Privacy Policy

1. Introduction

Zurp, LLC (“zurp,” “we,” “our,” or “us”) operates the zurp web application and related services (collectively, the “Service”). Zurp is a credit card benefit optimization platform that helps you understand, track, and maximize the value of your credit card rewards, credits, and perks.

This Privacy Policy explains what information we collect, how we use it, who we share it with, and what choices you have. It applies to all users of the Service, including visitors to zurp.com and users who connect their credit card accounts.

By using zurp, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

2. Information We Collect

2.1 Information You Provide Directly

• Account information: When you create a zurp account, we collect your email address. You may also provide a display name.
• Card selection: You tell us which credit card(s) you hold (e.g., Chase Sapphire Reserve, Amex Gold). We use this to load the correct benefit catalog and generate personalized insights. We do not collect your card number, CVV, expiration date, or any payment credentials.
• Preferences and settings: Your notification preferences, benefit tracking settings, and any manual inputs such as self-reported benefit usage (e.g., marking a hotel credit as redeemed).
• Communications: If you contact us for support or provide feedback, we collect the content of those communications.

2.2 Information Collected Through Plaid

When you connect your credit card account to zurp, we use Plaid, Inc. (“Plaid”) as a secure intermediary to access your financial data. You authenticate directly with your financial institution through Plaid's interface — zurp never sees, handles, or stores your bank login credentials.

Through Plaid, we receive:

• Transaction history: Up to 24 months of transaction data from your connected credit card account, including merchant name, transaction amount, date, and Plaid's categorization (e.g., “FOOD_AND_DRINK”). This is the primary data source for our insight engine.
• Account metadata: Account name, type (credit card), institution name, and last four digits of the account number. We use this to identify which card is connected and display it in the app.

We do NOT receive through Plaid: your full card number, CVV, PIN, Social Security number, login credentials, account balances, or any information from non-credit-card accounts (checking, savings, investment, etc.) unless you explicitly connect them.

2.3 Information Collected Automatically

• Usage data: Pages viewed, features used, insights dismissed or acted upon, session duration, and interaction patterns within the app.
• Device information: Browser type and version, operating system, screen resolution, and device identifiers.
• Log data: IP address, access timestamps, referring URLs, and error logs.
• Cookies and similar technologies: We use essential cookies for authentication and session management. See Section 8 (Cookies) for details.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Generate personalized benefit insights — competitor redirects, unused credit alerts, ROI calculations (using transaction history, card selection, and benefit catalog)
• Track benefit usage — credit utilization across monthly, semi-annual, and annual periods (using transaction history and benefit period rules)
• Power the Compare feature — show what you'd gain or lose by switching cards (using transaction history and card benefit catalogs)
• Detect spending patterns — identify recurring subscriptions to surface optimization opportunities (using merchant names, amounts, and dates)
• Send alerts — expiring credits, enrollment reminders, and spending cap warnings (using benefit period data and user preferences)
• Improve the Service — fix bugs and develop new features (using usage data, device info, and aggregated transaction patterns)
• Respond to support requests — communicate with you (using account info and communications content)
• Prevent fraud and comply with legal obligations — enforce our Terms of Service (using account info, device info, and log data)

We do NOT use your data to: make credit decisions, report to credit bureaus, sell to advertisers, build advertising profiles, underwrite insurance, or evaluate your creditworthiness. Zurp is a benefit optimization tool, not a financial product.

4. How We Share Your Information

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not rent, trade, or otherwise monetize your data.

We may share information with the following categories of recipients, solely for the purposes described:

4.1 Service Providers

• Plaid, Inc. — financial data aggregation; secure connection between your bank and zurp. Plaid returns transaction data and account metadata to zurp.
• Cloud infrastructure (Vercel, Neon) — hosting, data storage, and compute. All Service data is encrypted at rest and in transit.
• Email/notification providers — delivering alerts and communications. Only email address and notification content are shared.

All service providers are bound by data processing agreements that restrict their use of your data to the specific services they provide to us.

4.2 Legal and Safety Disclosures

We may disclose your information if we believe in good faith that disclosure is necessary to:

• Comply with applicable law, regulation, legal process, or governmental request
• Enforce our Terms of Service or other agreements
• Protect the rights, property, or safety of zurp, our users, or the public
• Detect, prevent, or address fraud, security, or technical issues

4.3 Business Transfers

If zurp is involved in a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service before your information becomes subject to a different privacy policy.

4.4 With Your Consent

We may share your information for other purposes with your explicit consent.

5. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. Specific retention periods:

• Account information: Duration of account + 30 days after deletion (grace period for account recovery)
• Transaction data (from Plaid): Duration of account + 30 days after deletion, or up to 24 months of history, whichever is shorter
• Derived insights and benefit tracking: Duration of account + 30 days
• Usage and analytics data: Up to 24 months
• Log data: Up to 12 months
• Support communications: Up to 36 months

When you delete your account, we initiate deletion of your personal data within 30 days. Some data may persist in encrypted backups for up to 90 days before being permanently purged. We may retain anonymized, aggregated data that cannot be used to identify you indefinitely for statistical and product improvement purposes.

6. Data Security

We implement industry-standard security measures to protect your information:

• Encryption in transit: All data transmitted between your browser, zurp's servers, and Plaid is encrypted using TLS 1.2 or higher.
• Encryption at rest: All stored data, including transaction records and account information, is encrypted using AES-256 encryption. Plaid access tokens are encrypted using AES-256-GCM before storage.
• Access controls: Access to user data is restricted to authorized personnel on a need-to-know basis, protected by multi-factor authentication and role-based access controls.
• Plaid security: Your bank credentials are handled exclusively by Plaid, which maintains SOC 2 Type II certification, uses AES-256 encryption, and is regularly audited by independent security firms. Zurp never receives or stores your bank login credentials.
• Infrastructure: Our infrastructure is hosted on SOC 2-certified cloud providers with built-in DDoS protection, automated patching, and continuous monitoring.
• Incident response: We maintain a security incident response plan. In the event of a data breach affecting your personal information, we will notify you and relevant authorities in accordance with applicable law.

No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

7. Your Rights and Choices

7.1 All Users

• Access and portability: You can request a copy of the personal information we hold about you in a structured, machine-readable format.
• Correction: You can update your account information at any time through the app settings, or request that we correct inaccurate data.
• Deletion: You can delete your account at any time. This will trigger deletion of your personal data as described in Section 5.
• Disconnect Plaid: You can disconnect your financial institution at any time through the app or through Plaid's portal (my.plaid.com). Disconnecting stops new data from flowing to zurp. You can also request deletion of data Plaid holds about you directly through Plaid.
• Opt out of communications: You can unsubscribe from marketing emails at any time. Transactional emails (e.g., security alerts, account changes) cannot be opted out of while your account is active.

7.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

• Right to know: You may request the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
• Right to delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to correct: You may request correction of inaccurate personal information.
• Right to opt out of sale/sharing: zurp does not sell your personal information and does not share it for cross-context behavioral advertising. Therefore, there is no sale or sharing to opt out of.
• Right to limit use of sensitive personal information: We collect financial account information (transaction data) which may be considered sensitive personal information under CPRA. We use this data only as necessary to provide the Service as described in this policy.
• Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise these rights, contact us at support@zurp.com or use the in-app privacy controls. We will verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.

Categories of personal information collected in the preceding 12 months: Identifiers (email, IP address); financial information (transaction data, account metadata via Plaid); internet activity (usage data, device info); inferences (derived insights, benefit tracking calculations).

7.3 European Economic Area, UK, and Swiss Residents

If you are located in the EEA, UK, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) or equivalent legislation, including the rights to access, rectify, erase, restrict processing, data portability, and object to processing. You also have the right to lodge a complaint with your local supervisory authority.

Our legal bases for processing are: performance of our contract with you (providing the Service), your consent (where applicable), our legitimate interests (improving the Service, preventing fraud), and compliance with legal obligations.

7.4 Other U.S. State Privacy Rights

Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws may have similar rights to access, correct, delete, and opt out of certain processing. Contact support@zurp.com to exercise these rights.

8. Cookies and Tracking Technologies

• Essential/Session cookies: Authentication, session management, CSRF protection. Duration: session / 30 days. Cannot be disabled (required for the Service to function).
• Preference cookies: Remembering your settings and display preferences. Duration: 1 year. Can be disabled via browser settings.

We do not use advertising cookies or tracking pixels. We do not engage in cross-site tracking. We honor Global Privacy Control (GPC) signals and Do Not Track (DNT) browser signals.

9. Third-Party Services and Links

The Service may contain links to third-party websites or services, including credit card issuer websites (Chase, American Express, etc.), Plaid's portal, and benefit partner merchants. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing them with your information.

Plaid: When you connect your financial account through Plaid, Plaid's own privacy policy (available at plaid.com/legal) governs Plaid's collection and use of your data. You can manage your Plaid connections at my.plaid.com.

10. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at support@zurp.com.

11. International Data Transfers

Zurp is based in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. Where required, we rely on standard contractual clauses, adequacy decisions, or other approved transfer mechanisms to ensure appropriate safeguards for international transfers.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (sent to the address associated with your account) and/or by posting a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

We encourage you to review this policy periodically. The “Last Updated” date at the top of this document indicates when the policy was most recently revised.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Zurp, LLC
Email: support@zurp.com