Privacy Policy

Pointify Travel Technologies, Inc. (“Pointify,” “we,” “us,” or “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at pointifytravels.com, our mobile applications, APIs, and related services (collectively, the “Service”).

This policy complies with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

1. Information We Collect

1.1 Personal Information You Provide

When you create an account or use the Service, we may collect:

• Account information: Name, email address, phone number, and profile photo
• Payment information: Credit card details (processed and stored by Stripe; we do not store full card numbers)
• Passenger details: Names, dates of birth, passport numbers, and nationality for booking purposes
• Loyalty program information: Program names, membership numbers, and login credentials (encrypted)
• Communication data: Messages sent through our support channels

1.2 Search and Usage Data

We automatically collect data about how you use the Service:

• Search queries: Origins, destinations, dates, cabin classes, and passenger counts
• Booking history: Completed, canceled, and pending bookings
• Alert preferences: Fare alert configurations and notification preferences
• Feature usage: Which features you access and how frequently
• API usage: For developer accounts, API call logs and rate limit data

1.3 Technical Data

When you access the Service, we automatically collect:

• IP address and approximate geolocation
• Browser type, version, and operating system
• Device identifiers
• Referring and exit pages
• Timestamps and session duration

1.4 Loyalty Credentials

If you choose to sync your loyalty accounts, we collect your login credentials for those programs. These credentials are encrypted using AES-256 encryption before storage. We never store plaintext passwords. The encrypted credentials are used solely to log in to your loyalty accounts and retrieve balance and activity information. You can delete your stored credentials at any time.

1.5 Plaid Data

If you connect bank-linked loyalty programs through Plaid, Plaid collects your banking credentials directly. Pointify receives only the loyalty data that Plaid extracts (e.g., rewards balances), not your banking credentials. Plaid's own privacy policy governs data shared through their service.

2. How We Use Your Information

We use your information to:

• Provide, operate, and improve the Service
• Process flight and hotel searches
• Complete bookings and process payments
• Send fare alerts and price drop notifications
• Synchronize your loyalty account balances and activity
• Optimize points and miles recommendations
• Personalize your experience based on search history and preferences
• Communicate with you about your account, bookings, and Service updates
• Enforce our Terms of Service and prevent fraud
• Comply with legal obligations
• Generate anonymized, aggregated analytics to improve the Service

3. How We Share Your Information

We do not sell your personal data. We share information only in the following circumstances:

3.1 Travel Suppliers

When you make a booking, we share necessary passenger information (name, date of birth, passport details) with the relevant airline, hotel, or travel supplier to complete the reservation. This sharing is essential for the performance of the booking contract.

3.2 Payment Processors

Payment information is processed by Stripe. Stripe acts as an independent data controller for payment data. Please review Stripe's Privacy Policy for details on how they handle your payment information.

3.3 Plaid

If you use Plaid to connect loyalty accounts, your bank credentials and data are processed by Plaid in accordance with their privacy policy. We receive only derived loyalty data (balances, tier status).

3.4 Airline and Supplier APIs

To perform flight and hotel searches, we send query data (origin, destination, dates, passenger count) to third-party APIs including Duffel, Amadeus, Seats.aero, Kiwi, and SerpAPI. These queries do not include your personal identification unless you are completing a booking.

3.5 Proxy Services

Some search requests may be routed through proxy services to ensure reliable access to airline pricing data and to detect geo-pricing opportunities. These proxy services do not receive your personal information; they only route anonymized search requests.

3.6 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

4. Data Security

We implement robust security measures to protect your data:

• Encryption at rest: Loyalty credentials are encrypted with AES-256 before storage
• Encryption in transit: All data transmitted between your device and our servers uses TLS 1.3
• Row Level Security (RLS): Database-level access controls ensure users can only access their own data
• Authentication: Supabase Auth with secure session management
• Rate limiting: API endpoints are rate-limited to prevent abuse
• Access controls: Service role keys are restricted to server-side operations only
• Payment security: PCI-compliant payment processing through Stripe

While we use commercially reasonable measures to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

5. Cookies and Tracking Technologies

We use cookies and similar technologies for authentication, session management, and user preferences. For detailed information about the cookies we use, please see our Cookie Policy.

You can control cookie preferences through the cookie consent banner displayed on your first visit, or through your browser settings. Note that disabling essential cookies may prevent you from using certain features of the Service.

6. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

6.1 Right of Access

You have the right to request a copy of the personal data we hold about you. You can exercise this right through the data export feature in your account settings, or by contacting us.

6.2 Right to Rectification

You have the right to correct inaccurate personal data. You can update most information directly in your account settings.

6.3 Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your personal data. You can delete your account and all associated data through the account deletion feature in your settings, or by contacting us. Upon deletion, we will permanently remove:

• Your profile and account information
• All stored loyalty credentials and balances
• Plaid connections and associated data
• Booking history and trip data
• Fare alerts and search history
• Price freeze records
• All other personal data

6.4 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format. Use the data export feature to download a JSON file containing all your data.

6.5 Right to Restrict Processing

You have the right to request that we limit the processing of your personal data in certain circumstances.

6.6 Right to Object

You have the right to object to processing of your personal data for direct marketing purposes. You can manage your notification preferences in your account settings.

6.7 Right to Withdraw Consent

Where we process your data based on consent, you have the right to withdraw that consent at any time. This does not affect the lawfulness of processing based on consent before its withdrawal.

Exercising Your Rights

To exercise any of these rights, contact us at privacy@pointifytravels.com. We will respond to your request within 30 days. For EU/EEA residents, if you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

7. Data Retention

We retain your personal data as follows:

• Account data: Retained while your account is active and for 30 days after deletion to allow recovery
• Booking records: Retained for 7 years for tax and legal compliance
• Search history: Retained for 12 months, then anonymized for aggregate analytics
• Loyalty credentials: Deleted immediately upon disconnection or account deletion
• Payment data: Retained by Stripe per their data retention policies; we retain transaction references for 7 years
• Communication logs: Retained for 3 years

After the retention period, data is permanently deleted or irreversibly anonymized.

8. International Data Transfers

Your data may be transferred to and processed in the United States, where our servers and service providers are located. If you are located in the EU/EEA, we ensure that such transfers comply with GDPR through appropriate safeguards, including Standard Contractual Clauses (SCCs) with our service providers.

9. Children's Privacy

The Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal data from a child under 16, we will promptly delete that information. If you believe a child has provided us with personal data, please contact us at privacy@pointifytravels.com.

10. Third-Party Links

The Service may contain links to third-party websites, including airline booking pages, hotel sites, and partner services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party site you visit.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the “Last updated” date. For significant changes, we may also send an email notification. Your continued use of the Service after the effective date of changes constitutes acceptance of the updated policy.

12. Legal Basis for Processing (GDPR)

For users in the EU/EEA, we process your personal data on the following legal bases:

• Contract performance: Processing necessary to provide the Service and fulfill bookings
• Legitimate interest: Improving the Service, preventing fraud, and ensuring security
• Consent: For optional features such as loyalty account sync, marketing communications, and non-essential cookies
• Legal obligation: Compliance with applicable laws and regulations

13. Contact Information

For questions or concerns about this Privacy Policy or our data practices, please contact us: