Governance
Corporate
IncentiveTrips is operated as a property of Woodring Ventures. Ownership and accountability for the business, its data, and its editorial standards rest with the company’s leadership.
Editorial governance
Editorial and commercial functions are kept distinct. Rankings are produced under published methodologies; commercial relationships never alter organic scores. Sponsored and promoted content is labeled and separated. Affiliations that could present a conflict — such as our founder’s industry ties — are disclosed on the relevant pages.
Data governance
We practice data minimization (collect only what a feature needs), purpose limitation (use it only for that feature), and defined retention. A current list of subprocessors is maintained in our Privacy Policy.
Risk management
- Data & privacy risk — mitigated by minimization, access controls, encryption, and honoring deletion requests.
- Security risk — reduced by using managed, audited infrastructure, isolating secrets, and least-privilege access to production.
- Payment risk — fully outsourced to Stripe; card data never touches our systems.
- Editorial & reputational risk — managed through published methodologies, clear labeling, disclosure, and a right for organizations to submit verified data.
- Vendor risk — we rely on established providers (below) and limit the data each one processes to its function.
Compliance
Privacy laws
We align our practices with the EU/UK GDPR and the California CCPA/CPRA, including rights of access, deletion, correction, and portability, and a commitment not to sell personal information. Requests are handled per our Data Deletion process.
Payment security
Payments are processed by Stripe, a PCI-DSS Level 1 certified provider. IncentiveTrips does not store or transmit raw cardholder data.
Platform compliance
Where we integrate third-party platforms, we adhere to their terms — including the Meta Platform Terms and Developer Policies for any connected Facebook or Instagram account. Platform Data is used only to deliver requested features and is never sold.
Security controls
| Control | Practice |
|---|---|
| Encryption | TLS in transit; encryption at rest via infrastructure providers |
| Authentication | Managed auth with hashed credentials (Supabase) |
| Access control | Least-privilege access to production; service-role keys server-side only |
| Secrets | Stored in encrypted environment configuration, never in source code |
| Payments | PCI-DSS Level 1 processing by Stripe; no card data on our systems |
| Data isolation | Row-level security enabled; public and privileged data separated |
Subprocessors
Vercel (hosting), Supabase (database, auth, storage), Stripe (payments), Resend (email), Meta Platforms (Facebook/Instagram, when connected), Anthropic (AI features), and Google/SerpAPI (public ranking data). See the Privacy Policy for purposes.
Reporting a concern
To report a security issue, data concern, or compliance question, email security@incentivetrips.com. We acknowledge reports promptly and investigate in good faith.