Launching in--DAYS·--HRS·--MIN·--SEC
ChainPointsChainPointsON TIME · ––:––
AboutHow it worksPricingFAQFeedback

Legal

Privacy Policy

Effective April 2026  ·  Last updated July 9, 2026

ChainPoints (chainpoints.app) is a Chrome browser extension that overlays Google Flights with personalized credit card points transfer recommendations. This Privacy Policy explains what personal information we collect when you use ChainPoints, how we use it, with whom we share it, and what rights you have over it. Please read it carefully.

1.Interpretation and Definitions

Interpretation

Words with capitalized initial letters have the meanings defined below. These definitions apply whether the terms appear in singular or plural form.

Definitions

  • –Account — a unique account created for You to access the Service or parts of the Service.
  • –Affiliate — an entity that controls, is controlled by, or is under common control with a party, where "control" means ownership of 50% or more of the voting securities.
  • –Booking Data — the trip details we store when you choose to save a trip or start a booking, as described in Section 2.
  • –Chrome Extension — the ChainPoints browser extension available on the Chrome Web Store that overlays Google Flights with points transfer recommendations.
  • –Company (referred to as "we," "us," or "our") — ChainPoints (operated by WayPoints Lab LLC).
  • –Device — any device that can access the Service, such as a computer or mobile device.
  • –GDPR — the EU General Data Protection Regulation 2016/679.
  • –CCPA/CPRA — the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020.
  • –Personal Data — any information relating to an identified or identifiable individual. Under GDPR this includes any identifier such as a name, ID number, location data, or online identifier. Under CCPA/CPRA this includes any information that identifies, relates to, or could reasonably be linked with a particular consumer or device.
  • –Referral Data — your referral code and the record of referrals you make or receive, as described in Section 2.
  • –Search Data — the airline route and travel date associated with a flight you view while using the Chrome Extension.
  • –Service — the ChainPoints Chrome Extension and the chainpoints.app website, collectively.
  • –Service Provider — any third-party company or individual that processes data on our behalf to facilitate or improve the Service.
  • –Usage Data — data collected automatically from your use of the Service, such as the number of searches performed and which features you use.
  • –Wallet Data — the credit card program names, loyalty program names, and points balances you manually enter into the Service.
  • –You — the individual accessing or using the Service.

2.What We Collect

We collect only the data required to provide the Service, process your subscription, and improve the product. Below is an exhaustive list of what we collect and why.

Account Information

When you create an account, we collect your email address and a hashed password. You may also sign in using your Google account via OAuth, in which case we receive your email address and basic profile information (name and profile picture) from Google. We do not receive your Google password. We do not currently support sign-in via Apple or other third-party authentication providers.

Wallet Data

The Service allows you to manually enter the names of your credit card rewards programs (e.g., Chase Ultimate Rewards, Amex Membership Rewards) and the point balances you hold in those programs, as well as any airline or hotel loyalty program balances. This data is used to calculate personalized transfer paths.

We never connect to your bank or financial institution. We never collect actual credit card numbers, CVV codes, expiration dates, bank account numbers, or any financial credentials.

Search Data

When you use the Chrome Extension on Google Flights, we record the airline route (origin and destination airport codes) and travel date associated with flights you view. This data is stored in your account and linked to your user ID for the following purposes:

  • –To avoid counting the same search twice toward your monthly search limit, and to carry forward your remaining monthly usage count if you delete and re-create your account within the same 30-day window.
  • –To recommend the most appropriate subscription tier based on your search patterns (e.g., whether you primarily search domestic or international routes).
  • –To send you relevant account communications, such as a targeted offer to upgrade to Pro if you frequently search routes where Pro features provide significant additional value.

While you are browsing flights, we do not record the cash prices shown, the specific flights you click on, or any other activity beyond the route and date described above. If you choose to save a trip or start a booking, we store that trip's details as described under Booking and Saved Trips below.

Booking and Saved Trips

When you choose to save a trip or begin booking one (for example, by selecting Proceed to Booking), we store a record of that trip so you can find it later in your account. That record includes the route, travel dates, cabin, number of travelers, the points and transfer steps we recommended, the flight's estimated cash price, and the estimated savings from paying with points instead of cash. We store this only for trips you actively choose to save or book. It is not created for flights you simply view. These records are kept for a limited time and are removed when you delete your account.

Usage Data

We collect a monthly count of the number of award searches you perform. This count is used to enforce free-tier search limits and to determine eligibility for Pro features. Individual product-usage events (such as a search being run or a booking page being opened) are also recorded as Analytics Data, described below.

Subscription and Billing Information

We collect and store your subscription status (Free or Pro), your billing period, and a customer identifier issued by our payment processor. We do not store full payment card numbers. All payment card data is handled exclusively by our third-party payment processor and is subject to their privacy policy and PCI-DSS compliance obligations.

Device and Technical Data

Our website and extension may collect standard technical data including your browser type and version, operating system, and IP address. This data is used for security, fraud prevention, and basic operational diagnostics.

Error and Crash Data

We use an error monitoring service to capture technical error reports when the Service crashes or malfunctions. These reports may include a stack trace and, in some cases, contextual data about the state of the application at the time of the error (such as which feature you were using). We take steps to minimize the inclusion of personal data in error reports, but some incidental user context may be captured.

Analytics Data

We use analytics providers to understand how users interact with the chainpoints.app website and the Chrome Extension. For the website, we use a product analytics provider and Google Analytics; analytics data may include pages visited, session duration, and similar behavioral data, and these tools load only after you accept cookies through our consent banner. For the Extension, this includes product-usage events such as running a live award search, viewing or switching booking options, selecting flights, and opening a booking page, together with the associated flight route and trip type. Analytics events never include your points balances, sign-in tokens, or full page addresses. When you are signed in, these product-usage events are associated with your account (your email and user ID) so we can understand how individual users experience the product and improve it, for example to see where free-tier limits get in your way and offer you a relevant upgrade. We do not sell this data. Our own analytics events are not used for advertising; the separate advertising pixel described below runs only with your consent.

Advertising Data

With your consent, the chainpoints.app website uses an advertising pixel from Meta (Facebook). It records that your browser visited our pages, along with standard device information, and we use it to measure how well our ads perform and to show ads for ChainPoints to people who have visited our site (retargeting). It never receives your points balances, wallet contents, or account details. The pixel does not load unless you accept cookies, and you can decline or withdraw your consent at any time using the consent banner or the cookie preferences link in Section 5.

Affiliate Interaction Data

When you click a "Proceed to Booking" link within the Service that navigates you to an airline or travel booking partner's website, we and/or our affiliate partner may record that a click occurred and, if a qualifying booking is completed, attribute a commission to ChainPoints. We do not receive details of your booking, your payment information, or any personal data entered on the third-party booking site. Affiliate click tracking is subject to the privacy practices of our affiliate network partner.

Communications Data

If you contact us by email, we retain the content of that correspondence to respond to your inquiry and to maintain a record of support interactions. If you submit feedback or a bug report through the app, we also collect your email address, the page you were on, basic information about your browser, and any screenshot you choose to attach, so we can understand and resolve the issue.

Referral Information

If you take part in our referral program, we store your referral code, a record of which accounts you referred and which account referred you, and any rewards you earn. We use this to operate the program and to prevent abuse such as self-referral or fake accounts.

Waitlist Information

If you join our waitlist, we collect your email address and, if you choose to tell us, how you heard about ChainPoints. We use this to let you know when access is available and to understand which channels bring people to us.

3.What We Do Not Collect

Never collected or stored

  • ✕Credit card numbers, CVV codes, expiration dates, or any payment credentials.
  • ✕Bank account credentials or any connection to your financial institution.
  • ✕Your Google Flights browsing history, search history on other websites, or any general browsing activity outside the scope described in Section 2.
  • ✕The flights you click and the cash prices shown while browsing, beyond the route and date. (If you choose to save or book a trip, that trip's details are stored as described in Section 2.)
  • ✕Geolocation data.
  • ✕Biometric identifiers.
  • ✕Demographic data (race, ethnicity, national origin, religion, health information, or similar sensitive categories).
  • ✕Data from social media accounts.

4.How We Use Your Data

We use the personal data we collect for the following purposes:

  • –Providing and operating the Service — including calculating transfer paths, rendering overlay recommendations on Google Flights, and enforcing usage limits.
  • –Account management — authenticating you and maintaining your account.
  • –Subscription and billing — processing your Pro subscription, verifying your plan status, and sending payment receipts and renewal notices.
  • –Transactional communications — sending account-related emails including welcome messages, password reset requests, and security notices.
  • –Marketing communications — sending promotional emails, product updates, and special offers. You may opt out of marketing emails at any time by clicking the unsubscribe link in any such email or by contacting us. Opting out does not affect transactional communications.
  • –Targeted upgrade communications — using your Search Data to identify when free-tier features are limiting your experience and sending you a targeted offer to upgrade to Pro. You may opt out as described above.
  • –Saved trips and bookings — storing trips you choose to save or book so you can view them later in your account, including the estimated savings from paying with points.
  • –Referral program — administering referral codes and rewards and preventing referral abuse such as self-referral or fake accounts.
  • –Waitlist and launch updates — letting you know when access is available and understanding which channels bring people to ChainPoints.
  • –Support and troubleshooting — reviewing feedback and bug reports, including any screenshot you attach, to diagnose and resolve issues.
  • –Product improvement — analyzing product-usage data, which for signed-in users is associated with your account, to understand feature adoption and improve the Service.
  • –Security and fraud prevention — monitoring for unauthorized access and protecting the integrity of the Service.
  • –Legal compliance — fulfilling our obligations under applicable law.
  • –Business transfers — in connection with a merger, acquisition, or sale of assets (see Section 7).

5.Tracking Technologies and Cookies

Website Cookies

The chainpoints.app website uses the following categories of cookies:

CategoryTypePurpose
Essential / AuthenticationSessionRequired to authenticate you and maintain your logged-in session. The Service cannot function without these.
AnalyticsPersistentSet by our analytics providers (our product analytics service and Google Analytics) to measure website traffic and feature usage. For signed-in users, usage events are associated with your account (email and user ID); we do not sell this data. Set only after you accept cookies in our consent banner.
Advertising (Meta Pixel)PersistentSet by the Meta (Facebook) pixel to measure the performance of our ads and to enable retargeting of site visitors. Set only after you accept cookies in our consent banner.
Consent PreferencePersistent (local storage)Remembers whether you accepted or declined analytics and advertising cookies, so we don't ask on every visit. Contains no personal data.
Affiliate TrackingPersistentPlanned — not yet active. Will be set when you click a booking link, to attribute completed bookings to ChainPoints for commission purposes. This cookie will only be active once an affiliate program is live.

Analytics and advertising cookies are optional: they are set only after you accept them in our consent banner, and declining them does not limit the Service. at any time to change your choice. You can also instruct your browser to refuse all cookies or to alert you when cookies are being sent. Disabling essential cookies will prevent you from using the authenticated portions of the Service.

Chrome Extension

The Chrome Extension does not use cookies. It uses Chrome's built-in secure local storage (chrome.storage.local) to cache your wallet data for performance. This data never leaves your browser except to sync with your account in our database when you are signed in.

Do Not Track

Our Service does not currently respond to Do Not Track (DNT) browser signals, as no uniform standard for DNT compliance has been adopted. We will update this section if that changes.

6.Data Retention

We retain your personal data for as long as your account is active or as necessary to provide the Service. Specifically:

  • –Account deletion — when you request deletion of your account, we permanently delete your account information, wallet data, search data, saved trips, and usage records immediately. We do not retain this data in backups after deletion is processed.
  • –Anti-abuse records — to enforce our free-tier limits and to prevent abuse of one-time offers such as promotional free access and referral rewards, we retain a small set of records after account deletion. Each stores a one-way cryptographic hash (SHA-256) of your email address, which cannot be reversed to recover the email, together with only the minimum information needed to enforce the relevant limit (for example, your remaining monthly search count, whether an email has already used a launch offer, or referral participation). The search-limit record is retained for 30 days and then automatically purged. The records that prevent repeat use of one-time promotional and referral offers are retained for as long as needed to enforce a single use per person. We retain no other personal data after deletion.
  • –Inactive accounts — we do not currently have an automatic deletion policy for inactive accounts. We will notify you in advance if this changes.
  • –Billing records — we may retain transaction records (amount, date, subscription tier) for the period required by applicable tax and accounting law, even after account deletion. These records do not include your wallet data or search history.
  • –Error logs — crash and error reports are retained for a rolling period of 90 days before automatic deletion.
  • –Communications — email correspondence with our support team is retained for 12 months.

7.Disclosure of Your Personal Data

Service Providers

We share your personal data with third-party Service Providers that help us operate the Service. These include providers of database and authentication infrastructure, backend API hosting, award pricing data, payment processing, error monitoring, analytics, and email delivery. Each Service Provider is contractually required to process your data only on our instructions, to maintain appropriate security measures, and not to use it for their own purposes.

We do not permit our Service Providers to sell your personal data.

Affiliate Partners

When you click a booking link, the affiliate network or booking partner may receive a click identifier and, if a booking is completed, a transaction reference. No personally identifiable information beyond what is standard in affiliate tracking (e.g., a pseudonymous click ID) is shared for this purpose.

Shared Trip Links

You can choose to create a shareable link to one of your saved trips. Anyone who has that link can view the trip details it contains, so share it only with people you trust. You can revoke a link at any time from your account.

Business Transfers

If the Company is involved in a merger, acquisition, asset sale, or similar transaction, your personal data may be transferred as part of that transaction. We will notify you via email or a prominent notice on the Service before your data becomes subject to a different privacy policy.

Legal Requirements

We may disclose your personal data if required to do so by law or in the good-faith belief that such disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend the rights or property of the Company; (c) prevent or investigate possible wrongdoing in connection with the Service; (d) protect the personal safety of users or the public; or (e) protect against legal liability.

International Transfers

Your data is processed primarily in the United States. If you are located in the European Economic Area (EEA) or United Kingdom, your data is transferred to and stored in a country whose data protection laws may differ from those in your jurisdiction. Where required by GDPR, we rely on Standard Contractual Clauses or other lawful transfer mechanisms to safeguard cross-border transfers.

8.Security

We use industry-standard technical and organizational measures to protect your personal data, including encryption in transit (TLS) and encryption at rest. Access to your data is restricted to personnel and systems that require it to operate the Service.

No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the appropriate authorities as required by applicable law.


9.GDPR Privacy (European Users)

If you are located in the European Economic Area or United Kingdom, the following additional provisions apply. The Company acts as the Data Controller for the personal data described in this Policy.

Legal Bases for Processing

We process your personal data on the following legal bases:

Processing ActivityLegal Basis
Account creation and authenticationPerformance of a contract (Art. 6(1)(b) GDPR)
Wallet data and transfer path calculationsPerformance of a contract (Art. 6(1)(b) GDPR)
Subscription and billingPerformance of a contract (Art. 6(1)(b) GDPR)
Transactional emailsPerformance of a contract (Art. 6(1)(b) GDPR)
Search data (deduplication and tier recommendation)Legitimate interests (Art. 6(1)(f) GDPR) — necessary to prevent abuse of usage limits and to provide relevant service recommendations
Targeted upgrade communicationsLegitimate interests (Art. 6(1)(f) GDPR), subject to your right to object
Marketing emails and newslettersConsent (Art. 6(1)(a) GDPR) — you may withdraw consent at any time
Analytics (website)Consent (Art. 6(1)(a) GDPR) via cookie consent
Advertising and retargeting (website pixel)Consent (Art. 6(1)(a) GDPR) via cookie consent — you may withdraw at any time
Analytics (Extension product usage)Legitimate interests (Art. 6(1)(f) GDPR) — measuring how signed-in users use features, associated with your account, to improve the Service; subject to your right to object
Error monitoringLegitimate interests (Art. 6(1)(f) GDPR) — necessary to maintain service stability and security
Legal compliance and fraud preventionLegal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f) GDPR)
Saved trips and bookingsPerformance of a contract (Art. 6(1)(b) GDPR)
Referral program and abuse preventionLegitimate interests (Art. 6(1)(f) GDPR) — operating a program you choose to join and preventing fraud
Waitlist sign-up and launch updatesConsent (Art. 6(1)(a) GDPR) — you may withdraw at any time
Feedback and bug reportsLegitimate interests (Art. 6(1)(f) GDPR) — diagnosing and resolving issues
Anti-abuse records retained after deletionLegitimate interests (Art. 6(1)(f) GDPR) — preventing repeat abuse of usage limits and one-time offers

Your Rights under GDPR

If you are in the EEA or UK, you have the following rights:

  • –Right of access — to request a copy of the personal data we hold about you.
  • –Right to rectification — to request correction of inaccurate or incomplete data.
  • –Right to erasure — to request deletion of your data where there is no overriding legitimate reason to continue processing it.
  • –Right to restriction — to request that we limit how we use your data in certain circumstances.
  • –Right to data portability — to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller.
  • –Right to object — to object to processing based on legitimate interests (including profiling) or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately.
  • –Right to withdraw consent — where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • –Right to lodge a complaint — you have the right to lodge a complaint with your local data protection authority in the EEA or with the Information Commissioner's Office (ICO) in the UK.

Exercising Your GDPR Rights

To exercise any of the above rights, contact us at support@chainpoints.app. We may ask you to verify your identity before responding. We will respond within 30 days, with a possible extension of an additional 30 days for complex requests (with prior notice).

10.CCPA/CPRA Privacy (California Residents)

This section applies to residents of California and supplements the information in this Policy.

Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information as defined under CCPA/CPRA:

CategoryExamplesCollected
A: IdentifiersEmail address, account ID, IP addressYes
B: Personal information (Cal. Civ. Code § 1798.80(e))Name equivalent (email address used as identifier)Yes
C: Protected classification characteristicsRace, gender, age, etc.No
D: Commercial informationSubscription history, billing records, saved trips and bookings you choose to create, referral participationYes
E: Biometric informationFingerprints, facial recognitionNo
F: Internet / network activityFlight routes and dates searched via the Extension; feature-usage events in the Extension; website page visitsYes
G: Geolocation dataPrecise physical locationNo
H: Sensory dataAudio, visual recordingsNo
I: Professional or employment informationJob historyNo
J: Education informationAcademic recordsNo
K: InferencesProfiles built from the aboveNo
L: Sensitive personal informationAccount login credentials (email + password)Yes

Sources of Personal Information

  • –Directly from you — account registration, wallet data entry, and support correspondence.
  • –Automatically — from your use of the Chrome Extension and website (search data, usage counts, technical data).
  • –From Service Providers — error monitoring and analytics providers may supply processed technical data.

Business Purposes for Collection

We collect the categories listed above for the purposes described in Section 4 of this Policy.

Sale or Sharing of Personal Information

We do not sell your personal information in the traditional sense of the word. We do not exchange your personal data for monetary compensation. However, under the broad definition of "sale" in CCPA/CPRA, certain sharing with analytics, advertising, and affiliate partners may constitute a sale or sharing. The categories that may be shared in this manner are: Category A (Identifiers) and Category F (Internet/network activity). In particular, if you accept cookies on our website, our advertising partner (Meta) receives website visit data for cross-context behavioral advertising.

You have the right to opt out of the sale or sharing of your personal information. The fastest way to opt out of advertising sharing is to decline cookies in our consent banner (or change your choice via the cookie preferences link in Section 5). You can also contact us at support@chainpoints.app.

Your Rights under CCPA/CPRA

  • –Right to know — to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom it has been shared.
  • –Right to delete — to request deletion of your personal information, subject to certain exceptions (e.g., completing a transaction, legal compliance).
  • –Right to correct — to request correction of inaccurate personal information.
  • –Right to opt out of sale/sharing — as described above.
  • –Right to limit use of sensitive personal information — to request that we limit our use of sensitive personal information (login credentials) to purposes necessary to provide the Service.
  • –Right not to be discriminated against — we will not deny you the Service, charge you different prices, or provide a different level of service because you exercised any of these rights.

Exercising Your CCPA/CPRA Rights

To submit a verifiable consumer request, contact us at support@chainpoints.app. You or an authorized representative registered with the California Secretary of State may make a request. We will respond within 45 days, with a possible extension of an additional 45 days with prior notice.

Requests are free of charge. We will not respond to more than two requests per 12-month period per consumer.

California's Shine the Light Law (Cal. Civil Code § 1798.83)

California residents with an established business relationship may request, once per year, information about how we share personal data with third parties for their direct marketing purposes. To make such a request, contact us at support@chainpoints.app.

Minor Users (Cal. Business and Professions Code § 22581)

California residents under 18 who are registered users may request removal of content they have publicly posted. To request removal, contact us at support@chainpoints.app from the email address associated with your account. Note that removal may not be complete or comprehensive where the law does not require or permit it.

11.Children's Privacy

The Service is not directed to anyone under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@chainpoints.app and we will promptly delete the information. If we become aware that we have collected personal data from a child under 13 without verifiable parental consent, we will take steps to remove that information immediately.

If we need to rely on consent as a legal basis and your country requires parental consent, we may require your parent's or guardian's consent before collecting and using your data.

12.Links to Third-Party Websites

The Service contains links to airline booking sites, travel partner websites, and other third-party services. If you click a link and leave chainpoints.app or the Extension's context, you will be subject to the privacy policy of that third-party site. We have no control over and assume no responsibility for the content, privacy practices, or terms of any third-party sites.

We recommend reviewing the privacy policy of any site you visit before providing personal information.

13.Changes to This Policy

We may update this Privacy Policy from time to time. When we make a material change, we will notify you by email (if you have an account) and post a prominent notice on chainpoints.app prior to the change taking effect. The "Last Updated" date at the top of this page will reflect the most recent revision.

Your continued use of the Service after changes take effect constitutes your acceptance of the revised Policy. If you do not agree to the changes, you must stop using the Service and may request deletion of your account as described in Section 6.

14.Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email

support@chainpoints.app

Company

ChainPoints (operated by WayPoints Lab LLC)

Data Controller (GDPR)

ChainPoints (operated by WayPoints Lab LLC)

Also see our Terms of Service.

Feedback·Privacy·Terms

© 2026 ChainPoints