Privacy Policy
Last updated: July 12, 2026
What we collect
PointPile collects the minimum needed to track your card benefits and tell you which card to use:
- Account information from Google sign-in (name, email address)
- Your card portfolio: which card products you hold, an optional nickname, the last four digits (optional, for telling twins apart), open/close dates, and annual-fee renewal dates
- Benefit usage you record: credits marked used or dismissed, quarterly-category activations, signup-bonus spending progress, and earning-cap spend you log
- Application history you provide for eligibility tracking (issuer, product, applied/opened/closed dates, bonus history)
- If you sign in without an invitation, your email address is kept as a waitlist entry so we can contact you when access opens, along with a one-way (SHA-256) hash of your IP address used only for abuse prevention — the address itself is not stored, and the hash is deleted with the waitlist entry
What we never collect
PointPile does not connect to your bank or card accounts. We never ask for, and never store, online banking credentials, full card numbers, CVVs, transaction feeds, or Social Security numbers. Everything in PointPile is portfolio metadata you enter yourself.
How we use it
Your data is used to compute card recommendations, track credit deadlines and capture rate, and send you digest emails about expiring value. We do not sell your data and we do not use it for advertising.
Third-party services
- Supabase — Authentication and database. Your data lives in a Supabase-hosted PostgreSQL database with row-level security: each household can only read its own rows.
- Google — Sign-in only (OAuth). We receive your name and email address; PointPile requests no other Google data.
- Anthropic (Claude) — Used to research the public card-benefits catalog (issuer benefit guides and terms). Your personal data — portfolio, usage, application history — is not sent to any AI service.
- Fastmail or Resend — Sends the digest emails. Your email address and the digest contents pass through the configured email provider (Fastmail SMTP today; Resend is the supported alternative).
- Fly.io & Cloudflare — Hosting and content delivery. Standard server logs (IP address, user agent) are processed to serve and protect the site.
Data security
All traffic is served over HTTPS with HSTS. Database access is enforced through row-level security policies, so households are isolated from each other at the database layer. Access during the private beta is limited to an email allowlist.
Data retention
Your data is retained while your account is active. You can request full deletion of your account, your household's data, or your waitlist entry at any time by emailing [email protected].
Contact
Questions about this policy? Reach out at [email protected].