for specific, limited periods:

  • Account Data & Content: Retained for as long as your account is active. Upon deletion, data is permanently erased from active databases within 30 days.
  • Analytics & Logs: Retained for a maximum of 14 months before being anonymized or securely deleted.
  • Third-Party API Tokens (Spotify/Apple): Instantly deleted upon revocation or account deletion.

9. Security Measures

We apply robust technical safeguards, surpassing generic standards:

  • Encryption in Transit: All data is transmitted over TLS (HTTPS), which is strictly enforced.
  • Encryption at Rest: Databases utilize cloud-provider AES-256 encryption at rest.
  • Access Control: Administrative access is strictly limited via multi-factor authentication (MFA).
  • Password Security: Passwords are one-way hashed using bcrypt.

10. Cookies & Tracking Technologies

We are transparent about our use of cookies:

  • Essential Cookies: Required to keep you securely logged in (e.g., JWT Session Tokens). Cannot be disabled.
  • Analytics Cookies: Utilized (e.g., Vercel Analytics) only to measure performance. These are activated solely on the basis of our legitimate interest in operating a functional global platform, with IP addresses anonymized by the provider.

11. Your GDPR Data Subject Rights

Under the GDPR, you possess the following rights concerning your personal data:

  • Right to Access: Receive a copy of your personal data.
  • Right to Rectification: Request correction of inaccurate data.
  • Right to Erasure (Right to be Forgotten): Request deletion of your data via the Settings menu.
  • Right to Restriction: Request limitation of how we process your data.
  • Right to Data Portability: Obtain a structured, machine-readable export of your data.
  • Right to Object: Object to processing based on legitimate interests (e.g., analytics).

To exercise these rights, email support@treki.app. We will respond within 30 days.

Right to Lodge a Complaint

If you believe our processing violates data protection laws, you have the right to lodge a complaint with your national supervisory authority (e.g., the European Data Protection Board or your local DPA).

12. Data Protection Officer (DPO)

Based on the scale of our data processing, we are not legally required to, and do not currently have, a formally appointed Data Protection Officer. However, privacy inquiries are handled directly by the Data Controller.

13. Contact Us

If you have questions, privacy concerns, or wish to exercise your rights, contact us at:

  • Email: support@treki.app