Privacy Policy

1. Introduction / Controller
MDNCT OÜ ("we", "us", or "our") operates the Trema platform, including the website tre.ma (“Public Pages”) and the Trema Manager mobile application (the “App”) (collectively the “Service”).
Company: MDNCT OÜ
Address: Sepapaja 6, 15551 Tallinn, Estonia
Privacy inquiries: privacy@tre.ma
General support: support@tre.ma
Account requests: accounts@tre.ma
This Privacy Policy explains what personal and non-personal data we collect, how we use it, who we share it with, the legal bases that apply (where applicable), and the rights you have.

2. Scope — two contexts
This single Policy covers:
Visitors of Public Pages (tre.ma) — persons who visit pages published on the tre.ma domain (these pages are public by design); and
Users of Trema Manager (mobile app) — professional account holders (owners / managers) who use the app to create and manage Trema pages.
Where a provision differs between the Public Pages and the App, we clearly indicate it.
Target audience: Trema Manager is intended for professional users (18+). We do not target children or knowingly collect data from minors.

3. Definitions (short)
User Content: photos, videos, text, and other content uploaded by you to create Trema pages.
Account Data: information used to register and authenticate an account (e.g., email).
Service Providers / Processors: third parties acting on our behalf (listed below).

4. What we collect

A. Public Pages (tre.ma) — site analytics & page data
Page content & media: content that page owners publish (public).
Website analytics: we use Umami to collect aggregated, non-personal website metrics (page views, referrer, browser/OS, device type, country-level location, time). Umami is configured to generate aggregated/anonymous statistics and is not used to build individual user profiles. (You can manage cookies/consent via the website cookie UI where applicable.)

B. Trema Manager — mobile app (current version)
Account Information: email address (login), first name, last name, phone number (optional), account metadata.
User Content: photos, videos, text uploaded via the App to build Trema pages. These are stored in Cloudflare R2.
Authentication / session data: session identifiers and authentication state (stored in Supabase) necessary to operate and secure the App.
Device / technical data: minimal technical data necessary to operate the App (e.g., device model, OS version) only as required for compatibility and service delivery — no analytics or behavioural tracking is performed in this App version.
Permissions: Photo Library access (read / write) only when you choose to import media; the App does not request camera, location, or push notification permissions in this release.

5. How we use the data (purposes)
We process data to:
Provide, operate and maintain the Service (hosting pages, delivering media).
Authenticate and secure accounts and sessions.
Allow you to create, edit, publish and delete Trema pages and uploaded media.
Provide support, process deletion requests, respond to legal requests.
For Public Pages: generate aggregated visit statistics via Umami to help owners understand traffic.
Prevent abuse and enforce our Terms (moderation, takedown processing).

6. Legal basis (where GDPR applies)
Performance of a contract / provision of service: account creation, hosting pages, and authentication.
Legitimate interests: operating, improving and securing the Service, preventing fraud and abuse, analytics for Public Pages (when aggregated).
Consent: when required (e.g., cookies on the website), we will obtain and record user consent.

7. Third-party processors & transfers
We use the following third-party service providers (processors):
Cloudflare (R2) — media hosting and CDN for photos and videos.
Supabase — authentication and session management.
Umami — aggregated website analytics for Public Pages.
Your data may be processed in jurisdictions outside your country of residence. Where applicable, we implement appropriate safeguards (for example, Standard Contractual Clauses, other lawful transfer mechanisms) or rely on processors that provide adequate protections. If you want details about processor locations or safeguards, contact privacy@tre.ma.

8. Data retention
Account & user content: we keep an account and its User Content for as long as the account exists.
Deletion requests: when you request account deletion (in-app or at https://touch.tre.ma/delete-account) we permanently delete your account data, uploaded media, and associated public page within 72 hours. Backups or cached copies may persist for a limited period for disaster recovery and legal compliance; these are deleted as soon as reasonably practicable (typically within 90 days).
Aggregated analytics: retained as aggregated, non-personal statistics.

9. Your rights (EU / GDPR & general)
Where applicable you may have rights to:
Access the personal data we hold about you.
Rectify inaccurate or incomplete data.
Request deletion of your personal data (we provide an in-app deletion button and web deletion at https://touch.tre.ma/delete-account). We will process deletion requests within 72 hours.
Request restriction or object to processing, where applicable.
Request portability of your data in a structured, commonly used format.
Lodge a complaint with your local supervisory authority (for EU users, the Estonian Data Protection Inspectorate or relevant EU authority).
To exercise your rights, contact privacy@tre.ma. We may require identity verification before actioning requests.

10. How to request deletion (practical)
Use the in-app “Delete Account” button, or visit: https://touch.tre.ma/delete-account.
We will acknowledge receipt and confirm when deletion is complete (via the email associated with the account).
Deletion includes account credentials, User Content (photos, videos), and removal of the public Trema page. We may keep minimal records for legal compliance for statutory retention periods.

11. Content on public Trema pages & moderation
Content published to tre.ma is public by default. Page owners are responsible for User Content they publish.
We provide reporting tools and an email contact for abuse reports. When a report is received we evaluate and may remove or restrict access to content if it violates our Terms, applicable law or third-party rights.
Copyright or intellectual property complaints should be sent to privacy@tre.ma with a clear takedown request (see DMCA-style instructions below).

12. Security
We use industry standard technical and organizational measures (encryption in transit (TLS) and secure storage) to protect personal data. However, no security is absolute. Report suspected breaches to privacy@tre.ma immediately.

13. Cookies & similar technologies (Public Pages)
On the public website we may use cookies/ similar technologies. Umami is configured to collect aggregated analytics and is not used to build individual profiles. Cookie settings and any consent options are available on the site.

14. Changes to this Privacy Policy
We may update this Policy. We will publish the revised policy on about.tre.ma/privacy with a new Effective Date and, where required by law, notify you of significant changes.

15. Contact & Data Protection Authority
MDNCT OÜ
Sepapaja 6, 15551 Tallinn, Estonia
privacy@tre.ma
If you are in the EU and wish to lodge a complaint you may also contact the Estonian Data Protection Inspectorate (or local authority).

16. Copyright takedown / DMCA-style notices (how to file)
To file a copyright infringement complaint, send an email to privacy@tre.ma including: (a) identification of the copyrighted work, (b) the URL(s) of the infringing content, (c) your contact information, (d) a statement that you have a good-faith belief the use is unauthorized, (e) a statement under penalty of perjury that you are the copyright owner or authorized to act, and (f) your electronic signature. We will respond and process valid claims.