Privacy Policy

PointsIQ ("we," "us," or "our") is a travel points optimization service. Our app and website help you track credit card portfolios, loyalty balances, and plan award travel using AI-powered recommendations. Contact us at privacy@pointsiq.app.

We collect only what you voluntarily provide:

• Account data: email address used to create your account.
• Profile data: display name, home airports, preferred cabin class, travel frequency, credit score band, Chase 5/24 count, and overall travel goals text.
• Card portfolio: credit card names, issuers, annual fees, open dates, and welcome-bonus status. We do not collect card numbers, CVVs, or any sensitive payment credentials.
• Loyalty balances: point and mile balances you enter manually for each program.
• Household members: nicknames and travel profiles for additional travelers you add (e.g., a partner or family member). No separate account or identity verification is required for household members.
• Travel goals: trip descriptions you enter to ground AI recommendations.
• Usage data: number of AI prompts used per day, for rate-limiting purposes.
• Communications: messages you send to the AI assistant within the app.

• Deliver personalized credit card and award travel recommendations.
• Power the AI assistant — your profile context is sent to our AI provider (see Section 5) to generate responses.
• Enforce plan limits (free tier: 5 AI queries/day).
• Send optional email alerts about card bonuses or point expiry if you opt in.
• Improve the service through aggregated, anonymized analytics.

All data is stored in Supabase (hosted on AWS us-east-1) with row-level security — you can only read and write your own data. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). We do not sell your data to third parties.

We share data with the following processors only to the extent necessary to operate the service:

• Supabase — authentication, database, and storage. Privacy policy.
• OpenRouter / AI model providers — your profile context and chat messages are sent to generate AI responses. No data is used to train models. Privacy policy.
• Vercel — hosting and serverless functions. Privacy policy.

We do not share data with advertisers, data brokers, or any other parties.

We retain your data for as long as your account is active. When you delete your account (see Section 8), all personal data is permanently deleted within 24 hours. Aggregated, anonymized usage statistics may be retained indefinitely.

Depending on your jurisdiction you may have the right to:

• Access a copy of your personal data.
• Correct inaccurate data — editable directly in the app under My Cards.
• Delete your data — use the in-app Delete Account option or email us.
• Portability — request a JSON export of your data by emailing us.
• Object to or restrict processing — contact us at the address below.

To exercise any right, email privacy@pointsiq.app. We respond within 30 days.

You can permanently delete your account and all associated data at any time directly within the app: open the sidebar, scroll to the bottom, and tap Delete account. Alternatively, email privacy@pointsiq.app and we will process your request within 5 business days.

PointsIQ is not directed at children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it promptly.

We may update this policy from time to time. We will notify you of material changes via email or an in-app notice at least 14 days before they take effect. Continued use of the service after the effective date constitutes acceptance.

Questions or requests: privacy@pointsiq.app