Privacy Policy

Last updated: March 16, 2026

1. What Waiv Is

Waiv is a credit card rewards optimizer. Our Chrome extension recommends the best card at checkout, and our web dashboard tracks your benefits, spending insights, and optimization opportunities.

2. What Data We Collect

  • Account information: Email address and authentication data (managed by Supabase Auth).
  • Card portfolio: Which card products you own (e.g. "Amex Gold"). We store card product IDs only — never card numbers, CVCs, or expiration dates.
  • Transaction history: Merchant name, category, amount, and which card you used when you click "Use This Card" in the extension overlay.
  • Benefit usage: How much of each card benefit you've used (e.g. "$180 of $300 travel credit").
  • Feedback: Optional reports when a card recommendation is wrong.
  • Spending profile (optional): If you connect via Plaid, we pull a one-time spending summary (category totals only) and immediately disconnect. See Section 5.

3. Card Vault — Zero-Knowledge Encryption

If you choose to store card details for autofill, they are encrypted entirely on your device using AES-256-GCM with a password you set. Specifically:

  • Key derivation uses PBKDF2 with 100,000 iterations, SHA-256, and a random 16-byte salt per card.
  • Each card is encrypted with a unique random 12-byte initialization vector (IV).
  • Encrypted data is stored in chrome.storage.local — sandboxed to the extension, never synced to the cloud.
  • Card numbers, CVCs, expiration dates, and cardholder names never leave your browser. They are never sent to our servers, Supabase, or any third party.
  • Decryption requires your vault password every time. We do not store your password.

4. How Your Data Is Stored

Server-side data (card portfolio, transactions, benefits) is stored in Supabase (PostgreSQL) with Row-Level Security (RLS) enabled on all user tables. This means:

  • You can only read and write your own data. Other users cannot access your records, even with a valid session.
  • Public data (card catalog, benefit definitions) is read-only and contains no personal information.
  • Our backend uses a service-role key for admin operations only (e.g. reading anonymized feedback). User-facing queries go through RLS-protected paths.

5. Plaid Integration

If you connect a bank account via Plaid to calibrate spending insights:

  • We pull transaction history once to build a spending profile (category totals and monthly averages).
  • We immediately revoke the Plaid access token after the pull. We do not store Plaid credentials or maintain ongoing bank access.
  • Only aggregated spending categories are saved (e.g. "dining: $450/month"). Individual bank transactions are not stored.
  • You can request deletion of your spending profile at any time.

6. How We Use Your Data

  • Recommend the best credit card at checkout based on your portfolio and the merchant category.
  • Track benefit usage and send reminders for expiring credits.
  • Improve recommendation accuracy using anonymized, aggregated feedback.
  • Display your optimization score and rewards history on the dashboard.

7. What We Never Do

  • Never sell your data. Not to advertisers, data brokers, or any third party.
  • Never store card numbers on our servers. Card details only exist in the encrypted vault on your device.
  • Never maintain bank access. Plaid tokens are revoked immediately after the one-time pull.
  • Never log personal information. Server logs contain only route paths and status codes, never emails, card data, or financial details.

8. Analytics

We use privacy-respecting analytics to understand product usage. We track:

  • Page views (path only, no query parameters).
  • Funnel events (signup started, extension connected, etc.).
  • Feature usage counts (e.g. "recommendation shown").

We never track: email addresses, card IDs, transaction amounts, merchant names, or any personally identifiable information in analytics.

9. Your Rights

  • Access: View all data we hold about you in your dashboard.
  • Deletion: Delete your account and all associated data at any time. Email nishita@waivme.com or use the account settings page.
  • Portability: Request an export of your data in a machine-readable format.
  • Correction: Update or correct your information at any time.

10. Contact

For privacy questions or data requests, contact us at nishita@waivme.com.
