Privacy Policy
minmaxyourpoints™ is built and operated by Geon Yoo. Contact: geonjason@gmail.com.
What we collect
We collect only the information you type into the app yourself, plus the minimum required to log you in and keep the service running:
- Email and password. Used to identify and authenticate your account. Your password is stored as a one-way bcrypt hash and we cannot recover it.
- The cards you add to your wallet — IDs only (from our curated database) plus anything you enter as a custom card.
- Monthly spending estimates you enter on onboarding and the suggestions page.
- Points valuations you override from our defaults.
- Trip goals you create (destination, travelers, target date, computed plan).
- Sign-up-bonus progress you record (card, spend to date, deadline).
- Household members you add (display name and relation to your wallet). Used so the planner can pool balances and SUB eligibility across the household.
- B2B inquiries — if you submit the form at /business, we store the email, optional company name, optional team-size band, and optional message. Used only to reply to you.
We do not connect to your bank, see your transactions, ingest your statements, or receive any data from your card issuer. Every piece of data in your account was typed by you.
Automatic technical data
Like any web app, some information is collected automatically when you visit:
- Traffic analytics (Vercel Analytics): aggregate page views, referrer, country, browser family. No cookies, no cross-site tracking, no personal identifiers.
- Error reports (Sentry): when something crashes, we capture the stack trace, URL, browser, and your user ID so we can fix the bug. Not used for marketing.
- Session cookies: one cookie to keep you signed in. No advertising cookies, no third-party trackers. See Cookies for the full list.
- IP addresses for abuse prevention: when you submit unauthenticated forms (sign-in, sign-up, password reset, verification resend, B2B inquiry, /api/auth/verify), we record the IP in a rate-limit counter so a single source can't spam those endpoints. The counter rolls over hourly. We do not use IP for analytics, tracking, or profiling.
Who we share data with
We do not sell, rent, or trade your personal information. We use a small number of service providers to run the app; these are the only parties that touch your data:
- Neon — hosts our Postgres database.
- Vercel — hosts the app and provides analytics.
- Resend — sends verification and account emails.
- Sentry — receives error reports when the app crashes.
- Anthropic — when you generate an AI wallet analysis on /rewards, the names of the cards in your wallet plus your spending estimates are sent to Anthropic's Claude API to generate the narrative. Anthropic's commercial-terms data-handling applies; the data is not used to train models. We do not send your email, password, or any unrelated personal information. The same Claude API is used by the transfer-bonuses cron and the T&C diff tracker to summarise publicly-scraped content, but those calls do not include any user data.
Each is bound by its own privacy practices. We send them the minimum data needed to provide their service.
Apply links
Some card detail pages include an Apply button that opens the issuer's application page. These are plain links today — no affiliate tracking, no commissions. If that ever changes, we'll update this page and add a visible disclosure next to any Apply button with tracking. See our Terms of Service for the longer version.
Your rights
You can view and edit everything you've entered from within the app. To delete your account and all associated data, go to Account and use the delete-account button. Deletion is immediate and cascades to every piece of data we hold about you — cards, spending estimates, valuations, goals, and SUB progress. If the self-serve delete fails or you need a data export instead, email geonjason@gmail.com from your account's email.
If you're a resident of California, the EU, the UK, or another jurisdiction with data-protection laws, those laws give you specific rights (access, portability, deletion, correction, restriction). Send us the request and we'll honor it.
Children
This service isn't directed at children under 18 and we do not knowingly collect information from them. If you believe a child has created an account, contact us and we'll delete it.
Changes to this policy
We'll update this page when practices change. Material changes will be announced via the email address on your account.