PointAlchemy

Privacy Policy

Last updated: April 20, 2026

This policy explains what we collect, why we collect it, and what we do (and don't do) with it. If anything here is unclear, email privacy@pointalchemy.comand we'll walk you through it.

1. Information We Collect

Account Information

When you create an account we collect your name, email address, and a securely hashed password if you sign up with email. If you sign in with Google, we receive your name, email, and profile picture from Google.

Financial Data (via Plaid)

When you connect a credit card through Plaid, we receive transaction amounts, dates, merchant names, and merchant categories, plus basic account metadata like the institution name, account nickname, last four digits, and account type. That data is what lets us tell you which card earned the most rewards on each purchase and build your optimization reports. We do not pull or store your account balances.

We do notreceive your full account numbers, full card numbers, CVV, expiration date, online banking credentials, Social Security Number, routing number, identity documents, investment holdings, or loan terms. Plaid handles the bank login itself, so we never see those credentials. We also configure Plaid Link to show you credit card accounts only. Checking, savings, loan, and investment accounts don't appear as selectable options.

Plaid is our data processor and operates under our agreement with them and their own End User Privacy Policy. You can review or revoke any app's access to your bank data at my.plaid.com (the Plaid Portal). Under CFPB Section 1033, your authorization to share data with us is valid for up to 12 months from your most recent authorization. We'll prompt you to re-authorize before that window closes.

User-Entered Data

You can manually enter credit cards, loyalty program point balances, travel preferences, and spending estimates. We use this only to produce recommendations for you.

Payment Information

Subscription payments run through Stripe. PointAlchemy does not store your payment card number, expiration date, or CVV. Stripe's privacy policy covers how they handle that data.

Usage Data

We collect basic usage data such as pages visited, features used, and error logs so we can find bugs and improve the product. Your browser's localStorage holds UI preferences like view settings. We do not run advertising cookies or third-party tracking networks.

2. How We Use Your Information

  • To run the Service: transaction enrichment, card recommendations, optimization reports.
  • To process your subscription payments.
  • To send transactional emails (account verification, password reset, subscription confirmations).
  • To send the PointAlchemy newsletter, if you opted in. You can unsubscribe at any time.
  • To detect and stop fraud, abuse, and security incidents.
  • To help you with support questions and billing issues.
  • To improve the product using aggregated, anonymized usage patterns.

Authorized PointAlchemy staff may look at your account, card portfolio, or transaction data when it's needed to run the Service, help you with a support request, or verify data accuracy. Access is limited to people with a real operational reason to see it, and every access is logged in an internal audit trail.

3. Data Sharing & Subprocessors

We do not sell, rent, or trade your personal information. We share your data only with the following service providers, who act on our behalf under written agreements that hold them to at least the same confidentiality and security standards described here:

  • Plaid: financial account connection and transaction retrieval. Plaid is our data processor and is separately governed by the Plaid End User Privacy Policy.
  • Stripe: subscription payment processing.
  • Resend: transactional and newsletter email delivery.
  • Sentry: application error monitoring. PII is scrubbed from event payloads before they leave our infrastructure.
  • Neon: managed PostgreSQL database hosting.
  • Vercel: web application hosting and content delivery.
  • NextAuth.js / Google OAuth: authentication for Google sign-in.

We do not sell, rent, or trade your personal information. Your individual transaction data, point balances, and card portfolio are never shared with card issuers, loyalty programs, advertisers, or any other third party. We may publish aggregated, anonymized statistics that cannot identify an individual user, like industry averages or trends.

4. Affiliate Links

Some credit card links on the Service are affiliate links. When you click one, the destination site may collect information about your visit. We do not share your PointAlchemy account data with any affiliate partner. Affiliate relationships are disclosed in line with FTC guidelines.

5. Data Security

We take a layered approach to keeping your data safe. Plaid access tokens and other sensitive values are encrypted at rest with AES-256-GCM. Passwords are hashed with bcrypt at 12 rounds. All data in transit uses TLS 1.2 or higher. Rate limits on authentication and administrative endpoints fail closed rather than letting abuse through. Incoming webhooks are signature-verified. Admin access follows a least-privilege role model, with per-admin audit logging. Error-monitoring payloads are scrubbed of personally identifiable information, access tokens, and authentication headers before they leave our infrastructure. No method of transmission or storage is perfectly secure, but we design with the assumption that every layer will eventually be tested.

Breach Notification

If a security breach affects your personal data, we'll notify you without undue delay, and no later than 30 days after discovery (or sooner if applicable law requires it). The notice will describe what happened, what data was involved, what we've done to fix it, and what you can do to protect yourself.

6. Data Retention

We keep your account data and Plaid-derived transaction history for as long as your account is active, because the product's historical charts and optimization reports rely on long-running history. When you disconnect a card, we permanently delete the transactions and linked-card records tied to that connection within 60 seconds. When you delete your account, a cascading delete removes everything attached to it within 60 seconds (transactions, cards, reports, point balances, household memberships, notifications, and subscription metadata). Authorization and revocation records stay for at least three years to satisfy CFPB Section 1033 record-keeping. Operational logs (webhook events, job runs, email events) are capped at 90 days. See our Data Retention Policy for the full picture.

7. Your Rights

You can always:

  • Access your data through your dashboard, transaction list, and export features.
  • Export your transaction data as CSV.
  • Delete your account (and everything tied to it) from Settings.
  • Disconnect linked financial accounts anytime.
  • Unsubscribe from marketing emails using the link at the bottom of any email.
  • Opt out of the newsletter in your account settings.

California residents (CCPA/CPRA): California law gives you a few extra rights:

  • Right to Know: ask for a copy of the personal information we've collected about you in the last 12 months.
  • Right to Delete: ask us to delete your personal information. You can do this yourself from Settings, or email us.
  • Right to Opt Out of Sale: we don't sell your personal information to anyone.
  • Right to Non-Discrimination: we won't hold it against you for exercising any of these rights.

To exercise any of these rights, email privacy@pointalchemy.com. We'll respond to verifiable requests within 30 days, or sooner if applicable law requires. If we need more time (up to the 45-day maximum CCPA allows), we'll let you know in writing within the first 30 days.

8. Cookies and Local Storage

PointAlchemy uses essential cookies for authentication session management (NextAuth session tokens). Your browser's localStorage holds UI preferences like view mode. We do not use advertising cookies, tracking pixels, or any third-party analytics that sets cookies.

9. Children's Privacy

The Service isn't intended for anyone under 18, and we don't knowingly collect data from children. If we find out we've collected information from someone under 18, we'll delete it right away.

10. International Users

The Service is hosted in the United States. If you're using it from somewhere else, your information will be transferred to and processed here. By using PointAlchemy, you're agreeing to that transfer.

11. Changes to This Policy

We may update this policy from time to time. If we make a meaningful change, we'll post the updated version on this page with a new “Last updated” date. Continuing to use the Service after a change means you accept the update.

12. Contact Us

Any privacy questions, or ready to exercise one of your rights? Email us at privacy@pointalchemy.com.