TroveStays — Cookie and Tracking Notice
Hong Kong does not require a consent-banner-style cookie notice. This notice is published because we believe in being open about what we store on your device. It is part of our Privacy Policy (
02-privacy-policy.md).
TroveStays is delivered to you as a mobile app (iOS and Android) and a website (desktop and mobile web). On the mobile app, "cookies" in the browser sense do not apply; instead we use the device's secure storage. On the website we use ordinary browser storage and a small number of strictly necessary cookies. This notice covers both.
1. What we store on your device
| Where it lives | What it is | Why |
|---|---|---|
| Expo SecureStore / browser HTTP-only cookie or local-storage | Your TroveStays authentication session — a token that proves you are signed in | Keep you signed in between visits without you having to re-enter your password each time |
| AsyncStorage (mobile) / localStorage (web) | Your preference settings (preferred currency, language, dark/light mode if applicable) and a small cache of hotel rates so the app is faster | Performance and continuity of preferences |
| In-memory | Your active checkout state, the post you are currently scrolling, your impression buffer (which posts you have seen for more than ~2.5 seconds) | Operating the current screen and feeding the impression upload that runs when you change tab or close the app |
| Server-side, tied to your account, not your device | Your record of seen posts | Avoiding showing you the same post twice; ranking the Discover feed |
On the web, the only cookies we set are strictly necessary ones — the authentication cookie above, and a session-balance cookie. We do not set advertising cookies and we do not allow third-party advertising trackers on our pages.
2. What we do not do
- We do not run third-party advertising trackers. No Google Ads, Facebook Pixel, TikTok Pixel, ad-network beacons, or equivalent.
- We do not sell behavioural data. We do not share what you do on TroveStays with data brokers, advertising networks, or behavioural-profiling vendors.
- We do not currently use a third-party analytics SDK. At the date of this notice, in-app analytics consist only of structured logging on our own infrastructure for engineering and reliability purposes (for example, recording whether a rate cache lookup hit or missed). If we adopt a third-party analytics tool (such as a product-analytics platform), we will update this notice before doing so and, where required, ask for your consent.
- We do not fingerprint your device. We do not run scripts whose purpose is to assemble a device fingerprint.
3. Third-party storage incidental to features you use
The following third-party services we integrate with may set their own cookies or use their own storage on your device when you use the feature they support. They do so under their own privacy policies, which apply between you and them.
| Provider | When | What for |
|---|---|---|
| LiteAPI / Stripe payment iframe | When you are on the checkout screen entering card details | To operate the secure payment widget — required for PCI compliance |
| Mux video player | When you watch a video on a post | To play the video and to report basic playback telemetry to Mux |
| Google Maps (Android only) | When you view a map within the app | To render map tiles and (with your permission) show your position |
| OpenStreetMap (iOS / web) | When you view a map | To render map tiles |
We require these providers by contract to handle personal data in line with their published privacy policies and applicable law.
4. Your controls
- Sign out of the app to clear the authentication session.
- Reset your preferences in the Profile screen, which clears the locally-cached preferences.
- Clear browser cookies and storage for the TroveStays website from your browser's settings to reset the web experience entirely.
- Uninstall the app to clear all TroveStays on-device storage on that device. (Some storage may persist on iCloud / Google Backup until those backups are rotated; that is outside our control.)
- Disable push notifications in your device's notification settings to stop the device-side push token from being used.
5. Changes
We may update this notice from time to time. The change procedure in clause 15 of the Terms applies.
Version history
| Version | Date | Notes |
|---|---|---|
| 1.0 | 2026-06-11 | Initial public version. |