What we collect, and what we don't.

This Privacy Policy describes how AwardSnitch ("AwardSnitch," "we," "us") handles information when you visit the site, search for routes, create an account, subscribe to Snitchium, or send us a message. By using the site you agree to the practices described below.

AwardSnitch is operated as an independent project from the United States. The site is intended for users worldwide; specific rights for users in California, the EU/UK, and other jurisdictions are described near the end of this page.

We collect information you choose to give us:

• Email address. Required to create an account. We use it to send sign-in links (a passwordless "magic link" plus a six-digit code), billing receipts, and the limited account emails you opt into.
• Account preferences. Your home airport, default cabin, currencies you hold, sort preferences, and any other choices you save. These exist to personalize search results — never shared.
• Sign-in via Google. If you sign in with Google, we receive your name, email, and profile picture from Google's identity service. We don't access your Gmail, Drive, contacts, or any other Google data.
• Messages you send us. When you submit the contact form we receive your email, optional name, message topic, the message itself, and the IP/user-agent metadata captured for abuse prevention.
• Billing information. If you subscribe to Snitchium, payment details (card number, billing address) are collected and stored by our payment processor — never by us. We receive only the information needed to confirm payment status (customer ID, subscription ID, plan, period end).

When you load a page, our servers and standard web infrastructure receive information typical of any website visit:

• Your IP address and approximate region.
• Your browser type, operating system, and device characteristics.
• The pages you view, the routes you search, and the time of each visit.
• Referrer information — the link or search that brought you here.
• Per-account search counts, used to enforce free-tier limits.

We use this information to operate and improve the site, to debug errors, to enforce rate limits and prevent abuse, to measure aggregate usage, and to maintain security. We do not use it to build a personal advertising profile of you and we don't share it with advertising networks.

AwardSnitch sets a small number of cookies and uses similar browser-storage mechanisms:

• Session cookie. A signed, HTTP-only cookie that keeps you logged in. Required for account features to work.
• Preference storage. Remembers things like your cabin, sort order, and filter choices so the site doesn't reset every visit.
• Security/CSRF tokens. Short-lived values that protect account-changing requests from being forged across sites.
• Aggregate analytics. Privacy-respecting analytics so we can see which pages and routes are useful. No cross-site tracking, no user-level advertising profile.

We do not use third-party advertising cookies and we do not participate in cross-site tracking networks. You can clear cookies in your browser settings at any time; doing so will sign you out and reset preferences.

AwardSnitch is built on standard cloud infrastructure. The providers below process limited information on our behalf, bound by contract to use it only for the purposes we direct:

• Hosting and database. Our hosting and database providers store the data described above and serve the site.
• Stripe — payment processing for Snitchium subscriptions. Stripe collects and stores all payment-card data directly; we never see or store full card numbers. Stripe's own privacy policy governs that data.
• Resend — transactional email delivery (sign-in links, billing receipts, refund confirmations, replies to messages you send us).
• Google — if you choose to sign in with Google, Google's identity service authenticates you. Google's own privacy policy governs that interaction.

We do not sell your personal information and we do not allow service providers to use it for their own marketing.

We keep data only as long as we need it for the purpose it was collected:

• Account records persist until you delete your account.
• Magic-link tokens and codes expire in 15 minutes.
• Session records expire after the session ends or after a period of inactivity.
• Server logs and rate-limit counters are retained for up to 30 days for security and abuse prevention.
• Billing records required by law (receipts, tax records) are retained for the period the law requires (typically up to 7 years).
• Contact-form messages are retained until the matter is resolved, then deleted.

Some links on AwardSnitch may be affiliate or referral links — for example, credit-card application links. When you click one and complete an offer on the partner's site, the partner may inform us that the referral originated from AwardSnitch. We do not receive your full application data, financial information, or credit-bureau details. See our Disclaimer for the full affiliate disclosure.

We do not sell or license user data to third parties for AI training, and we do not allow AI providers to use it to train their models. We may use AI-assisted tooling internally to draft replies, classify incoming messages, or help curate award-chart updates; any such use runs against our own data and does not feed third-party training pipelines.

AwardSnitch is not directed at children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child has provided us information, contact us through the contact form and we will delete it.

You can access, correct, export, or delete the personal information we hold about you by signing in to your account dashboard or by submitting a request through the contact form (pick "Privacy / data rights"). We respond within 30 days, sooner where law requires.

You can unsubscribe from any optional emails using the link in those emails. Transactional emails (sign-in links, billing receipts) are required to operate the service and cannot be unsubscribed without closing the account.

California residents have specific rights under the California Consumer Privacy Act, as amended by the CPRA. These include the right to know what personal information we collect, the right to access and delete it, the right to correct inaccuracies, the right to data portability, and the right to opt out of "sale" or "sharing" of personal information.

We do not sell or share your personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We also do not use sensitive personal information for purposes that would require an opt-out. To exercise any CCPA/CPRA right, use the contact form and select "Privacy / data rights." You may designate an authorized agent; we will verify the agent's authority before responding.

If you are in the EU, EEA, or UK, the General Data Protection Regulation (and UK GDPR) give you rights to access, rectify, erase, restrict processing of, object to processing of, and port your personal data. You also have the right to lodge a complaint with your local data-protection authority.

Our lawful bases for processing are: (a) contract — to operate features you've signed up for; (b) legitimate interests — security, fraud prevention, service improvement, balanced against your rights; (c) consent — for optional cookies or marketing email where required; and (d) legal obligation — for tax/billing records.

When personal data is transferred outside the EEA/UK to the United States, we rely on the European Commission's adequacy decisions or Standard Contractual Clauses with our service providers, as applicable.

We take reasonable technical and organizational measures to protect information against unauthorized access, loss, or alteration: HTTPS everywhere, server-side session tokens, hashed credentials where applicable, rate limiting on sensitive endpoints, and least-privilege access to production systems. No internet service is perfectly secure, however, and we cannot guarantee absolute security.

If you discover a security issue, please report it through the contact form (pick "Security disclosure") before disclosing publicly.

AwardSnitch is operated from the United States. If you use the site from another country, you understand that information about you may be transferred to and processed in the United States, which may have different data-protection rules than your home country. Where required by law, we rely on appropriate transfer mechanisms (see EU / UK section above).

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the "Last updated" date at the top of the page; significant changes may also be announced via email or an in-app notice. Continued use of AwardSnitch after a change means you accept the updated policy.

Questions about this policy, or about the information we have on file, can be submitted through the contact form.