Trust & safety

Security & privacy at TrunkPrep

You’re trusting us with your kid’s name, your contact info, and the choreography of your camp summer. Here’s a plain-language account of what we do to protect that — and what your rights are. Last updated 2026-05-09.

Our commitments

✓We never sell your data. Not to camps, not to advertisers, not to anyone. Period.
✓You see only your camp’s community. TrunkSwap listings are visible only to other parents at the same camp as one of your campers — never the open internet.
✓You control your data. You can edit, export, or permanently delete your account at any time. Deletion removes your packing lists, listings, and family info.
✓We don’t handle payments.When you sell on TrunkSwap, the buyer contacts you directly via Venmo, text, or email. We’re a listing board — not a payment processor or an escrow service.

What we collect

The minimum we need to make TrunkPrep work for you:

Type	What	Why
Account	Email, password (hashed), full name	So you can log in and we can address you by name in the app.
Camper	Name, age, camp, session dates	To load your camp’s official packing list and scope your TrunkSwap to the right camp.
Packing list	Items you add, quantities, store, link, notes, photo	The whole point of the app — your private list of what to buy and pack.
TrunkSwap listing	Item name, price, condition, photos, your contact channel(s)	So other parents at your camp can find your gear and reach you directly.
TrunkBunch (when launched)	Family bio details you choose to share — kid first name, age, hobbies, hometown, optional photo	So families at the same camp + session can introduce themselves before drop-off.

Who can see your data

You

Always see and edit everything in your account.

Other parents at the same camp

Can see only your active TrunkSwap listings and (when TrunkBunch launches) the parts of your family bio you opt to share. They cannot see your packing lists, post-camp inventory, or anything else.

The TrunkPrep team

Access account data only when needed — to support you, investigate a reported listing, or fix a bug. We log this access and never use your data for marketing.

No one else

Camps don't get a roster of your data. Advertisers don't get a feed. Search engines never index your account, your listings, your family bio, or anything else behind login.

How we secure it

Encryption in transit. Every page and every API request travels over HTTPS (TLS 1.3). HTTP Strict Transport Security is enabled site-wide.
Encryption at rest. Your data lives in a managed Postgres database (Supabase) with AES-256 disk encryption. Photos live in encrypted object storage scoped to your user ID.
Row-level security.Every table in our database has Row-Level Security (RLS) policies that prevent one user from reading or writing another user’s rows — enforced by the database, not by app code.
Camp scoping. TrunkSwap listings are visible only to authenticated users with a registered camper at the same camp. The marketplace is not a public feed.
Hardened headers. Modern browser protections — Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy — are applied to every response.
Authentication.Passwords are hashed with industry-standard algorithms (we never see them). Sessions use HTTP-only cookies; we don’t put auth tokens in local storage.
Rate limiting. Sensitive actions (creating listings, submitting reports) are rate-limited at the database layer to prevent abuse.
Photo restrictions. Uploads are size-capped (8 MB) and limited to image MIME types — no executable content, no arbitrary files.
Reporting & moderation. Any user can report a TrunkSwap listing for suspected fraud, scam, or policy violation. Reports go to our admin queue and are reviewed individually.

Children’s privacy

TrunkPrep is designed for parents, by parents. Children do not have their own accounts. Camper information is provided by you, the parent or legal guardian, in the course of organizing your child’s camp summer.

We collect the minimum information about a camper that the packing list and marketplace require: their name (used so you can label your own list), their age, and the camp they attend. We do not collect Social Security numbers, school records, medical information, or any other sensitive child data.

When TrunkBunch launches, kid bio fields will be optional and parent-controlled. Any photo of a child must be uploaded by the parent on the parent’s account; the child does not have a separate identity in our system. Kid-to-kid messaging will not exist without parental consent and moderation. We treat compliance with the Children’s Online Privacy Protection Act (COPPA) as a floor, not a ceiling.

If you believe we have collected information about a child in a way that does not meet this standard, contact us immediately and we will delete it.

Your rights

You can, at any time:

Access. View everything we have about you from your dashboard. Request a complete export by emailing us.
Correct. Edit any part of your account, campers, lists, listings, or bio at any time.
Delete.Permanently delete your account from Settings. We remove your packing lists, listings, family bio, and all associated photos. Some records may persist in encrypted backups for up to 30 days, after which they’re purged.
Withdraw consent. You can stop using TrunkPrep at any time. Deleting your account is the simplest way to withdraw consent for ongoing processing.
Object & complain.If you think we’re handling your data wrongly, write to us first — we’ll try to fix it. You also have the right to lodge a complaint with your local data-protection authority.

The hedge

We use commercially reasonable, industry-standard practices to protect your information. No system is 100% secure. We can’t guarantee against every possible attack — what we can guarantee is that we will tell you promptly if something goes wrong, and we will design every feature asking what would I want for my own kid? first.

TrunkSwap is a listing board. You make your own arrangements with buyers and sellers. We are not a party to those transactions, we don’t handle payments, and we can’t guarantee that any individual buyer or seller will behave honestly. Use the same judgment you’d use on any community marketplace.

This page is a plain-language summary of our security and privacy approach. It is not a contract; it does not replace our Terms of Service when those exist; and it may be updated from time to time. We will note material changes at the top of this page and notify active users by email.

Reach a human

Security concern, privacy question, or just want to talk to us about how your data is handled? Email alexis@theboldway.com and a real person will reply.

For suspected security vulnerabilities, please email us directly rather than posting publicly so we can fix it before disclosure.