Privacy Policy

Last updated: April 2026

Who we are

Mega Rewards, LLC ("Mega Rewards", "we", "us", "our") is a New York limited liability company with offices at 10 Winthrop St., Rochester, New York 14607. We operate a B2B rewards and promotions platform that enables publishers and app developers ("Partners") to deliver reward offers to their end users.

Questions about this policy: privacy@trofeo.io

What this policy covers

This Privacy Policy describes how Mega Rewards processes personal data in two distinct contexts:

Visitors to our website — when you browse trofeo.io
End users of our Partners' applications — when our platform processes data on behalf of a Partner

These two contexts involve different roles and obligations, as explained below.

1. Website visitors

When you visit our website, we may collect the following data:

Data	Purpose	Legal basis	Retention
IP address, browser type, pages visited, referrer URL, timestamps	Website operation, security, and analytics	Legitimate interest	12 months
Name, email, company name (contact forms)	Responding to enquiries, follow-up communications	Legitimate interest / pre-contractual steps	Until the matter is resolved, or upon request

We use Google Analytics (via Google Tag Manager) to understand how visitors use our website. By continuing to use our website after accepting cookies, you consent to this use. You can withdraw consent at any time via the cookie settings banner.

We do not sell website visitor data or use it for advertising purposes.

2. End users of our Partners' applications

Mega Rewards acts as a Data Processor under the GDPR. Our Partners — the companies that integrate our platform into their products — act as Data Controllers.

Mega Rewards processes end-user data solely on behalf of and under the instructions of its Partners. Partners are responsible for ensuring they have the appropriate legal basis to collect and process their users' personal data.

Our relationship with each Partner is governed by a Data Processing Agreement (DPA). For more information, see our DPA page.

Data we may receive from Partners

Data	Purpose	Retention
IP address	Geo-targeting to serve regionally appropriate reward content	In accordance with the applicable DPA
User identifier (anonymised ID, email, or similar)	User deduplication and reward attribution	In accordance with the applicable DPA
Demographic and profile data (as provided by the Partner)	Eligibility filtering and personalisation of reward offers	In accordance with the applicable DPA
Behavioural data (impressions, clicks, conversions)	Reward attribution, reporting, and billing	In accordance with the applicable DPA
Survey and preference responses	Personalisation of reward offers, as instructed by the Partner	In accordance with the applicable DPA

3. International data transfers

Our platform is hosted on Amazon Web Services (AWS) in the United States (us-east-1). Personal data originating in the European Economic Area (EEA) or the United Kingdom is therefore transferred to and processed in the United States.

We ensure the lawfulness of these transfers through:

EU-US Data Privacy Framework (DPF) — AWS is certified under the DPF.
Standard Contractual Clauses (SCCs) — our Data Processing Addendum with AWS incorporates the 2021 SCCs approved by the European Commission.

4. Sub-processors

We engage the following sub-processors, which process personal data in the course of providing their services:

Sub-processor	Purpose	Location
Amazon Web Services (AWS)	Cloud infrastructure and hosting	USA
Cloudflare	Proxy, CDN, and security	USA
MaxMind	IP geolocation	USA
Rollbar	Error monitoring	USA
New Relic	Performance monitoring	USA
Redis Cloud (Redis Ltd.)	Cache and session management	USA
Bunny.net	Content delivery (CDN)	EU / USA
Better Stack	Log management and monitoring	USA / EU
Google LLC (Analytics, Tag Manager)	Website analytics	USA

All sub-processors are bound by contractual obligations consistent with GDPR requirements. This list is kept up to date and Partners are notified of material changes.

5. Data subject rights

If you are an end user of a Partner's application, your data rights (access, rectification, erasure, portability, restriction, objection) should be exercised with that Partner directly, as they are the Data Controller for your personal data. If you are unsure who the relevant Controller is, or if your request concerns data held directly by Mega Rewards, contact us at privacy@trofeo.io and we will assist or redirect your request.

If you are a visitor to our website, you may exercise any of the above rights by contacting privacy@trofeo.io.

6. Security

We implement technical and organisational measures appropriate to the risk, including encryption in transit (TLS 1.2 or higher) and at rest, access controls, and regular review of our security practices.

In the event of a personal data breach, we will notify affected Partners within 48 hours of becoming aware, so that Partners can fulfil their own notification obligations under applicable law.

7. Contact

Mega Rewards, LLC 10 Winthrop St., Rochester, New York 14607 privacy@trofeo.io

If you are located in the EEA or UK and have unresolved concerns about our data practices, you have the right to lodge a complaint with your local data protection supervisory authority.

8. Changes to this policy

We may update this policy periodically. Material changes will be communicated to Partners directly. The "last updated" date above reflects the most recent revision.