What we collect, why, and how to take it back.
Plain-language privacy policy. Maple Rewards is a Canadian-resident credit-card rewards optimizer. We hold the minimum data needed to compute your missed rewards and answer your chat questions — nothing more — and you can export or delete all of it from the account settings page.
1. Who we are
Maple Rewards is operated by a sole proprietorship based in Ontario, Canada. The data controller for the purposes of PIPEDA and GDPR is the founder, reachable at hello@maplerewards.app.
2. What we collect
We collect only what we need to deliver the product. Three categories:
- Account data — email address, display name, hashed password (or Google account ID if you signed in with Google), the timestamp of your last login.
- Rewards data — the credit cards you tell us you carry, point balances you enter, applications you record, missed-rewards reports we compute. We never see your real bank account or card number. Spending entries are typed by you or imported from a CSV you upload — we do not link to your bank.
- Operational data — IP address (for rate-limiting), user-agent string, the chat messages you send to our AI assistant. Chat history is kept so you can scroll back; you can delete a conversation at any time.
We do not collect: real-time bank transactions, government IDs, social insurance numbers, biometrics, location beyond IP-derived city, or browser fingerprints.
3. Why we collect it
We use your data exclusively to deliver the product features you signed up for:
- Optimizer + missed-rewards — your wallet and spend entries feed the algorithm that ranks cards and identifies leakage.
- AI chat — your messages plus a wallet snapshot are sent to Anthropic (our LLM provider) per query.
- Award alerts — your saved trips drive the background worker that probes airline award availability.
- Account integrity — IP + user-agent are kept short-term for rate-limit and abuse detection.
We do not sell data, run ads, or share anything with marketing networks.
4. Sub-processors we use
To run the service we share specific data with these vendors. Each is contractually bound to use the data only for the stated purpose.
| Vendor | What they see | Why |
|---|---|---|
| Anthropic (US) | Your chat message + wallet snapshot | LLM responses |
| Stripe (US) | Email, name, billing address | Payment processing |
| Resend (US) | Email address, message body | Outbound email |
| Apify (Czech Republic) | Airline routes you search | Award availability scraping |
| SerpAPI (US) | Airline routes you search | Cash-price comparison |
| Tavily (US) | None — internal cron only | Promo blog scraping |
| Google (US) | Email, name (only if you used Google sign-in) | OAuth login |
5. Cookies and storage
We use three classes of browser storage:
- Essential cookies — your session token (httpOnly, secure) and CSRF token. Cannot be disabled — the product breaks without them.
- Functional localStorage — your sidebar collapsed state, last-visited route, accepted cookie banner. You can clear this from your browser at any time.
- No tracking cookies, no third-party ad cookies, no fingerprinting. If we ever wire analytics (PostHog or similar), we will update this policy and re-prompt for consent.
6. Your rights
You have these rights regardless of where you live. Quebec residents (Law 25), EU/UK residents (GDPR), and US/elsewhere users — same rights, same one-click flows:
- Right to access — download every byte of data we hold about you as JSON from account settings → "Export my data."
- Right to correction — edit your profile + wallet entries directly in the app.
- Right to deletion — "Delete my account" in settings. We mark your account deleted immediately; the rows are hard-deleted from our database after a 30-day grace period (long enough to undo accidental deletion, short enough to be defensible).
- Right to portability — the export above is plain JSON. You can take it anywhere.
- Right to withdraw consent — opt out of the weekly missed-rewards email from any digest footer, or revoke entirely by deleting your account.
- Right to object / restrict processing — email us at hello@maplerewards.app and we will respond within 30 days.
7. Retention
Active accounts: data is kept for the life of your account.
Deleted accounts: a soft-delete marker is set immediately. After 30 days a background job hard-deletes all rows associated with that user (cards, spend, applications, chat history, refresh tokens, push subscriptions). Audit log retains the deletion timestamp for 12 months to comply with anti-fraud requirements.
Anonymous sessions (you used the site without signing up) expire after 90 days of inactivity.
8. Children
Maple Rewards is not directed at users under 18. If you are a parent and believe your child has signed up, email us at hello@maplerewards.app and we will delete the account.
9. Where we store data
The primary database is hosted in Canada. Sub-processor data may transit to the US (Stripe, Anthropic, Resend) or EU (Apify). All transfers occur under standard contractual clauses or equivalent legal mechanisms.
10. Security
Passwords are hashed with bcrypt. Sessions use JWT (15-minute access tokens, 30-day refresh with rotation). API traffic is HTTPS-only. We do not write payment card numbers to our database — Stripe handles all card data and we only see a customer ID. We use defense-in-depth practices (CSRF tokens, rate limiting, JWT reuse detection) and rotate provider API keys quarterly.
11. Changes to this policy
If we make material changes — new sub-processors, new data categories, new purposes — we will email registered users and post a banner in-app for 30 days. The "last updated" date at the top of this page always reflects the latest revision.
12. Complaints
If you believe we have mishandled your data, please contact us first at hello@maplerewards.app. You also have the right to lodge a complaint with the Office of the Privacy Commissioner of Canada or, for EU residents, your local supervisory authority.
See also: Terms of Service.