Privacy Policy
PointSmart is operated by MFlash, Inc. ("we", "us"). This policy explains what data we collect when you use pointsmart.app, why we collect it, who we share it with, and how to control it. Plain English, no dark patterns.
1. What we collect
- Trip search inputs you type: origin, destination, dates, "stay in" location, trip type. We send these to our search providers (see Section 3) to fetch results. We don't link them to your identity.
- Card and balance data you enter: the credit cards you select and any point balances you type are stored only in your browser's localStorage on your device. We never receive a copy.
- Saved trips: same — your device only, never sent to our servers.
- Aggregate usage analytics: via Vercel Analytics (page views, country, referrer). No cookies, no PII, no fingerprinting. Used to understand which features are used.
- Performance metrics: via Vercel Speed Insights (page load timings). No personal data.
- Server logs: when your browser calls our API endpoints, Vercel records IP address and timestamp for security and rate-limiting. Logs are auto-deleted after 30 days.
2. What we do not collect
- We do not require an account.
- We do not collect your name, email, address, or payment information.
- We do not set tracking cookies.
- We do not run third-party advertising trackers.
- We do not sell or share data with data brokers.
3. Third parties we send data to
When you search a trip, we forward the necessary query data to:
- Duffel (privacy policy) — fetches real flight and hotel inventory.
- Anthropic (privacy policy) — used for AI-assisted features (best-deal reasoning, card lookup, daily sign-up bonus refresh).
- OpenStreetMap Nominatim (privacy policy) — used when you type a custom "stay in" location to convert it to coordinates.
- jsDelivr CDN — serves the world map TopoJSON file.
- Vercel (privacy policy) — our hosting provider.
When you click an outbound link (Booking.com, Hotels.com, Agoda, Skyscanner, Kayak, an airline, a credit card issuer, etc.), you leave PointSmart and that destination's own privacy policy and cookies apply.
4. Affiliate tracking
Some outbound links contain affiliate identifiers so the partner can attribute the booking or card application to us and pay a commission. This identifier is included in the URL and is visible on hover. It does not include any data about you. We earn nothing if you visit those sites directly. See our Advertiser Disclosure for the full list.
5. Cookies and storage
PointSmart does not set tracking cookies. We use your browser's localStorage to remember your selected credit cards, point balances, saved trips, and light/dark theme preference. This data never leaves your device. You can clear it any time via your browser's "Clear site data" option.
6. Your rights
Because we don't hold personal data tied to you, there's typically nothing for us to retrieve, correct, or delete. Specifically:
- Access: the only data we hold about your in-app activity is the aggregate analytics described in Section 1; no per-user record exists.
- Deletion: clear your browser's site data to wipe localStorage.
- Email us at contact@pointsmart.app if you believe data about you is held in error.
If you are in the EU/UK, the legal basis for the limited processing we do is legitimate interest (operating the service, debugging) per GDPR Art. 6(1)(f). If you're in California, you have rights under CCPA — but again, we hold no personal data tied to you, so requests resolve to "no record".
7. Children
PointSmart is not directed at children under 13 and we do not knowingly collect data from them.
8. Changes to this policy
If we make material changes, we'll update the "Last updated" date above and, where the change affects an existing user, post a notice in the app.
9. Contact
Privacy or data questions: contact@pointsmart.app
Postal: MFlash, Inc., 112 West 9th Street, Los Angeles, CA 90015, USA