Privacy Policy
PointSmart is operated by MFlash, Inc. ("we", "us"). This policy explains what data we collect when you use pointsmart.app, why we collect it, who we share it with, and how to control it. Plain English, no dark patterns.
1. What we collect
- Trip search inputs you type: origin, destination, dates, "stay in" location, trip type. We send these to our search providers (see Section 3) to fetch results. We don't link them to your identity.
- Card and balance data you enter: the credit cards you select and any point balances you type are stored only in your browser's localStorage on your device. We never receive a copy.
- Saved trips: same — your device only, never sent to our servers.
- Email address — only if you set up a price-drop "Watch this trip" alert: when you opt in to watch a trip, we store your email address together with that trip's route, dates, and price so we can email you if the fare drops. This is the only feature that sends personal data to our servers, and it's entirely opt-in. We use the email solely to send alerts for the trips you asked us to watch. Every alert email has a one-tap unsubscribe link that deactivates the watch. We do not use watch emails for marketing unrelated to your watched trips, and we don't sell or share them.
- Aggregate usage analytics: via Vercel Analytics (page views, country, referrer). No cookies, no PII, no fingerprinting. Used to understand which features are used.
- Custom feature events: via Vercel Analytics. When you submit a search, save a trip, add a card, switch theme, or click a "Book" / "Apply" / "Inspire" button, we record the event name plus non-personal context (e.g. airport codes for a search, card issuer name for a card-add, destination airline for a book-click). No names, emails, IDs, balances, or other personal data are sent. We use these to understand the user funnel and prioritize fixes.
- Performance metrics: via Vercel Speed Insights (page load timings). No personal data.
- Error monitoring: via Sentry. When the app throws an error in your browser, we send the stack trace, the URL you were on, the build identifier, and minimal browser context (browser version, OS, viewport size) so we can fix bugs. We have personally-identifiable info collection (sendDefaultPii) explicitly turned off; session replay is turned off; and we drop known third-party browser-extension noise before transmission. Sentry retains error data for 90 days by default.
- Server logs: when your browser calls our API endpoints, Vercel records IP address and timestamp for security and rate-limiting. Logs are auto-deleted after 30 days.
2. What we do not collect
- We do not require an account.
- We do not collect your name, address, or payment information. We collect an email address only if you voluntarily opt in to a "Watch this trip" price alert (see Section 1).
- We do not set tracking cookies.
- We do not run third-party advertising trackers.
- We do not sell or share data with data brokers.
3. Third parties we send data to
When you search a trip, we forward the necessary query data to:
- Duffel (privacy policy) — fetches real flight and hotel inventory.
- Anthropic (privacy policy) — used for AI-assisted features (best-deal reasoning, card lookup, daily sign-up bonus refresh).
- OpenStreetMap Nominatim (privacy policy) — used when you type a custom "stay in" location to convert it to coordinates.
- jsDelivr CDN — serves the world map TopoJSON file.
- Vercel (privacy policy) — our hosting provider and analytics processor.
- Sentry (privacy policy) — receives JavaScript error reports from your browser when the app crashes, so we can debug. PII collection is disabled, session replay is disabled.
- Neon (privacy policy) — our database provider. Stores "Watch this trip" alert records (your email + the route/dates/price you asked us to watch). Only used if you opt in to a price alert.
When you click an outbound link (Booking.com, Hotels.com, Agoda, Skyscanner, Kayak, an airline, a credit card issuer, etc.), you leave PointSmart and that destination's own privacy policy and cookies apply.
4. Affiliate tracking
Some outbound links contain affiliate identifiers so the partner can attribute the booking or card application to us and pay a commission. This identifier is included in the URL and is visible on hover. It does not include any data about you. We earn nothing if you visit those sites directly. See our Advertiser Disclosure for the full list.
5. Cookies and storage
PointSmart does not set tracking cookies. We use your browser's localStorage to remember your selected credit cards, point balances, saved trips, and light/dark theme preference. This data never leaves your device. You can clear it any time via your browser's "Clear site data" option.
6. Your rights
The only personal data we hold tied to you is an email address, and only if you set up a "Watch this trip" alert. Aside from that, we hold no per-user record. Specifically:
- Access: outside of any active trip-watch you created, all data we hold about your in-app activity is the aggregate analytics described in Section 1; no per-user record exists.
- Deletion (watches): click the unsubscribe link in any price-alert email to deactivate that watch. To remove your email entirely, email us at contact@pointsmart.app and we'll delete all watches associated with it.
- Deletion (device data): clear your browser's site data to wipe localStorage (cards, balances, saved trips, theme).
- Email us at contact@pointsmart.app for any access, correction, or deletion request.
If you are in the EU/UK, the legal basis for processing a watch email is consent (GDPR Art. 6(1)(a), which you can withdraw any time via the unsubscribe link); for the limited analytics and debugging processing it is legitimate interest (GDPR Art. 6(1)(f)). If you're in California, you have rights under CCPA; we honor deletion requests for watch emails and hold no other personal data tied to you.
7. Children
PointSmart is not directed at children under 13 and we do not knowingly collect data from them.
8. Changes to this policy
If we make material changes, we'll update the "Last updated" date above and, where the change affects an existing user, post a notice in the app.
9. Contact
Privacy or data questions: contact@pointsmart.app
Postal: MFlash, Inc., 112 West 9th Street, Los Angeles, CA 90015, USA