Log in Sign up
Welcome to the Trevul.com launch! We are glad you are here, please help us grow!

Your USDA hardiness zone

Trevul shows you plants that grow where you live. Pick your zone and we'll filter the marketplace to plants that survive in your climate. Don't know your zone? Look it up by zip.

Draft, pending legal review. Version 0.26-2026-06-09 — effective June 9, 2026.

Privacy Policy

The short version: we collect what we need to run an auction marketplace, no more. We don't sell your information. We share it only with the service providers who actually do the work — Stripe and PayPal for payments, Cloudflare for site delivery and image storage, Hetzner Cloud for hosting, ZeptoMail for emails — plus law enforcement if legally required. The longer version is below.

1. Who this applies to

This Privacy Policy describes how Trevul LLC ("Trevul", "we", "us") collects, uses, and shares information about you when you use the Trevul website at trevul.com or interact with us by email or other channels.

2. What we collect

We collect a few categories of information:

Information you give us directly

  • Account info: username, email address, display name, password (stored as a hash, never the plaintext).
  • Hardiness zone: your USDA zone, used to filter listings to plants that grow in your climate.
  • Seller location: the US state you ship from, collected before your first listing.
  • Listing content: photos, descriptions, prices, shipping details, and other information you provide when creating a listing.
  • Communications: messages you send to support, dispute submissions, and similar.

Information collected by our payment processors

  • Stripe (card method). For sellers: when you set up payouts, Stripe collects your full legal name, date of birth, address, government-issued ID, last 4 digits of SSN (full SSN may be required for verification or 1099-K issuance over IRS thresholds), and US bank account details. Trevul does not see, store, or have access to this information. Stripe holds it; we receive only the resulting capability flags ("ready to receive payouts"). For buyers: when you complete a card purchase, your card information is collected and stored by Stripe. We receive a token referencing it for future charges if you opt to save the card.
  • PayPal (PayPal method). For sellers: when you connect PayPal via Partner Referrals, PayPal collects your PayPal Business account credentials and any KYC information PayPal requires for receiving payments. Trevul does not see, store, or have access to your PayPal login or balance. PayPal returns your merchant id and a few capability flags; that's all we keep. For buyers: when you save PayPal for one-click purchases, PayPal collects the consent and stores it as a Vault payment token. We receive a token id we use to capture future Orders.

Information collected automatically

  • Technical data: IP address, browser type and version, device characteristics, pages viewed, referrer URL, timestamps.
  • Cookies and similar: a session cookie (so you stay logged in), a CSRF token cookie (to prevent forgery attacks), and a signed two-factor cookie (so we don't challenge you for a code on every login from the same device for 24 hours). For anonymous visitors, we may store your selected hardiness zone in a session cookie. We don't use third-party advertising trackers.
  • Email engagement (sparingly): ZeptoMail tracks whether transactional emails (verification codes, login codes, password reset links, sale notifications) were delivered. We don't open-track or click-track marketing because we don't currently send marketing.

3. Why we collect it

We use the information we collect to:

  • Provide and operate the Service (let you log in, list, bid, buy, get paid),
  • Verify your email address and protect against unauthorized account access (two-factor codes),
  • Match listings to buyers' hardiness zones,
  • Process payments through Stripe (card method) or PayPal (PayPal method),
  • Communicate with you about your account, transactions, support requests, and material changes to these Terms or this Policy,
  • Detect, prevent, and respond to fraud, abuse, security incidents, or violations of our Terms,
  • Comply with legal obligations (tax reporting, law enforcement requests, marketplace facilitator sales-tax rules).

We do not use your information to build advertising profiles. We don't sell your personal information to anyone.

4. Who we share it with

We share information with a small number of vendors who help us run the Service. Each of them has its own privacy policy and terms; you can read theirs through the linked names below.

Vendor What it does What it sees
Stripe Card payments, seller KYC, payouts Buyer card data; seller identity, ID, bank
PayPal PayPal payments, seller onboarding (Partner Referrals) Buyer PayPal account auth; seller PayPal Business account
Cloudflare DNS, CDN, DDoS protection IP, request metadata for every page load
Hetzner Cloud Hosting (web + database VMs running CockroachDB) Everything we store at rest
Cloudflare R2 Listing photo + message attachment storage and delivery Images you upload
Zoho (ZeptoMail) Transactional email delivery Recipient email + body of each email we send

We may also disclose information when we believe in good faith that disclosure is required by law, by court order, or to protect the rights, property, or safety of Trevul, our users, or the public — for example, in response to a valid subpoena or to investigate suspected fraud. We'll resist overly broad requests and will notify you when we're able to, unless prohibited by law or the request involves an imminent threat.

If Trevul is acquired or merges with another company, your information may transfer as part of that transaction. We'll let you know before that happens, and the acquirer will be bound by this Policy with respect to the information transferred.

5. How long we keep it

We keep account information for as long as your account is active. After you delete your account, we'll delete or anonymize most of your information within 90 days, except where we need to keep it to:

  • complete pending transactions (payouts, refunds, dispute resolution),
  • comply with tax retention requirements (typically 7 years for transaction records),
  • preserve evidence in a legal proceeding,
  • defend against fraud (suspended accounts may be retained longer to prevent re-registration).

6. Your rights

You can review and update most of your account information through your profile page. For everything else, contact privacy@trevul.com and we'll:

  • Confirm what personal information we have about you,
  • Correct inaccuracies,
  • Delete your information, subject to the retention exceptions above,
  • Export your information in a machine-readable format.

California, Virginia, Colorado, Connecticut, and Utah residents have specific privacy rights under their state laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA respectively). EU/UK residents have rights under GDPR / UK-GDPR. We respond to verifiable requests under any of these regimes. We don't currently offer cross-border data transfer mechanisms, so practically, EU/UK residents using a US marketplace are an edge case for now — contact us if you have one.

7. Cookies in detail

We use cookies sparingly, all first-party, all functional or security-related:

  • sessionid — keeps you logged in across page loads. HttpOnly, Secure, expires when the browser session ends or after 14 days of inactivity, whichever comes first.
  • csrftoken — prevents cross-site request forgery on form submissions.
  • trevul_2fa — confirms your device passed two-factor verification recently. Signed (HMAC), HttpOnly, Secure, 24-hour TTL.
  • hardiness_zone (anonymous visitors only) — remembers your selected USDA zone so listings filter correctly across page loads. Cleared when the session ends.

We don't use analytics cookies, advertising cookies, or third-party trackers. If we ever add analytics, we'll update this policy and add a cookie banner.

8. Children's privacy

Trevul is not directed to children under 13, and we don't knowingly collect personal information from anyone under 13. If we learn we've collected information from a child under 13, we'll delete it. Users between 13 and 18 should not use Trevul without parental consent; our Terms require users to be 18 or older.

9. Security

We take reasonable steps to protect your information, including encryption in transit (TLS), encryption at rest for backups, hashed passwords (PBKDF2), hashed two-factor codes, and access controls on our infrastructure. No system is 100% secure; if you suspect your account has been compromised, contact us immediately.

10. International users

Trevul is operated from the United States and is currently available only to users physically located in the continental United States. Our servers and most of our vendors are also US-based. If you access Trevul from outside the US, you're transferring your information to a country whose data-protection laws may differ from your own.

11. Changes to this Policy

We may update this Privacy Policy from time to time. For material changes, we'll notify you by email at least 30 days before the change takes effect. Non-material updates take effect immediately, and the current version is always at trevul.com/privacy.

12. Contact

Trevul LLC
8 The Green, STE B
Dover, DE 19901
United States
Privacy: privacy@trevul.com
General support: support@trevul.com

Version 0.26-2026-06-09 — effective June 9, 2026.