← Back to home

Privacy Policy

Last updated: July 12, 2026

What we collect

PointPile collects the minimum needed to track your card benefits and tell you which card to use:

  • Account information from Google sign-in (name, email address)
  • Your card portfolio: which card products you hold, an optional nickname, the last four digits (optional, for telling twins apart), open/close dates, and annual-fee renewal dates
  • Benefit usage you record: credits marked used or dismissed, quarterly-category activations, signup-bonus spending progress, and earning-cap spend you log
  • Application history you provide for eligibility tracking (issuer, product, applied/opened/closed dates, bonus history)
  • If you sign in without an invitation, your email address is kept as a waitlist entry so we can contact you when access opens, along with a one-way (SHA-256) hash of your IP address used only for abuse prevention — the address itself is not stored, and the hash is deleted with the waitlist entry

What we never collect

PointPile does not connect to your bank or card accounts. We never ask for, and never store, online banking credentials, full card numbers, CVVs, transaction feeds, or Social Security numbers. Everything in PointPile is portfolio metadata you enter yourself.

How we use it

Your data is used to compute card recommendations, track credit deadlines and capture rate, and send you digest emails about expiring value. We do not sell your data and we do not use it for advertising.

Third-party services

  • Supabase — Authentication and database. Your data lives in a Supabase-hosted PostgreSQL database with row-level security: each household can only read its own rows.
  • Google — Sign-in only (OAuth). We receive your name and email address; PointPile requests no other Google data.
  • Anthropic (Claude) — Used to research the public card-benefits catalog (issuer benefit guides and terms). Your personal data — portfolio, usage, application history — is not sent to any AI service.
  • Fastmail or Resend — Sends the digest emails. Your email address and the digest contents pass through the configured email provider (Fastmail SMTP today; Resend is the supported alternative).
  • Fly.io & Cloudflare — Hosting and content delivery. Standard server logs (IP address, user agent) are processed to serve and protect the site.

Data security

All traffic is served over HTTPS with HSTS. Database access is enforced through row-level security policies, so households are isolated from each other at the database layer. Access during the private beta is limited to an email allowlist.

Data retention

Your data is retained while your account is active. You can request full deletion of your account, your household's data, or your waitlist entry at any time by emailing [email protected].

Contact

Questions about this policy? Reach out at [email protected].