RebateTrail Privacy Policy
Effective Date: April 1, 2026
Last Updated: April 1, 2026
Welcome to RebateTrail (hereinafter referred to as “the Platform” or “we”). The Platform is operated by Mantu (Shanghai) Travel Consulting Co., Ltd. (缦途(上海)旅游咨询有限公司, registered address: Building 1-3, No. 63 Liantai Road, Baoshan District, Shanghai; hereinafter referred to as “the Company”). We fully understand the importance of your personal information and will do our utmost to protect the security of your personal information. This Privacy Policy (hereinafter referred to as “this Policy”) is intended to explain how we collect, use, store, share, and protect your personal information, as well as how you can manage your personal information.
Please carefully read and fully understand this Policy before using the Platform’s services. If you do not agree with any part of this Policy, you should immediately stop using the Platform’s services. By using the Platform’s services, you acknowledge that you have fully understood and agreed to this Policy.
This Policy applies to the processing of personal information you provide through the Platform’s website (rebatetrail.com) and related services.
1. How We Collect and Use Your Personal Information
We collect and use your personal information only to the extent necessary to fulfill the purposes described in this Policy. The following outlines the specific scenarios and purposes for which we collect personal information:
1.1 Registration and Login
When you register an account on the Platform, we collect the following information:
- Email address (required): used for account registration, identity verification, and receiving notifications
- Login password: stored as an irreversible one-way hash (bcrypt); we cannot access your plaintext password
- Display name (optional): used for display within the Platform
When you choose to log in via WeChat, with your authorization, we obtain the following information from WeChat:
- WeChat UnionID and OpenID: used to identify your WeChat identity and associate it with your Platform account
- WeChat nickname and avatar: used to display your account information
- Publicly available WeChat region and gender information: used to provide better localized services
1.2 Using Platform Services
When you use the cashback services, we collect the following information:
- Booking information: including booking reference number, check-in date, hotel brand, source platform, etc., used to verify your booking and calculate cashback
- Cashback preferences: including your preferred currency and language settings
1.3 Withdrawal and Payment
When you apply for a withdrawal, we need to collect the following information:
- Payment account information: including bank account, Alipay account, or WeChat Pay account and other payment information, used solely to pay cashback to you
- Transaction records: including cashback credits, withdrawal applications, balance changes, etc., used to maintain your financial records
1.4 Security and Risk Control
To safeguard the security of your account and the operation of the Platform, we automatically collect the following information:
- Device and network information: including IP address, browser type and version, operating system, etc.
- Login records: including login time, login method, session information, etc.
- Verification code records: records of one-time verification codes sent during email verification or password reset
1.5 Notifications and Communications
- Notification preferences: you may choose to receive in-app notifications and/or email notifications
- Notification content: including cashback status changes, withdrawal progress, referral rewards, and other Platform messages
1.6 Referrals and Rewards
When you participate in the referral program:
- Referral relationships: records of the association between referrers and referred users
- Referral code: the referral code you set
- Reward records: the triggering conditions and distribution status of referral rewards
2. How We Store Your Personal Information
2.1 Storage Location
Your personal information is stored on cloud database servers located in the Asia-Pacific region (Singapore). We use encrypted transmission (TLS/SSL) to ensure the security of data during transit.
2.2 Retention Period
We retain your personal information for the minimum period necessary to fulfill the purposes described in this Policy:
| Information Type | Retention Period | Description |
|---|---|---|
| Basic account information | Duration of account plus 30 days after deactivation | Grace period after deactivation to allow you to withdraw your deactivation request |
| Transaction and financial records | 3 years from the date of transaction completion | In accordance with the Accounting Law of the People’s Republic of China and other legal requirements |
| Login session information | 90 days | For security audit purposes |
| Verification code records | 30 days after expiration | Automatically cleared |
| Notification messages | Duration of account | You may delete read notifications at any time |
2.3 Processing After Account Deactivation
When your account is deactivated (including voluntary deactivation and closure due to prolonged inactivity), we will:
- Delete or anonymize your personally identifiable information after a 30-day grace period
- Delete transaction records that are required to be retained by law once the statutory retention period expires
- Treat anonymized data as no longer constituting personal information; such data may continue to be used by us
3. How We Share, Transfer, and Publicly Disclose Your Personal Information
3.1 Sharing
We do not sell your personal information to third parties. We share your personal information with third parties only in the following circumstances:
| Third-Party Type | Information Shared | Purpose of Sharing |
|---|---|---|
| Email service provider | Email address, email content | Sending verification codes and notification emails |
| WeChat Open Platform | Authorization code (one-time use) | Enabling WeChat login functionality |
| Hotel data partners | Booking reference number, check-in date, source platform | Verifying booking information and confirming cashback eligibility |
| Exchange rate service provider | Currency pair information (no personal information) | Obtaining real-time exchange rates |
All third-party service providers are bound by contractual obligations and may only use your personal information to the extent necessary to provide services to us.
3.2 Transfer
In the event that the Company undergoes a merger, acquisition, asset transfer, or similar transaction involving the transfer of your personal information, we will require the new holder to continue to be bound by this Policy; otherwise, we will require them to obtain your authorization and consent anew.
3.3 Public Disclosure
We will not publicly disclose your personal information, except in the following circumstances:
- With your explicit consent
- When required by laws, regulations, legal proceedings, litigation, or competent government authorities
3.4 Cross-Border Transfer
As the Platform uses cloud database services located in Singapore, your personal information will be transferred outside the territory of the People’s Republic of China. We will comply with the relevant provisions of the Personal Information Protection Law of the People’s Republic of China (PIPL) to ensure that your personal information is adequately protected during cross-border transfer, including but not limited to:
- Ensuring that the overseas recipient’s data protection capabilities meet the standards required by law
- Adopting necessary security measures such as encrypted transmission
- Entering into data processing agreements with overseas recipients that stipulate their data protection obligations
4. How We Protect Your Personal Information
We adopt the following technical and administrative measures to protect the security of your personal information:
4.1 Technical Measures
- Encryption in transit: all data transmissions use TLS/SSL encryption
- Password security: user passwords are stored as irreversible one-way hashes using the bcrypt algorithm
- Access tokens: login credentials use randomly generated session tokens with a validity period of 7 days
- Database security: encryption is mandatory for all database connections, and channel binding authentication is enabled
4.2 Administrative Measures
- Strictly limiting the scope of personnel authorized to access personal information
- Providing security training to employees who may come into contact with personal information
- Establishing data security incident emergency response procedures
4.3 Security Incident Response
In the unfortunate event of a personal information security incident, we will, in accordance with the requirements of laws and regulations, promptly inform you of the basic circumstances of the security incident, its potential impact, the remedial measures we have taken or will take, and recommendations for you to independently prevent and mitigate risks. We will promptly notify you through push notifications, email, and other means.
5. Your Rights
In accordance with the Personal Information Protection Law of the People’s Republic of China (PIPL) and related laws and regulations, you enjoy the following rights with respect to your personal information:
5.1 Access and Copying
You have the right to access and copy your personal information. You may view your account information, transaction records, and notification preferences by logging into your Platform account.
5.2 Correction and Supplementation
When you discover that the personal information we process about you is inaccurate, you have the right to request that we correct or supplement it. You may directly modify certain information through the Platform settings or contact us for assistance.
5.3 Deletion
You may request the deletion of your personal information in the following circumstances:
- The processing purpose has been achieved, cannot be achieved, or the information is no longer necessary for achieving the processing purpose
- We have ceased to provide services, or the retention period has expired
- You withdraw your consent
- We process personal information in violation of laws, regulations, or our agreements with you
Please note: information that is required by laws and regulations to be retained (such as transaction records) will be deleted after the statutory retention period expires.
5.4 Account Deactivation
You have the right to deactivate your Platform account. After deactivation, we will process your personal information in accordance with Section 2.3 of this Policy.
Before deactivation, please note:
- Your account balance will be cleared upon deactivation; please complete any withdrawals in advance
- Pending cashback applications will no longer be processed
- Deactivation is irreversible (except during the grace period)
5.5 Withdrawal of Consent
You have the right to withdraw your previously given consent. Withdrawal of consent does not affect the validity of the processing of personal information carried out based on your consent prior to such withdrawal.
5.6 Personal Information Portability
Subject to the conditions prescribed by laws and regulations, you have the right to request the transfer of your personal information to another personal information processor designated by you.
5.7 How to Exercise Your Rights
You may exercise the above rights through the following means:
- In-Platform actions: manage settings after logging into your account
- Email: send your request to privacy#rebatetrail.com (please replace # with @)
We will respond to your request within 15 business days of receipt.
6. Cookies and Tracking Technologies
The Platform does not use browser cookies for user tracking. Our user authentication is based on a server-side session token mechanism (Bearer Token), with the tokens stored in a database, and does not rely on browser cookies.
We do not use third-party tracking tools or advertising tracking technologies to collect your browsing behavior data.
7. Protection of Minors
The Platform provides services exclusively to adults aged 18 and above. We do not knowingly collect personal information from minors under the age of 18. If we discover that we have collected personal information from a minor without verifiable parental or guardian consent, we will promptly delete the relevant information.
8. Revisions to This Policy
We may revise this Policy from time to time. The revised Policy will be published on the Platform with an updated date noted.
For material changes (such as collecting new types of personal information, changing the purposes of personal information use, or sharing personal information with new third parties), we will notify you through Platform announcements, email, or pop-up notifications before the changes take effect, and we will obtain your consent again.
If you do not agree with the revised Privacy Policy, you may choose to stop using the Platform’s services and deactivate your account.
9. Contact Us
If you have any questions, comments, or suggestions regarding this Policy, or wish to exercise your personal information rights, please contact us through the following means:
- Company name: Mantu (Shanghai) Travel Consulting Co., Ltd. (缦途(上海)旅游咨询有限公司)
- Registered address: Building 1-3, No. 63 Liantai Road, Baoshan District, Shanghai (上海市宝山区联泰路63号1-3幢)
- Privacy contact email: privacy#rebatetrail.com (please replace # with @)
We will respond to your request within 15 business days. If you are not satisfied with our response, you may also file a complaint with the personal information protection authority in Baoshan District, Shanghai (上海市宝山区).