Privacy Policy
How TREKX collects, uses, stores, and protects your personal data — including accounts, orders, checkout, reviews, guides, and preferences.
This Privacy Policy describes how TrekX Ltd. collects, uses, stores, shares, and protects the personal data of everyone who interacts with the TREKX outdoor equipment platform — from your first visit to your time as a long-term account holder. Understanding what we collect, why we collect it, and how we protect it is the foundation of the trust you place in us.
Overview & Scope
The policy covers the full range of TREKX services: the storefront, TREKX Points loyalty programme, guide library, checkout, account dashboard, return portal, and product reviews. Different parts of the platform are interconnected — your order history influences your loyalty balance, your review eligibility depends on your purchase record, and your display preferences shape the entire storefront experience.
What This Policy Covers
This Privacy Policy describes how TrekX Ltd. ('TREKX', 'we', 'us', 'our') collects, uses, stores, shares, and protects personal data when you interact with the TREKX outdoor equipment platform. It applies to every part of the customer experience: browsing the product catalogue, creating an account, reading field guide articles, adding products to your cart, completing checkout, viewing order status, submitting return requests, writing product reviews, managing your loyalty points balance, contacting our support team, and using preference settings such as currency or unit system.
TREKX is structured as a multi-level outdoor commerce experience encompassing four product collections — Basecamp, Core, Explore, and Ascent — along with a guide library, a TREKX Points rewards programme, and a customer account dashboard. Different parts of your experience share information intentionally: your order history influences your points balance, your review eligibility depends on your purchase and delivery record, your account activity timeline reflects guide reading and order interactions, and your display preferences affect how prices and measurements appear throughout the storefront.
This policy also covers data processed by platform administrators when operating the TREKX back office, managing customer accounts, moderating reviews, handling refund and return requests, managing contact messages, and providing customer support. Administrators have access to order records, customer profiles, activity timelines, refund data, review data, and analytics derived from platform usage.
Who We Are
TrekX Ltd. ('TREKX') is the data controller responsible for personal data collected through this website and its associated services. Our registered correspondence address is 12 Aiguille du Midi, London, EC1A 1BB, England and Wales. Questions about data handling, rights requests, or concerns about this policy may be directed to privacy@trekx.com.
TREKX operates as an ecommerce platform focused on outdoor equipment and adventure gear. It is not a healthcare provider, financial institution, or regulated entity subject to sector-specific data protection regimes beyond standard commercial obligations. This policy is written in plain language to explain our data practices as clearly as possible. If you have questions about how your data is used, please contact us before continuing to use the platform.
Data We Collect
TREKX collects personal data in four main categories: identity and contact information you provide when creating an account or ordering, transaction data generated by purchases and returns, technical and usage data gathered automatically as you browse the platform, and profile and preference data that shapes how you experience the storefront.
Identity, Contact & Account Data
When you create an account or interact with TREKX as a registered user, we collect identity and contact information needed to provide your account, process purchases, and communicate with you. This includes:
- Your full name as entered during account creation or checkout.
- Your email address, which serves as your primary account identifier and the destination for order confirmations, return label notifications, and service messages.
- Your Clerk user ID and hashed credentials managed through Clerk-backed authentication — raw passwords are never stored by TREKX.
- Your shipping address including name, address line 1, optional address line 2, city, postcode, and country.
- Saved checkout preferences such as your preferred payment method reference managed through Stripe, and whether you have opted to receive marketing communications.
- Your Stripe customer ID where a Stripe customer record has been created for repeat payment management.
We do not knowingly collect personal data from children under 16. If you are under 16, please do not create an account or provide personal information through TREKX without parental or guardian guidance. If we become aware that a child under 16 has provided personal information without appropriate consent, we will delete that information promptly.
Transaction & Payment Data
When you place an order or request a return, we collect transaction data sufficient to create and manage the order record, prepare fulfilment, calculate TREKX Points, support return eligibility, and display your order history in the profile dashboard. This includes:
- Order number, line items, quantities, selected product variants (colour and size), shipping method, shipping cost, order total, fulfilment status, and order timestamps.
- Stripe payment intent ID, Stripe customer ID, card brand, and last four digits of the card used. We do not store full card numbers, CVV codes, or raw card data — these are handled entirely by Stripe under their PCI-DSS compliance framework.
- Points earned per order, points redeemed at checkout, the monetary value of points applied as a discount, and your running points balance.
- Return request ID, return number, reason for return, resolution type (refund to original payment method or exchange), exchange size and colour if applicable, refund amount, return status, and all relevant timestamps.
Demo orders created by the platform's seed scripts or automated cron jobs are marked as demonstration records and do not represent real payment transactions. These records exist to populate admin analytics, test fulfilment automation, and provide realistic-looking activity for platform development and demonstration purposes without processing real payments.
Technical & Usage Data
When you use the TREKX website, technical information is collected automatically by our hosting and security infrastructure. This may include:
- Your IP address and approximate geographic region for bot protection, rate limiting, and analytics.
- Browser type, version, and rendering engine.
- Operating system and device type.
- Page visit timestamps and session duration.
- Pages viewed, including product pages, collection pages, guide articles, checkout steps, cart interactions, and account sections.
- Referrer URL if you arrived at TREKX from an external link.
- Bot protection signals used by Vercel and Clerk to distinguish human users from automated or scripted traffic.
TREKX records a guide reading completion event when you scroll to the gear section near the bottom of a guide article. This event populates your account activity timeline, contributes to guide read-count statistics, and helps the platform surface relevant content. The tracking is intentionally limited to a single completion signal per guide visit and does not monitor granular word-level reading behaviour.
The platform may store customer activity events for actions such as placing an order, submitting a review, requesting a refund, and reading a guide. These events are visible in the activity timeline section of your profile dashboard and in the admin account detail page. They are used to provide a meaningful account history view and to help support staff understand customer context when handling enquiries.
Profile & Preference Data
TREKX stores preference and profile data that helps the platform display prices, unit measurements, and content in the format you expect. This includes your preferred display currency (e.g. USD, EUR, GBP, AUD, CAD, JPY, CNH), your preferred unit system (metric or imperial), your marketing email preference, and newsletter subscription status. These preferences may be stored in both account-level records and browser-side local storage to ensure a consistent experience whether you are signed in or browsing as a guest.
Where you submit a product review, TREKX stores the review title, rating (1–5 stars), written body, verified purchase flag, approved status, submission date, and any moderation metadata such as flagged status, flag reason, or deletion reason. Reviews are associated with both the reviewing customer record and the reviewed product record so the platform can prevent duplicate submissions for the same product and maintain accurate aggregate ratings. Review data may also be used to calculate a product's average rating and total review count shown publicly on the product page.
How We Use Your Data
Every piece of personal data TREKX processes serves a specific, documented purpose. We rely on three primary legal bases: contract performance — processing necessary to deliver the services you request; legitimate interests — processing that improves platform security and quality without overriding your rights; and consent — marketing and non-essential communications you have opted into and can withdraw at any time.
Service Delivery & Operations
The primary purpose for which we process personal data is the delivery of TREKX services. This includes:
- Creating and securing your customer account through Clerk-backed authentication and session management.
- Processing checkout payments via Stripe Payment Element and creating order records in Sanity including all line items, variants, and payment references.
- Scheduling and managing fulfilment status updates (pending → processing → shipped → delivered) according to the shipping method selected at checkout, either automatically via cron-based automation or manually by administrators.
- Sending transactional emails for order confirmation, processing, shipping notification, delivery confirmation, return label dispatch, refund approval, refund processing, and exchange fulfilment via Resend.
- Calculating and updating your TREKX Points balance after each qualifying order, refund adjustment, or exchange, applying the configured earn rate and redemption rules.
- Determining return eligibility based on the 30-day return window and the delivered fulfilment status of the associated order.
- Processing return and exchange requests including reviewing reason, approving or rejecting the request, and updating the Stripe payment intent for cash refunds where applicable.
- Enabling administrators to manually override fulfilment statuses, moderate customer reviews, manage customer accounts, process contact messages, and handle support requests through the admin back office.
Processing for these purposes is necessary for the performance of the contract between you and TREKX when you make a purchase, create an account, or request a service. Where processing is not strictly required for contract performance, it is based on our legitimate interest in operating a functional, secure, and well-supported platform.
Communications & Notifications
TREKX may contact you via email for the following purposes:
- Transactional messages tied to your order lifecycle — order confirmed, order processing, order shipped, order delivered. These are sent regardless of your marketing preference because they are necessary service communications.
- Notifications about your return request status, including return label ready, refund approved, refund processed, and exchange fulfilment confirmation.
- Alerts about review removal due to moderation action, account suspension notices, account deletion confirmations, and any security-relevant account activity.
- Promotional communications about new product releases, limited-edition drops, seasonal collections, and TREKX field guide updates. These are sent only when you have opted in at checkout or in your profile settings and may be stopped at any time by updating your preference.
- Product updates, outdoor inspiration, gear recommendations, and guide highlights for subscribers. Manageable via the newsletter signup form and the unsubscribe link included in every marketing communication.
Demo seed records and automated cron purchases are configured to suppress email delivery, ensuring that synthetic accounts do not generate real communications or consume email sending quotas during development or demonstration operation.
Analytics & Platform Improvement
TREKX uses aggregated and anonymised data to understand how the platform is used and to improve the experience. The admin dashboard includes analytics such as total revenue, average order value, fulfilment status breakdown, review approval rates, return rates by reason, customer acquisition trends, and product performance metrics. These are computed from existing order, review, refund, and activity data and do not require separate third-party tracking cookies beyond Vercel's privacy-first analytics infrastructure.
Product review data contributes to the average rating and review count displayed on product pages. This information helps customers evaluate products and is computed from approved reviews only — pending, flagged, or deleted reviews are excluded from public-facing rating calculations. High review counts and strong average ratings may also influence how products are featured or badged on the platform.
Guide reading events contribute to guide read-count statistics and may inform how related guides or linked products are surfaced in the platform. TREKX does not sell behavioural profiles derived from guide reading activity, does not share reading history with third-party advertisers, and does not build cross-site profiles based on guide or product engagement.
TREKX does not sell your personal data. Data is shared only with the service providers essential to platform operation, in legally mandated circumstances, or as required in connection with a business transfer. Each sharing scenario is documented below, along with the minimum data shared and the contractual safeguards in place.
Third-Party Service Providers
TREKX relies on a number of third-party service providers to operate the platform. Each provider receives only the minimum data necessary for their specific function and is contractually required to protect that data in accordance with their applicable privacy policies, data processing agreements, and legal obligations.
- Authentication and identity management. Clerk manages account creation, login sessions, password hashing, session token management, and user credential security. Clerk processes your email address, display name, and Clerk user ID.
- Content and commerce data storage. Sanity stores product data, order records, customer profiles, guide content, review data, refund request records, customer activity timelines, and contact messages. Data is stored in Sanity-managed cloud infrastructure.
- Payment processing and payment method management. Stripe processes payment card details during checkout via the Stripe Payment Element. TREKX receives only metadata — payment intent ID, Stripe customer ID, card brand, and last four digits. Raw card numbers are never transmitted to or stored by TREKX.
- Transactional and marketing email delivery. Resend processes email content, recipient addresses, and delivery status for order lifecycle, return, account, review moderation, and marketing communications.
- Application hosting, edge infrastructure, bot protection, and rate limiting. Vercel may process request metadata including IP addresses, user agents, and response codes to deliver the platform securely and with protection against abuse.
- Address autocomplete during checkout. When you type a shipping address, the Google Places API may receive partial address text to return autocomplete suggestions, helping ensure address accuracy before order submission.
- Delivery fulfilment. Your name and delivery address are provided to the applicable carrier for label generation, parcel tracking, and delivery completion.
TREKX does not sell, rent, or license personal data to data brokers, advertising networks, or any unrelated third party. Our service providers are not permitted to use your data for their own unrelated marketing or profiling purposes.
Legal Requirements
TREKX may disclose personal data when required or permitted by applicable law, including in the following circumstances:
- Complying with tax reporting, accounting, VAT, and financial record-keeping obligations.
- Responding to lawful requests from law enforcement agencies, regulatory authorities, or courts with appropriate jurisdiction.
- Preventing, investigating, or taking action against fraud, abuse, illegal activity, or material violations of these Terms.
- Establishing, exercising, or defending legal claims in litigation, arbitration, or regulatory proceedings.
- Protecting the rights, property, or physical safety of TREKX, its customers, its team, or the general public.
Where disclosure to a public authority is legally required, TREKX will notify affected individuals to the extent permitted by law and will limit the scope of any disclosure to only what is required.
Data Retention
TREKX retains personal data for as long as is necessary to deliver the services you use, comply with legal and financial obligations, support fraud prevention and dispute resolution, and maintain accurate platform records. The following retention periods apply:
- Retained for the duration of your active account plus a 90-day grace period after deletion. Some records associated with completed purchases may be retained for longer where tax and accounting obligations apply.
- Retained for a minimum of seven years to satisfy VAT, accounting, and tax reporting obligations. Line item details, payment references, TREKX Points data, and fulfilment history are included within this retention period.
- Retained for seven years to support payment dispute resolution, chargeback defence, refund reconciliation, and accounting obligations.
- Retained while the associated account is active. Deleted reviews may be retained in limited anonymised form for platform integrity statistics and aggregate rating accuracy.
- Updated immediately when you change your preference. Prior opt-in records may be retained for regulatory compliance evidence.
- Currency, unit system, cart contents, and saved checkout preferences stored in browser local storage or session storage remain until cleared by you, replaced by a newer preference value, or removed by the application on next session.
When data is no longer required for any lawful purpose and no legal retention obligation applies, TREKX will delete or anonymise it. If you request deletion of your account, TREKX will process that request and clearly communicate any data that must be retained and the reason for retention.
Your Rights
Depending on your jurisdiction, you hold a range of rights over the personal data TREKX holds about you. To exercise any right, contact privacy@trekx.com. We will respond within 30 days and, if we cannot fulfil a request, explain the specific legal reason in plain language. You may also raise a complaint with the Information Commissioner's Office (ICO) at any time.
Access, Correction & Portability
Depending on your location and applicable data protection law, you have the right to:
- Request a copy of the personal data TREKX holds about you, including account details, order history, review submissions, preference settings, and activity records (right of access).
- Ask us to correct inaccurate, incomplete, or outdated personal information, such as a wrong name, email address, or preference setting associated with your account (right of rectification).
- Receive a copy of data you have directly provided to us in a structured, commonly used, machine-readable format, where processing is based on consent or contract performance (right to data portability).
Many routine corrections can be made directly in your profile settings, including display name updates, currency preference changes, unit system preference, and marketing preference toggles. For requests requiring back-office changes — such as accessing a full account data export — contact privacy@trekx.com with sufficient detail to identify your account and the specific data you wish to access or correct.
Erasure, Restriction & Objection
You also have the right to:
- Request deletion of your personal data where there is no lawful basis for us to continue processing it — for example, where data was collected solely on the basis of consent and you withdraw that consent, or where data is no longer needed for the purpose it was originally collected (right to erasure).
- Ask us to restrict processing of your personal data where you contest its accuracy, object to its processing, or require it to be preserved for legal claims even where deletion would otherwise be appropriate (right to restriction).
- Object to processing based on legitimate interests where those interests are overridden by your fundamental rights, including the right to opt out of direct marketing at any time without needing to provide a reason for your objection (right to object).
To exercise any of these rights, email privacy@trekx.com with a clear description of your request. TREKX will respond within 30 days. If we are unable to fulfil your request, we will explain the specific reason in plain language. If you remain dissatisfied, you may lodge a complaint with the Information Commissioner's Office (ICO) in the UK or your local data protection authority.
Security
TREKX treats security as a foundational obligation, not an afterthought. We apply layered defences across authentication, payment processing, data storage, API access, and infrastructure to reduce the risk of unauthorised access, data leakage, and service disruption. No system is perfectly immune, but our goal is to make every realistic attack path as difficult as possible.
Technical Safeguards
TREKX implements reasonable technical and organisational measures to protect personal data from unauthorised access, disclosure, alteration, or destruction. These measures include:
- TLS encryption for all data transmitted between your browser and TREKX servers, ensuring credentials, order data, and personal information travel over an encrypted channel.
- Stripe-managed PCI-DSS compliance for all payment card data — raw card numbers, CVV codes, and full card data never touch TREKX servers.
- Clerk-managed authentication security, including hashed credential storage, JWT-based session token management, rate-limited login endpoints, and optional multi-factor authentication flows.
- Role-based access control in the admin back office, ensuring that order management, review moderation, account management, refund processing, and contact message access are restricted to authorised personnel only.
- Server-side validation on all write operations, including checkout, review submission, return requests, contact form submissions, points redemption, and admin actions.
- Webhook signature verification for all incoming Stripe payment events to prevent spoofed payment confirmations from triggering fraudulent order creation.
- Environment variable protection for all API keys, write tokens, Sanity dataset credentials, and Stripe secret keys — these are never exposed in client-side code.
- Rate limiting and bot protection on login, signup, checkout, review submission, return submission, and API endpoints via Vercel Edge infrastructure.
No internet-based service can guarantee perfect security. You are responsible for maintaining a strong and unique password for your TREKX account, keeping the email address associated with your account secure, signing out of TREKX on shared or public devices after each session, and reporting any suspected unauthorised access to security@trekx.com immediately.
Incident Response
If TREKX becomes aware of a security incident involving personal data, we will investigate promptly, take steps to contain and remediate the issue, assess the scope and category of data affected, and — where required by applicable law or where notification is necessary to protect affected individuals — provide appropriate notifications within legally required timeframes.
TREKX encourages responsible security disclosure. If you discover a potential vulnerability in the platform, contact security@trekx.com before making the finding public. Please include a description of the vulnerability, the steps to reproduce it, and the potential impact. TREKX will investigate, respond with an acknowledgement, and provide a timeline for remediation.
TREKX uses cookies and browser storage mechanisms to operate the platform and improve your experience. The categories of cookies and storage used are:
- Session cookies, Clerk authentication tokens, and cart state stored in local storage. These cannot be disabled without breaking core platform functionality including login, checkout, and cart persistence.
- Currency selection, unit system preference, and marketing preference stored in local storage or Sanity account data. These provide a consistent experience across visits and sessions.
- Vercel Analytics may collect privacy-first, anonymised usage metrics such as page view counts, referrer sources, approximate geographic distribution, and Web Vitals performance data. No personal identifiers are passed to advertising platforms.
- Vercel and Clerk may use challenge tokens, fingerprint signals, and rate-limit counters to distinguish human visitors from automated bots on checkout, login, review, and API routes.
- Marketing tracking cookies are only set with your explicit consent and may be used to measure the reach and effectiveness of TREKX promotional campaigns. You can withdraw consent at any time via your preference settings.
You can control non-essential cookies through your browser's privacy settings. Blocking or deleting strictly necessary cookies may cause core functions such as login, checkout, and cart state to stop working correctly.
TREKX does not use cross-site tracking cookies to build advertising profiles, does not participate in third-party cookie pools, and does not allow advertising partners to place tracking tags on the platform without your explicit consent.
International Transfers
Some of TREKX's service providers operate infrastructure outside the European Economic Area or United Kingdom. Where personal data is transferred internationally, TREKX ensures appropriate safeguards are in place. For providers such as Stripe, Vercel, Clerk, Sanity, and Resend, this may include Standard Contractual Clauses approved by the relevant data protection authority, adherence to applicable adequacy frameworks, or other mechanisms that satisfy transfer obligations under UK GDPR or EU GDPR where applicable.
Display currency conversion and unit conversion provided by the TREKX storefront are offered for customer convenience and do not constitute financial services. The underlying payment currency and settlement amounts are determined by the Stripe account configuration, the payment method selected at checkout, and applicable consumer protection law for the customer's location.
Changes to This Policy
TREKX may update this Privacy Policy as the platform evolves, as we add new features or service providers, or as applicable legal requirements change. Material changes — those that significantly affect how your personal data is processed or reduce your rights — will be communicated by updating the effective date shown on this page and, where appropriate, by email notification to registered account holders or a prominent notice on the platform.
Continued use of TREKX after a policy update constitutes acknowledgment of the revised terms. If you do not agree with material changes that affect you, you may close your account and request deletion of your personal data at privacy@trekx.com.
Contact
For any questions about this Privacy Policy, requests to exercise your data rights, or concerns about how your data is handled, please contact us using the details below:
- Email: privacy@trekx.com
- Post: TrekX Privacy Team, 12 Aiguille du Midi, London, EC1A 1BB
- Contact form: trekx.com/contact
When contacting us about a specific request, please include your account email address, a clear description of your request, and where relevant the order number, return number, review product, or other reference identifiers to help us locate the relevant records efficiently. Please do not include full payment card numbers, government-issued identity documents, or other sensitive credentials in ordinary email communications.