Privacy Policy

Perkmon ("Perkmon," "we," "our," or "us") operates the Perkmon marketing site at perkmon.com and the Perkmon web application at perkmon.app. This Privacy Policy explains what personal information we collect, how we use and disclose it, and the rights you have. It applies to visitors and users worldwide, including residents of the United States, the European Economic Area (EEA), and the United Kingdom. The data controller responsible for your personal information is Perkmon (perkmon.com).

We collect the following categories of personal information: • Identifiers (for example, email address, display name, device/app identifiers) • Profile and account settings (for example, currency, timezone, notification preferences) • Card and benefit tracking records you create in the Service • Transaction and subscription records (managed by our payment processors; we do not receive full card numbers) • Usage, diagnostics, and security logs • Support and feedback communications

We collect personal information from: • You directly (when you register, configure settings, add cards/benefits, or contact us) • Your device/browser (usage, diagnostics, and security events) • Service providers acting on our behalf (for hosting, analytics, and communications)

We use personal information to: • Provide and maintain the Perkmon service • Track benefits, reminders, and account features • Process payments and manage subscriptions • Secure accounts and detect abuse, fraud, and service issues • Respond to support requests and product feedback • Measure and improve product performance and reliability

If you are in the EEA or UK, we process your personal information only where we have a legal basis to do so. Depending on the context, our legal bases are: • Performance of a contract — to provide the Service you request and manage your account and subscription • Legitimate interests — to secure accounts, prevent fraud and abuse, run analytics, and improve our Service, balanced against your rights and subject to your right to object and to opt out via Global Privacy Control • Legal obligation — to comply with applicable laws and respond to lawful requests • Consent — where you provide it for optional features or communications; you may withdraw it at any time

We do not sell or share personal information with third parties for their own marketing or advertising purposes. We disclose personal information only to service providers and contractors as needed to operate the Service (for example, cloud hosting, data storage, analytics, and communications), for security and legal compliance, and during a business transfer if ownership changes.

We share personal information with the following service providers (processors), each acting on our behalf and under contract. Each provider has its own privacy policy governing its handling of data.

Paid plans are billed through Stripe (for web and app subscriptions) and through the Apple App Store and Google Play for in-app purchases. These processors collect and handle your payment information directly under their own privacy policies. We do not store full payment card numbers, CVVs, or payment credentials. We receive limited transaction metadata (such as plan, status, and the last four digits of a card) needed to manage your subscription. Perkmon is a perks-tracking tool, not a financial institution; we do not access your card accounts, balances, statements, or banking credentials.

We retain personal information only as long as needed for the purposes described in this policy, including security, legal, and operational needs. Retention standards by data type are: • Account profile and card/benefit records: while your account is active, then deleted or de-identified after verified account deletion requests • Support and feedback records: retained for customer support, quality review, and legal recordkeeping needs • Security and diagnostic logs: typically retained for up to 12 months for security monitoring and incident response • Backups: retained on a rolling basis and typically removed within 90 days under backup lifecycle controls

We use administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit and at rest through our infrastructure providers. We do not store full payment card numbers, CVVs, or payment credentials.

We use essential cookies and local storage to keep you signed in, secure sessions, and remember app preferences, and we use Google Analytics cookies to understand usage. We do not use third-party advertising cookies. Where your browser sends a Global Privacy Control (GPC) signal, we do not load Google Analytics at all, so it sends, collects, and processes no data (see "U.S. State Privacy Rights").

Perkmon offers an optional Chrome extension that syncs the card and loyalty offers you already see when you are signed in to supported issuer and loyalty websites. When you install it, Chrome shows a broad permission prompt — something like "read and change your data on all websites." That prompt sounds broad, but Perkmon only uses website access to sync the issuer and loyalty offers on the supported sites you choose to connect. The extension only runs on the supported sites you actively choose to sync. It does not browse the web in the background and does not read unrelated websites. It activates only when you open Perkmon in the side panel and start a sync for a provider you have connected. When you start a sync, the extension reads only the offer and benefit information already visible in your signed-in session on that supported site, plus the last 4 digits of a card so we can match offers to the right card in your wallet. It does not read your passwords, security codes (CVV), or full card or bank account numbers, and it does not collect the content of unrelated web pages. Website access is optional. You can decline the permission, remove access in Chrome at any time, or uninstall the extension, and the rest of Perkmon will keep working.

Subject to applicable law, you may request to: • Know/access categories and specific pieces of personal information • Correct inaccurate personal information • Delete personal information, subject to legal exceptions • Receive a portable copy of eligible data • Opt out of sale/share (Perkmon does not sell or share personal information for cross-context behavioral advertising) How to submit requests: email [email protected] with the subject "Privacy Request" or contact us through the in-app feedback feature. We verify requests by matching account details and may request additional information reasonably necessary to verify identity. If you are in the EEA/UK or a U.S. state with comprehensive privacy laws, see the two sections below for additional rights and timelines specific to your region.

If you are in the EEA or UK, subject to applicable law you have the right to: • Access, verify, and obtain a copy of your personal information • Correct inaccurate personal information • Erase your personal information ("right to be forgotten") • Restrict or object to our processing • Data portability • Withdraw consent at any time, without affecting prior processing • Lodge a complaint with your local supervisory or data protection authority To exercise these rights, email [email protected]. We respond within one month of a verifiable request (extendable by up to two further months for complex requests, with notice), free of charge, as required by the GDPR.

Residents of U.S. states with comprehensive privacy laws — including California, Virginia, Colorado, Connecticut, Texas, and Oregon, among others — may, subject to applicable law: • Access the personal information we hold about you • Correct inaccurate personal information • Delete personal information, subject to legal exceptions • Obtain a portable copy of eligible data • Opt out of targeted advertising, sale, or profiling • Receive non-discriminatory treatment for exercising these rights Sale/share. We do not sell or share end-user personal information with third parties for their own marketing or advertising purposes. Our use of analytics cookies (Google Analytics) may be considered a "sale," "share," or "targeted advertising" under some state laws; you may opt out as described below. Global Privacy Control. Because there is no uniform "Do Not Track" standard, we do not respond to DNT signals. If your browser sends a Global Privacy Control (GPC) signal, we treat it as a valid request to opt out of any sale, share, or targeted advertising and abide by it in a frictionless manner; specifically, when a GPC signal is present we do not load Google Analytics at all (its script is never requested), so it sends, collects, and processes no data. Sensitive personal information. The only "sensitive personal information" we collect is your account login credentials. We use it solely to authenticate you and operate the Service, never to infer characteristics about you, and we do not engage in profiling that produces legal or similarly significant effects. California disclosures (last 12 months): • Categories collected: identifiers, profile/account settings, card/benefit records, usage/security logs, support communications • Business/commercial purposes: service delivery, security, troubleshooting, communications, and product improvement • Categories disclosed for business purposes: identifiers, account settings, card/benefit records, diagnostics, and communications to service providers • Sold or shared for cross-context behavioral advertising: none, except as noted above regarding analytics cookies We do not permit third parties to collect personal information through our Service for their own cross-site behavioral advertising purposes. How to submit and appeals. Email [email protected] with the subject "Privacy Request" or use in-app feedback. We verify requests by matching account details. We respond to U.S. state requests within 45 days, extendable once by up to 45 days. If we deny a request, residents of states with an appeal right (including Virginia, Colorado, Connecticut, Texas, and Oregon) may appeal by replying to the denial notice or emailing [email protected] within 30 days; we respond to appeals within the statutory window for your state (for example, 60 days in Virginia and Colorado).

Perkmon is not directed to children and we do not target children. We do not knowingly collect personal information from children under 13 in the United States, or under the applicable digital-consent age (which ranges from 13 to 16 depending on the country; 13 in the UK) in the EEA/UK. If you believe a child has provided us personal information, contact [email protected] and we will delete it upon verified request from a parent or guardian.

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy and updating the "Last updated" date. We encourage you to review this policy periodically.

Operator / data controller: Perkmon (perkmon.com) Privacy contact: [email protected]