Privacy Policy
In plain English: We collect only what we need to run the service — your email, the cards you tell us about, and the point balances you enter. If you subscribe to our newsletter (The Move) without creating an account, we only collect your email address. We never collect your credit card numbers, never run ads on our site, and never sell your data. We use analytics tools (Google Analytics and the Reddit Pixel) to understand how visitors use our site and to measure our ad campaigns — you can opt out (see the Cookies section). We share data only with the service providers we need to operate (Stripe, Supabase, Resend, Netlify, Cloudflare, Google, Reddit). You can delete your account or unsubscribe at any time.
1. Who we are
The Points Planner is operated by The Points Planner LLC, a single-member limited liability company organized in the United States. For the purposes of this policy, "we," "us," and "The Points Planner" refer to The Points Planner LLC. "You" means the person whose information is processed.
2. What we collect
2.1 Information you provide
When you sign up and use the service, we collect:
- Account info: your email address, your name, and a hashed version of the password you choose. We never store your password in readable form.
- Card selections: the credit cards you tell us you hold (for example, "Amex Platinum"). We only store the card name — never the card number, CVV, expiration date, or any other sensitive financial credential.
- Point balances: the point and mile balances you manually enter for the loyalty programs you track.
- Email preferences: which types of reminders you've opted into, your preferred send time, and your timezone.
- Watch list / dream trips: destinations, origins, cabin class, travel window, hotel tier, and any notes you add.
- Referral info: if you refer someone, we store the referral code you generated, and if they sign up, we store their name and email associated with your referrer record.
- Newsletter subscription: if you subscribe to The Move (our weekly newsletter) via the homepage form, we store your email address along with the time you subscribed, the time you confirmed your subscription, and any UTM parameters present in the URL you signed up from. This is separate from a full account — you do not need to create an account to subscribe.
2.2 Information collected automatically
When you interact with the service, certain information is collected automatically by the infrastructure we use:
- Authentication logs (Supabase): sign-in events and IP address, used for account security.
- Server and CDN logs (Netlify, Cloudflare): IP address, user-agent string, request URL, and timestamp, kept briefly for security and operational purposes.
- Subscription events (Stripe): when you start, change, or cancel a paid subscription, Stripe notifies us so we can update your account accordingly.
2.3 What we do NOT collect
- We do not collect credit card numbers, CVVs, or bank account numbers. Stripe handles all payment information directly — we only receive a customer ID from them.
- We do not run advertising SDKs or fingerprinting scripts, and we do not use third-party tracking pixels beyond the analytics setups (Google Analytics and the Reddit Pixel) described in Section 5.
- We do not sell or rent your information to anyone.
- We do not maintain profiles about you based on your behavior outside our service.
3. Why we collect it
We use the information we collect only to:
- Provide, maintain, and improve the service.
- Authenticate you and protect your account.
- Process your subscription and send related billing notices.
- Send transactional emails, including reminder emails you've opted into and notices about important changes to the service or your account.
- Generate personalized recommendations about benefits, transfer bonuses, and redemptions based on the cards and balances you've shared with us.
- Respond to support questions you send us.
- Detect and prevent fraud, abuse, and security incidents.
- Comply with legal obligations.
4. Who we share it with
We share personal information only with the service providers we need to operate the service, and only to the minimum extent necessary. These providers act as "processors" on our behalf and are contractually obligated to handle your data only to provide services to us.
- Stripe — processes payments. Stripe receives your name, email, and payment details directly; we receive only a customer ID and subscription status from Stripe.
- Supabase — hosts our database and authentication. Stores your account info, card selections, balances, email preferences, dream trips, and referral records.
- Resend — sends transactional emails (welcome, reminders, confirmations) and our weekly newsletter (The Move). Receives your email address and email content.
- Netlify — hosts the website and serverless functions. Processes HTTP requests you make to the service.
- Cloudflare — provides DNS and content delivery. Processes network metadata for requests.
- Google (Analytics) — provides website analytics (Google Analytics 4). Receives anonymized interaction data — pages viewed, approximate location (city level), device and browser type, and how you arrived at the site. See Section 5 for details and opt-out instructions.
- Reddit — when we run ads on Reddit, the Reddit Pixel on our site reports page visits and signups back to Reddit Ads so we can measure campaign performance. Receives event data (pages viewed, signup completions) and a cookie-based identifier. See Section 5 for details and opt-out instructions.
We may also share information (a) with your consent, (b) to comply with a lawful legal request, (c) to protect our rights, property, or safety or that of others, or (d) in connection with a merger, acquisition, or sale of assets, in which case you'll be notified and any new owner will be bound by this policy (or provide equivalent protection).
5. Cookies and similar technologies
We use cookies and local-storage items in two categories:
5.1 Essential cookies (always on)
- An authentication session cookie set by Supabase when you sign in, so you don't have to log in on every visit.
- Small functional cookies that Netlify and Cloudflare may set for security, rate limiting, and request routing.
These are necessary to operate the service and cannot be turned off without breaking core functionality.
5.2 Analytics cookies (Google Analytics 4)
We use Google Analytics 4 (GA4), a web analytics service provided by Google, to understand how visitors interact with the site so we can improve it. GA4 sets cookies that collect information such as:
- Pages you view and how long you spend on each.
- Your approximate location (city level, derived from IP address).
- The device, browser, and operating system you use.
- How you arrived at the site (for example, from a search engine, a referral link, or directly).
GA4 sends this data to Google's servers, where it is processed in accordance with Google's Privacy Policy. We use the data only in aggregate — to see how many visitors we're getting, where they come from, and which parts of the site they engage with. We do not use GA4 to identify individual users or build personal profiles for advertising.
If you prefer not to be tracked by Google Analytics, you have several options:
- Install the Google Analytics Opt-Out Browser Add-on, which Google provides for all major browsers.
- Use a browser that blocks tracking cookies by default (Brave, Firefox with strict privacy settings, Safari with cross-site tracking prevention).
- Use a privacy-focused browser extension or ad blocker that blocks analytics scripts.
- Clear cookies in your browser settings; note that if you clear the Supabase auth cookie, you'll also be signed out.
5.3 Advertising measurement cookies (Reddit Pixel)
When we run ads on Reddit, we use the Reddit Pixel — a small piece of tracking code provided by Reddit — to measure whether our ads are working. The pixel sets cookies that report two things back to Reddit:
- When you visit our site (a "page visit" event).
- When you complete a signup (a "signup" event).
Reddit uses this data to attribute ad clicks to outcomes and to help us optimize our campaigns. The pixel does not collect personal information like your name or email — only event signals and a cookie-based identifier. Data is processed in accordance with Reddit's Privacy Policy.
If you prefer not to be tracked by the Reddit Pixel, you have several options:
- Adjust your Reddit privacy settings to limit personalized advertising (if you have a Reddit account).
- Use a browser that blocks tracking cookies by default (Brave, Firefox with strict privacy settings, Safari with cross-site tracking prevention).
- Use a privacy-focused browser extension or ad blocker that blocks tracking pixels.
- Clear cookies in your browser settings; note that if you clear the Supabase auth cookie, you'll also be signed out.
6. Where your data is stored
Your data is stored on servers located in the United States, operated by the providers listed above. Stripe, Supabase, Resend, Netlify, Cloudflare, Google, and Reddit all have their own appropriate security measures in place.
7. How long we keep it
We retain your account data for as long as your account is active. If you delete your account:
- Your profile, cards, balances, preferences, dream trips, and referral records are deleted from our database, typically within 30 days.
- Transactional records required for tax, legal, or fraud-prevention purposes (for example, Stripe's payment records) are retained for as long as legally required, usually 7 years.
- Backups are rotated on a regular schedule and the data they contain is deleted within that rotation window.
You can delete your account at any time from your account settings, or by emailing contact@thepointsplanner.com.
8. Your rights and choices
Regardless of where you live, you can always:
- Access: ask us for a copy of the data we hold about you.
- Correct: update your name, email, cards, and balances directly in your account settings, or email us.
- Delete: delete your account and associated data.
- Opt out of emails: disable reminder emails in your email preferences; transactional emails (billing confirmations, security notices) will still be sent.
- Complain: contact us if you think we've mishandled your data.
If you're a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we've collected and to request deletion. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. To exercise your rights, email contact@thepointsplanner.com.
The service is intended for users in the United States, but the same rights listed above will be honored regardless of where you live.
9. Children
The service is for adults — you must be 18 or older to use it. We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account, please email contact@thepointsplanner.com and we'll delete it.
10. Security
We take data security seriously:
- All traffic to and from the service is encrypted with HTTPS.
- Your password is hashed using industry-standard algorithms before being stored.
- Access to production data is limited to the operator of the service and the service providers listed above.
- We never store credit card numbers or banking credentials.
No system is perfectly secure. If we learn of a security incident that affects your personal information, we'll notify you as required by applicable law.
11. Changes to this policy
We may update this policy from time to time. If we make a material change, we'll post a notice on the service or email you before the change takes effect. The "Last updated" date at the top reflects the most recent revision.
12. Contact
Questions about this policy or your data? Email contact@thepointsplanner.com.
The Points Planner LLC
447 Sutter St, Ste 506 - 1013
San Francisco, CA 94108
United States