⚗️PointAlchemy

Privacy Policy

Last updated: March 7, 2026

1. Information We Collect

Account Information

When you create an account, we collect your name, email address, and (if using email/password authentication) a securely hashed password. If you sign in with Google OAuth, we receive your name, email, and profile picture from Google.

Financial Data (via Plaid)

When you connect a credit card account through Plaid, we receive transaction data including: transaction amounts, dates, merchant names, and merchant categories. We use this data to determine which credit card earned the most rewards for each purchase and to provide optimization recommendations. We do not access your account numbers, card numbers, or login credentials. Plaid handles authentication directly.

User-Entered Data

You may manually enter credit card selections, loyalty program point balances, travel preferences, and spending estimates. This data is used solely to provide personalized recommendations.

Payment Information

Subscription payments are processed by Stripe. PointAlchemy does not store your payment card number, expiration date, or CVV. Stripe's privacy policy governs payment data handling.

Usage Data

We collect basic usage data including pages visited, features used, and error logs to improve the Service. We use browser localStorage to persist user interface preferences (e.g., view settings). We do not use third-party tracking cookies or advertising networks.

2. How We Use Your Information

  • Provide and personalize the Service (transaction enrichment, card recommendations, optimization reports)
  • Process subscription payments
  • Send transactional emails (account verification, password reset, subscription confirmations)
  • Send the PointAlchemy newsletter (if you opted in; you may unsubscribe at any time)
  • Detect and prevent fraud, abuse, and security incidents
  • Provide customer support, troubleshoot issues, and resolve billing inquiries
  • Improve the Service based on aggregated, anonymized usage patterns

Authorized PointAlchemy staff may access your account information, card portfolio, and transaction data as needed to operate the Service, provide support, and ensure data accuracy. Access is limited to personnel with a legitimate operational need and is logged in an internal audit trail.

3. Data Sharing

We share your data only with the following third-party service providers:

  • Plaid for financial account connection and transaction data retrieval
  • Stripe for subscription payment processing
  • Resend for transactional and newsletter email delivery
  • NextAuth.js / Google OAuth for authentication (Google sign-in only)

We do not sell, rent, or trade your personal information. Your individual transaction data, point balances, and card portfolio are never shared with credit card issuers, loyalty programs, or other third parties. We may use or share aggregated, anonymized data that cannot identify individual users, for example, trends, averages, and industry insights.

4. Affiliate Links

Some credit card links on the Service are affiliate links. When you click an affiliate link, the destination site may collect information about your visit. We do not share your PointAlchemy account data with affiliate partners. Affiliate relationships are disclosed in accordance with FTC guidelines.

5. Data Security

We implement industry-standard security measures including: AES-256-GCM encryption for sensitive data at rest (Plaid access tokens), bcrypt password hashing with 12 rounds, rate limiting on authentication endpoints, and HTTPS for all data in transit. Despite our efforts, no method of transmission or storage is 100% secure.

6. Data Retention

We retain your account data and transaction history for as long as your account is active. When you delete your account, all associated data (transactions, cards, reports, point balances, household memberships) is permanently deleted via database cascade. Stripe subscription records are canceled but may be retained by Stripe per their policies.

7. Your Rights

You have the right to:

  • Access your data through the Service's dashboard, transaction list, and export features
  • Export your transaction data in CSV format
  • Delete your account and all associated data through Settings
  • Disconnect linked financial accounts at any time
  • Unsubscribe from marketing emails via the unsubscribe link in any email
  • Opt out of the newsletter through your account settings

For California residents (CCPA): you have the right to know what personal information we collect, request its deletion, and opt out of its sale (we do not sell personal information). Contact us to exercise these rights.

8. Cookies and Local Storage

PointAlchemy uses essential cookies for authentication session management (NextAuth.js session tokens). We use browser localStorage to store UI preferences such as view mode selections. We do not use advertising cookies, tracking pixels, or third-party analytics that set cookies.

9. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete that information promptly.

10. International Users

The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you consent to this transfer.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new “Last updated” date. Continued use of the Service after changes constitutes acceptance.

12. Contact Us

For privacy-related questions or to exercise your data rights, contact us at privacy@pointalchemy.com.