TroveStays All legal documents

Version 1.0.1 · Effective 2026-06-22 · Operated by Kindleye Limited (Hong Kong)

TroveStays — Personal Information Collection Statement

This document brings together the short, plain-language notices we show you at the point where each category of personal data is collected. The PDPO requires us to give you this information at the time we collect your data; this document is the master text from which the on-screen notices are taken. The longer description of how we handle your personal data is in our Privacy Policy (02-privacy-policy.md).

Four variants are set out below — one for each collection point in the Service.


How this PICS is given to you in the app

Variant When you see it
A — Account signup On the signup screen, immediately above the "Create account" button
B — Booking checkout On the checkout screen, immediately above where you enter the guest details
C — Creator payout onboarding On the Creator-payouts screen, immediately above the "Connect Stripe" button
D — Content creation (camera / photo library) In the iOS / Android system permission dialog text and in an in-app explainer immediately before that dialog is shown

The on-screen text is a condensed version of the relevant variant below; the underlying meaning is the same.


Variant A — Account signup

About the personal data you are giving us now

When you create your TroveStays account we collect: your email address, a password (which we store only as a salted hash and never see in plain text), a username, and a display name. You may optionally add an avatar, a bio, an Instagram handle, your preferred currency, and your nationality.

Why we collect it. To create and operate your account, to authenticate you when you sign in, to show your public profile to other TroveStays Users, to tailor prices to your preferred currency, and to comply with our legal obligations.

Is supply obligatory? Email, password, username, and display name are mandatory — without them we cannot create your account. The other fields are voluntary. You can edit or remove them in your profile.

Who else sees it. Your username, display name, avatar, bio, and Instagram handle are shown publicly on the Platform. Other personal data on this screen is not shared with third parties at signup, except with our database, authentication, and (where you opt in) push-notification providers as described in our Privacy Policy.

Your rights. You have the right under the Personal Data (Privacy) Ordinance (Cap. 486) to ask whether we hold personal data about you, to obtain a copy of it, and to correct it. Send any such request to support@trovestays.com. We respond within 40 days.


Variant B — Booking checkout

About the personal data you are giving us now

To make this booking we collect: the first name, last name, and email address of each guest, and a phone number for the lead guest. We also record the dates, room type, number of adults, number of children and their ages, and number of rooms that you have selected.

Why we collect it. To make the booking with the hotel via our merchant-of-record partner LiteAPI, so the hotel knows who is coming and how to reach you, and so we can support you if anything goes wrong with the stay.

Card details. Your card number, expiry, and security code are entered into a secure payment window hosted by LiteAPI and supported by Stripe. TroveStays never sees or stores your card data.

Is supply obligatory? Yes for all the fields shown on this screen — the booking cannot be completed without them. The hotel and LiteAPI require these fields to operate the booking.

Who else sees it. We send the guest names, the lead guest's email and phone, the dates, and the occupancy to LiteAPI so they can confirm the booking with the hotel. Card data goes from the payment window to Stripe. We do not store the phone number ourselves — it is passed through to LiteAPI only. See our Privacy Policy for the full picture.

Your rights. You can ask us at support@trovestays.com for a copy of your booking-related personal data, or to correct it. You can also see your booking history in the Trips screen.


Variant C — Creator payout onboarding

About the personal data you are giving us now — and what goes directly to Stripe

To pay your earnings out to you we use Stripe Connect. On this screen we ask you to confirm your bank country, and Stripe then asks you for the information it needs to identify you and to send you money — typically your legal name, date of birth, residential address, government identification documents, tax identification number, and bank account details. You enter that information into a Stripe-hosted flow, not into TroveStays.

What TroveStays itself keeps. We keep a record of your Stripe connected-account identifier (an opaque code, not a bank account number), the bank country you told us, the status of your KYC with Stripe (whether it is complete, what is outstanding, whether payouts are enabled), and the payout history (when, how much, in what currency, and whether the payout succeeded). We do not store your bank account number, identity documents, or tax ID.

Why. We need this information to operate creator payouts and to comply with Stripe's terms, anti-money-laundering law, and sanctions-screening obligations.

Is supply obligatory? Yes if you wish to receive payouts — without completing Stripe KYC we cannot pay you. You can continue to use TroveStays as a Traveller without onboarding to Stripe.

Who else sees it. Your KYC data is held by Stripe under Stripe's privacy notice. We see only what Stripe tells us about your account status. Payout records may be shared with our auditors, tax authorities, regulators, or law-enforcement bodies where we are required by law.

Your rights. Your rights of access and correction in respect of the personal data TroveStays holds are exercisable through support@trovestays.com. Rights in respect of the KYC data held by Stripe are exercisable through Stripe's privacy team — we will help you find them on request.


Variant D — Content creation (camera / photo library)

About the data your device is about to give us

When you tap "Create post" we ask your device for permission to access your camera (if you want to capture a new photo or video) or your photo library (if you want to upload one you have already taken).

Why. The selected photo or video is then uploaded to our video host Mux (for videos) or to our storage system Supabase Storage (for photos), so that we can publish it on the TroveStays Platform under your account.

Is supply obligatory? No — you can use the TroveStays Service without ever posting content. If you decline the permission, you simply cannot create a post.

What else gets sent. The photo or video file itself, the post caption you write, the hotel you tag, and (where you opt in) a link to your booking for the "Verified Stay" badge. Background photo data ("metadata", such as device model and the location where the photo was taken) may be embedded in the file by your device; we strip GPS metadata from photos on upload where technically feasible, but we cannot guarantee removal in every case. If you are concerned about embedded metadata, strip it on your device before uploading.

Who else sees it. Your video is processed by Mux. Your photo is stored in Supabase Storage. Once approved, your content is shown to other TroveStays Users.

Your rights. You can delete any post you have created from the post-detail screen, and the underlying video/photo will be deleted from Mux / Supabase Storage within a reasonable time. To raise a privacy concern about content, write to support@trovestays.com.


Common rights and contacts (applies to all variants)

All requests and complaints to: support@trovestays.com.


Version history

Version Date Notes
1.0 2026-06-11 Initial public version.