GDPR & Data Privacy
Last updated: April 2026Our commitment
Mega Rewards, LLC is committed to processing personal data responsibly and in compliance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent applicable privacy laws. This page is intended for our Partners — the publishers and app developers who integrate the Mega Rewards platform — and explains how we handle data protection in practice.
Our role under the GDPR
Mega Rewards operates as a Data Processor (Art. 28 GDPR). Our Partners are the Data Controllers.
This distinction matters:
Mega Rewards processes end-user data solely on behalf of and under the instructions of its Partners. Partners are responsible for ensuring they have the appropriate legal basis to collect and process their users' personal data.
What data we process
On behalf of our Partners, we may process the following categories of personal data relating to their end users:
- IP addresses (used for geo-targeting)
- User identifiers (anonymised IDs, email addresses, or similar references)
- Demographic and profile data (as provided by the Partner)
- Behavioural data (reward impressions, clicks, conversions)
- Survey and preference responses (where the Partner has enabled our questions feature)
We do not process special categories of personal data (Art. 9 GDPR) unless explicitly agreed upon and documented in a separate addendum to the DPA.
International data transfers
Our infrastructure runs on Amazon Web Services (AWS) in the United States (us-east-1). Data originating in the EEA or UK is transferred to the US under the following safeguards:
- EU-US Data Privacy Framework — AWS holds current DPF certification.
- Standard Contractual Clauses (2021) — incorporated into our AWS Data Processing Addendum.
Our DPA with Partners includes the relevant transfer mechanisms to cover any onward transfer of EEA/UK personal data.
Sub-processors
We maintain a current list of sub-processors in our Privacy Policy. Partners are notified in advance of any intended changes to our sub-processor list, providing sufficient time to object if warranted.
Security measures (Art. 32)
We implement and maintain appropriate technical and organisational measures, including:
- Encryption of data in transit (TLS 1.2 or higher) and at rest
- Role-based access controls and principle of least privilege
- Multi-factor authentication for access to production systems
- Regular review of access permissions, including offboarding procedures
- Error monitoring and alerting for anomalous behaviour
- Network access controls that restrict access to production systems to authorised traffic only
- Defined incident response and breach notification procedures
Data subject rights support
When Partners receive data subject requests (access, erasure, rectification, portability, restriction, objection), Mega Rewards will assist the Partner in fulfilling those requests within a reasonable timeframe, in accordance with our DPA obligations.
Partners should direct data subject requests to their own processes in the first instance. If assistance from Mega Rewards is required, contact privacy@trofeo.io.
Data Processing Agreement
All Partners who process personal data of individuals located in the EEA or the United Kingdom through the Mega Rewards platform are required to enter into a Data Processing Agreement with us. Our DPA covers:
- Subject matter and duration of processing
- Nature and purpose of processing
- Categories of personal data and data subjects
- Obligations and rights of the Controller
- Sub-processor management
- International transfer safeguards
- Security measures
- Breach notification procedures
- Return and deletion of data upon termination
To request or review our DPA, visit our DPA page or contact privacy@trofeo.io.
Contact
Mega Rewards, LLC 10 Winthrop St., Rochester, New York 14607 privacy@trofeo.io