Legal

Privacy Policy

Effective Date: April 2026  ·  Last Updated: April 25, 2026

ChainPoints (chainpoints.app) is a Chrome browser extension that overlays Google Flights with personalized credit card points transfer recommendations. This Privacy Policy explains what personal information we collect when you use ChainPoints, how we use it, with whom we share it, and what rights you have over it. Please read it carefully.

1. Interpretation and Definitions

Interpretation

Words with capitalized initial letters have the meanings defined below. These definitions apply whether the terms appear in singular or plural form.

Definitions

  • Account — a unique account created for You to access the Service or parts of the Service.
  • Affiliate — an entity that controls, is controlled by, or is under common control with a party, where "control" means ownership of 50% or more of the voting securities.
  • Chrome Extension — the ChainPoints browser extension available on the Chrome Web Store that overlays Google Flights with points transfer recommendations.
  • Company (referred to as "we," "us," or "our") — ChainPoints (operated by WayPoints Lab LLC).
  • Device — any device that can access the Service, such as a computer or mobile device.
  • GDPR — the EU General Data Protection Regulation 2016/679.
  • CCPA/CPRA — the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020.
  • Personal Data — any information relating to an identified or identifiable individual. Under GDPR this includes any identifier such as a name, ID number, location data, or online identifier. Under CCPA/CPRA this includes any information that identifies, relates to, or could reasonably be linked with a particular consumer or device.
  • Search Data — the anonymized airline route and travel date associated with a flight you view while using the Chrome Extension.
  • Service — the ChainPoints Chrome Extension and the chainpoints.app website, collectively.
  • Service Provider — any third-party company or individual that processes data on our behalf to facilitate or improve the Service.
  • Usage Data — data collected automatically from your use of the Service, such as the number of searches performed.
  • Wallet Data — the credit card program names, loyalty program names, and points balances you manually enter into the Service.
  • You — the individual accessing or using the Service.

2. What We Collect

We collect only the data required to provide the Service, process your subscription, and improve the product. Below is an exhaustive list of what we collect and why.

Account Information

When you create an account, we collect your email address and a hashed password. You may also sign in using your Google account via OAuth, in which case we receive your email address and basic profile information (name and profile picture) from Google. We do not receive your Google password. We do not currently support sign-in via Apple or other third-party authentication providers.

Wallet Data

The Service allows you to manually enter the names of your credit card rewards programs (e.g., Chase Ultimate Rewards, Amex Membership Rewards) and the point balances you hold in those programs, as well as any airline or hotel loyalty program balances. This data is used to calculate personalized transfer paths.

We never connect to your bank or financial institution. We never collect actual credit card numbers, CVV codes, expiration dates, bank account numbers, or any financial credentials.

Search Data

When you use the Chrome Extension on Google Flights, we record the airline route (origin and destination airport codes) and travel date associated with flights you view. This data is stored in your account and linked to your user ID for the following purposes:

  • To avoid counting the same search twice toward your monthly search limit, and to carry forward your remaining monthly usage count if you delete and re-create your account within the same 30-day window.
  • To recommend the most appropriate subscription tier based on your search patterns (e.g., whether you primarily search domestic or international routes).
  • To send you relevant account communications, such as a targeted offer to upgrade to Pro if you frequently search routes where Pro features provide significant additional value.

We do not record the cash prices of flights you view, the specific flights you click on, or any other browsing activity beyond the route and date described above.

Usage Data

We collect a monthly count of the number of award searches you perform. This count is used to enforce free-tier search limits and to determine eligibility for Pro features. We do not record timestamps or sequences of individual searches.

Subscription and Billing Information

We collect and store your subscription status (Free or Pro), your billing period, and a customer identifier issued by our payment processor. We do not store full payment card numbers. All payment card data is handled exclusively by our third-party payment processor and is subject to their privacy policy and PCI-DSS compliance obligations.

Device and Technical Data

Our website and extension may collect standard technical data including your browser type and version, operating system, and IP address. This data is used for security, fraud prevention, and basic operational diagnostics.

Error and Crash Data

We use an error monitoring service to capture technical error reports when the Service crashes or malfunctions. These reports may include a stack trace and, in some cases, contextual data about the state of the application at the time of the error (such as which feature you were using). We take steps to minimize the inclusion of personal data in error reports, but some incidental user context may be captured.

Analytics Data

We use a third-party analytics provider to understand how users interact with the chainpoints.app website. Analytics data may include pages visited, features used, session duration, and similar behavioral data. This data is used in aggregate to improve the product and is not used to build individual user profiles for advertising purposes.

Affiliate Interaction Data

When you click a "Proceed to Booking" link within the Service that navigates you to an airline or travel booking partner's website, we and/or our affiliate partner may record that a click occurred and, if a qualifying booking is completed, attribute a commission to ChainPoints. We do not receive details of your booking, your payment information, or any personal data entered on the third-party booking site. Affiliate click tracking is subject to the privacy practices of our affiliate network partner.

Communications Data

If you contact us by email, we retain the content of that correspondence to respond to your inquiry and to maintain a record of support interactions.

3. What We Do Not Collect

Never collected or stored

  • Credit card numbers, CVV codes, expiration dates, or any payment credentials.
  • Bank account credentials or any connection to your financial institution.
  • Your Google Flights browsing history, search history on other websites, or any general browsing activity outside the scope described in Section 2.
  • The full details of flights you view (cash price, flight number, departure time) — only the route and date.
  • Geolocation data.
  • Biometric identifiers.
  • Demographic data (race, ethnicity, national origin, religion, health information, or similar sensitive categories).
  • Data from social media accounts.

4. How We Use Your Data

We use the personal data we collect for the following purposes:

  • Providing and operating the Service — including calculating transfer paths, rendering overlay recommendations on Google Flights, and enforcing usage limits.
  • Account management — authenticating you and maintaining your account.
  • Subscription and billing — processing your Pro subscription, verifying your plan status, and sending payment receipts and renewal notices.
  • Transactional communications — sending account-related emails including welcome messages, password reset requests, and security notices.
  • Marketing communications — sending promotional emails, product updates, and special offers. You may opt out of marketing emails at any time by clicking the unsubscribe link in any such email or by contacting us. Opting out does not affect transactional communications.
  • Targeted upgrade communications — using your Search Data to identify when free-tier features are limiting your experience and sending you a targeted offer to upgrade to Pro. You may opt out as described above.
  • Product improvement — using aggregated, anonymized usage data to understand feature adoption and improve the Service.
  • Security and fraud prevention — monitoring for unauthorized access and protecting the integrity of the Service.
  • Legal compliance — fulfilling our obligations under applicable law.
  • Business transfers — in connection with a merger, acquisition, or sale of assets (see Section 7).

5. Tracking Technologies and Cookies

Website Cookies

The chainpoints.app website uses the following categories of cookies:

Category | Type | Purpose
Essential / Authentication | Session | Required to authenticate you and maintain your logged-in session. The Service cannot function without these.
Analytics | Persistent | Set by our analytics provider to measure website traffic and feature usage in aggregate. No personally identifiable information is included.
Affiliate Tracking | Persistent | Planned — not yet active. Will be set when you click a booking link, to attribute completed bookings to ChainPoints for commission purposes. This cookie will only be active once an affiliate program is live.

You can instruct your browser to refuse all cookies or to alert you when cookies are being sent. Disabling essential cookies will prevent you from using the authenticated portions of the Service.

Chrome Extension

The Chrome Extension does not use cookies. It uses Chrome's built-in secure local storage (chrome.storage.local) to cache your wallet data for performance. This data never leaves your browser except to sync with your account in our database when you are signed in.

Do Not Track

Our Service does not currently respond to Do Not Track (DNT) browser signals, as no uniform standard for DNT compliance has been adopted. We will update this section if that changes.

6. Data Retention

We retain your personal data for as long as your account is active or as necessary to provide the Service. Specifically:

  • Account deletion — when you request deletion of your account, we permanently delete your account information, wallet data, search data, and usage records immediately. We do not retain this data in backups after deletion is processed.
  • Usage tombstone — to prevent abuse of the free-tier monthly search limit, we retain a one-way cryptographic hash (SHA-256) of your email address and the number of searches you performed in the current month at the time of account deletion. This record is retained for 30 days and is used solely to ensure that deleting and re-registering with the same email address does not reset your monthly search count. The hash cannot be reversed to recover your email address. After 30 days it is automatically purged.
  • Inactive accounts — we do not currently have an automatic deletion policy for inactive accounts. We will notify you in advance if this changes.
  • Billing records — we may retain transaction records (amount, date, subscription tier) for the period required by applicable tax and accounting law, even after account deletion. These records do not include your wallet data or search history.
  • Error logs — crash and error reports are retained for a rolling period of 90 days before automatic deletion.
  • Communications — email correspondence with our support team is retained for 12 months.

7. Disclosure of Your Personal Data

Service Providers

We share your personal data with third-party Service Providers that help us operate the Service. These include providers of database and authentication infrastructure, backend API hosting, award pricing data, payment processing, error monitoring, analytics, and email delivery. Each Service Provider is contractually required to process your data only on our instructions, to maintain appropriate security measures, and not to use it for their own purposes.

We do not permit our Service Providers to sell your personal data.

Affiliate Partners

When you click a booking link, the affiliate network or booking partner may receive a click identifier and, if a booking is completed, a transaction reference. No personally identifiable information beyond what is standard in affiliate tracking (e.g., a pseudonymous click ID) is shared for this purpose.

Business Transfers

If the Company is involved in a merger, acquisition, asset sale, or similar transaction, your personal data may be transferred as part of that transaction. We will notify you via email or a prominent notice on the Service before your data becomes subject to a different privacy policy.

Legal Requirements

We may disclose your personal data if required to do so by law or in the good-faith belief that such disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend the rights or property of the Company; (c) prevent or investigate possible wrongdoing in connection with the Service; (d) protect the personal safety of users or the public; or (e) protect against legal liability.

International Transfers

Your data is processed primarily in the United States. If you are located in the European Economic Area (EEA) or United Kingdom, your data is transferred to and stored in a country whose data protection laws may differ from those in your jurisdiction. Where required by GDPR, we rely on Standard Contractual Clauses or other lawful transfer mechanisms to safeguard cross-border transfers.

8. Security

We use industry-standard technical and organizational measures to protect your personal data, including encryption in transit (TLS) and encryption at rest. Access to your data is restricted to personnel and systems that require it to operate the Service.

No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the appropriate authorities as required by applicable law.


9. GDPR Privacy (European Users)

If you are located in the European Economic Area or United Kingdom, the following additional provisions apply. The Company acts as the Data Controller for the personal data described in this Policy.

Legal Bases for Processing

We process your personal data on the following legal bases:

Processing Activity | Legal Basis
Account creation and authentication | Performance of a contract (Art. 6(1)(b) GDPR)
Wallet data and transfer path calculations | Performance of a contract (Art. 6(1)(b) GDPR)
Subscription and billing | Performance of a contract (Art. 6(1)(b) GDPR)
Transactional emails | Performance of a contract (Art. 6(1)(b) GDPR)
Search data (deduplication and tier recommendation) | Legitimate interests (Art. 6(1)(f) GDPR) — necessary to prevent abuse of usage limits and to provide relevant service recommendations
Targeted upgrade communications | Legitimate interests (Art. 6(1)(f) GDPR), subject to your right to object
Marketing emails and newsletters | Consent (Art. 6(1)(a) GDPR) — you may withdraw consent at any time
Analytics | Consent (Art. 6(1)(a) GDPR) via cookie consent
Error monitoring | Legitimate interests (Art. 6(1)(f) GDPR) — necessary to maintain service stability and security
Legal compliance and fraud prevention | Legal obligation (Art. 6(1)(c)) and legitimate interests (Art. 6(1)(f) GDPR)

Your Rights under GDPR

If you are in the EEA or UK, you have the following rights:

  • Right of access — to request a copy of the personal data we hold about you.
  • Right to rectification — to request correction of inaccurate or incomplete data.
  • Right to erasure — to request deletion of your data where there is no overriding legitimate reason to continue processing it.
  • Right to restriction — to request that we limit how we use your data in certain circumstances.
  • Right to data portability — to receive your data in a structured, commonly used, machine-readable format and to transmit it to another controller.
  • Right to object — to object to processing based on legitimate interests (including profiling) or for direct marketing purposes. Where you object to direct marketing, we will cease processing immediately.
  • Right to withdraw consent — where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint — you have the right to lodge a complaint with your local data protection authority in the EEA or with the Information Commissioner's Office (ICO) in the UK.

Exercising Your GDPR Rights

To exercise any of the above rights, contact us at support@chainpoints.app. We may ask you to verify your identity before responding. We will respond within 30 days, with a possible extension of an additional 30 days for complex requests (with prior notice).

10. CCPA/CPRA Privacy (California Residents)

This section applies to residents of California and supplements the information in this Policy.

Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information as defined under CCPA/CPRA:

Category | Examples | Collected
A: Identifiers | Email address, account ID, IP address | Yes
B: Personal information (Cal. Civ. Code § 1798.80(e)) | Name equivalent (email address used as identifier) | Yes
C: Protected classification characteristics | Race, gender, age, etc. | No
D: Commercial information | Subscription history, billing records | Yes
E: Biometric information | Fingerprints, facial recognition | No
F: Internet / network activity | Flight routes and dates searched via the Extension; website page visits | Yes
G: Geolocation data | Precise physical location | No
H: Sensory data | Audio, visual recordings | No
I: Professional or employment information | Job history | No
J: Education information | Academic records | No
K: Inferences | Profiles built from the above | No
L: Sensitive personal information | Account login credentials (email + password) | Yes

Sources of Personal Information

  • Directly from you — account registration, wallet data entry, and support correspondence.
  • Automatically — from your use of the Chrome Extension and website (search data, usage counts, technical data).
  • From Service Providers — error monitoring and analytics providers may supply processed technical data.

Business Purposes for Collection

We collect the categories listed above for the purposes described in Section 4 of this Policy.

Sale or Sharing of Personal Information

We do not sell your personal information in the traditional sense of the word. We do not exchange your personal data for monetary compensation. However, under the broad definition of "sale" in CCPA/CPRA, certain sharing with analytics and affiliate partners may constitute a sale or sharing. The categories that may be shared in this manner are: Category A (Identifiers) and Category F (Internet/network activity).

You have the right to opt out of the sale or sharing of your personal information. To exercise this right, contact us at support@chainpoints.app.

Your Rights under CCPA/CPRA

  • Right to know — to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom it has been shared.
  • Right to delete — to request deletion of your personal information, subject to certain exceptions (e.g., completing a transaction, legal compliance).
  • Right to correct — to request correction of inaccurate personal information.
  • Right to opt out of sale/sharing — as described above.
  • Right to limit use of sensitive personal information — to request that we limit our use of sensitive personal information (login credentials) to purposes necessary to provide the Service.
  • Right not to be discriminated against — we will not deny you the Service, charge you different prices, or provide a different level of service because you exercised any of these rights.

Exercising Your CCPA/CPRA Rights

To submit a verifiable consumer request, contact us at support@chainpoints.app. You or an authorized representative registered with the California Secretary of State may make a request. We will respond within 45 days, with a possible extension of an additional 45 days with prior notice.

Requests are free of charge. We will not respond to more than two requests per 12-month period per consumer.

California's Shine the Light Law (Cal. Civil Code § 1798.83)

California residents with an established business relationship may request, once per year, information about how we share personal data with third parties for their direct marketing purposes. To make such a request, contact us at support@chainpoints.app.

Minor Users (Cal. Business and Professions Code § 22581)

California residents under 18 who are registered users may request removal of content they have publicly posted. To request removal, contact us at support@chainpoints.app from the email address associated with your account. Note that removal may not be complete or comprehensive where the law does not require or permit it.

11. Children's Privacy

The Service is not directed to anyone under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@chainpoints.app and we will promptly delete the information. If we become aware that we have collected personal data from a child under 13 without verifiable parental consent, we will take steps to remove that information immediately.

If we need to rely on consent as a legal basis and your country requires parental consent, we may require your parent's or guardian's consent before collecting and using your data.

12. Links to Third-Party Websites

The Service contains links to airline booking sites, travel partner websites, and other third-party services. If you click a link and leave chainpoints.app or the Extension's context, you will be subject to the privacy policy of that third-party site. We have no control over and assume no responsibility for the content, privacy practices, or terms of any third-party sites.

We recommend reviewing the privacy policy of any site you visit before providing personal information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make a material change, we will notify you by email (if you have an account) and post a prominent notice on chainpoints.app prior to the change taking effect. The "Last Updated" date at the top of this page will reflect the most recent revision.

Your continued use of the Service after changes take effect constitutes your acceptance of the revised Policy. If you do not agree to the changes, you must stop using the Service and may request deletion of your account as described in Section 6.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Company

ChainPoints (operated by WayPoints Lab LLC)

Data Controller (GDPR)

ChainPoints (operated by WayPoints Lab LLC)

Also see our Terms of Service.