Privacy Policy
Effective Date: February 22, 2026
Our Core Privacy Commitment. SuperPay is a recommendation-only platform. We never store full credit card numbers, CVV/CVC security codes, or expiration dates. We never process, initiate, or facilitate financial transactions on your behalf. The only card identifier we retain is the last four (4) digits of your card number, used solely for display and identification purposes within the application.
SuperPay Ai, Inc., a Delaware corporation (“SuperPay,” “we,” “us,” or “our”) operates the SuperPay mobile application, website at superpayrewards.com, and browser extension (collectively, the “Service”). This Privacy Policy describes how we collect, use, disclose, retain, and protect your personal information when you access or use the Service. It also explains your rights regarding your data and how you can exercise those rights.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices described herein, please discontinue use of the Service immediately.
1. Information We Collect
1.1 Account Information
When you create a SuperPay account, we collect the following information:
- Email address — used for account creation, authentication, login verification, password recovery, and essential service-related communications
- Full name — used to personalize your experience within the application
- Password — stored exclusively as a cryptographic hash using the bcrypt algorithm with a minimum cost (work) factor of 12. We never store, transmit, or have access to your plaintext password
- Account preferences — your selected financial goals, notification preferences, and display settings
1.2 Financial Information
To provide personalized credit card recommendations, we collect and store:
- Last four (4) digits of card numbers — used exclusively for card identification and display purposes. We never collect, store, transmit, or process full card numbers (PANs), CVV/CVC codes, expiration dates, or magnetic stripe data
- Card metadata — card name, issuer, network (Visa, Mastercard, Amex, Discover), and card type (credit or debit) as entered by you
- Reward structures — base reward rates, category-specific bonus multipliers, rotating category schedules, annual fee amounts, and spending caps you configure
- Credit limits and balances — used solely for credit utilization calculations and optimization recommendations
- Transaction history — merchant names, merchant categories, transaction amounts, and dates that you log or that are imported via connected financial accounts
- Bank connection data (optional) — if you choose to connect your financial institution through our Plaid integration, we receive limited account information, transaction data, and card details as described in Section 5
1.3 Usage Data
- Financial goals — objectives you set (e.g., maximize cash back, earn travel points, protect credit health) that guide our recommendation engine
- Recommendation interactions — which card recommendations you view, accept, or dismiss, used to improve recommendation relevance
- Feature usage — which features of the Service you access and how frequently, used for product improvement
- Session data — authentication tokens and session identifiers stored securely to maintain your authenticated state
- Subscription status — your current plan tier (Free or Pro) and subscription metadata managed through RevenueCat
1.4 Browser Extension Data
If you install the SuperPay browser extension for Google Chrome or Apple Safari, we may collect:
- Merchant identification data — the name and domain of merchants detected on e-commerce checkout pages you visit, used solely to provide real-time card recommendations
- Purchase amount data — transaction amounts detected on checkout pages, used to calculate optimal card recommendations
- Extension preferences — your configured settings within the extension (e.g., enabled/disabled state, display preferences)
The browser extension operates locally on your device and only activates on detected checkout pages. It does not perform background tracking, monitor browsing history, or collect data from non-checkout pages.
1.5 Device and Technical Information
- Device type and operating system (e.g., iOS, Android) — to optimize app performance and compatibility
- App version — to ensure you receive appropriate feature support and updates
- IP address — collected transiently for security monitoring, rate limiting, and fraud prevention; not stored long-term or used for tracking
- Browser type and version — when accessing the web application or using the browser extension
1.6 Information We Do NOT Collect
SuperPay is intentionally designed to minimize the personal data we handle. We do not collect:
- Full credit or debit card numbers (PANs)
- CVV, CVC, or CID security codes
- Card expiration dates
- Bank account numbers or routing numbers (Plaid handles this directly)
- Social Security numbers or government-issued identification numbers
- Precise geolocation data (GPS coordinates)
- Contacts, photos, or media from your device
- Biometric data (fingerprints, facial recognition data)
- Health or medical information
- Racial or ethnic origin, political opinions, religious beliefs, or trade union membership
- General browsing history or activity outside the Service
2. How We Use Your Information
We process your personal information strictly for the following purposes:
- Provide and operate the Service — deliver personalized credit card recommendations, calculate reward optimization, and display credit utilization insights
- AI-powered categorization and explanations — use artificial intelligence (OpenAI GPT-4o-mini) to categorize merchants into reward categories and generate natural-language explanations for why a specific card is recommended for a given purchase
- Account management — create and maintain your account, authenticate your identity, and manage your subscription
- Subscription and billing — process Pro subscription purchases ($9.99/month, $99/year, or $199 lifetime) through RevenueCat and the applicable app store (Apple App Store, Google Play Store)
- Browser extension functionality — deliver real-time card recommendations on e-commerce checkout pages
- Service improvement — analyze aggregated, de-identified usage patterns to improve our recommendation algorithms, user interface, and overall product quality
- Security and fraud prevention — monitor for unauthorized access, detect anomalous activity, and protect the integrity of the Service
- Communications — send essential service-related notifications, including security alerts, policy updates, and account-related messages. We do not send unsolicited marketing emails without your explicit opt-in consent
- Legal compliance — fulfill our obligations under applicable laws, regulations, and legal processes
3. Legal Bases for Processing (GDPR Article 6)
For users located in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland, we process your personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):
- Performance of a contract (Article 6(1)(b)) — processing necessary to provide the Service you have requested, including account creation, card recommendations, reward optimization, and subscription management
- Legitimate interests (Article 6(1)(f)) — processing necessary for our legitimate interests, including improving the Service, ensuring security, preventing fraud, and conducting internal analytics on aggregated data. We balance these interests against your fundamental rights and freedoms
- Consent (Article 6(1)(a)) — where you have provided explicit consent, such as opting in to optional features (e.g., Plaid bank connection, marketing communications). You may withdraw consent at any time without affecting the lawfulness of prior processing
- Legal obligation (Article 6(1)(c)) — processing necessary to comply with applicable legal requirements, including tax regulations, law enforcement requests, and regulatory obligations
4. How We Protect Your Information
We implement industry-standard administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of your personal information:
4.1 Encryption
- Data in transit — all communications between your device and our servers are encrypted using HTTPS with TLS 1.2 or higher. We enforce HTTP Strict Transport Security (HSTS) to prevent protocol downgrade attacks
- Data at rest — sensitive data stored in our PostgreSQL database is protected using encrypted connections and storage-level encryption provided by our infrastructure provider
4.2 Password Security
- Passwords are hashed using the bcrypt adaptive hashing algorithm with a minimum cost (work) factor of 12
- Plaintext passwords are never stored, logged, or accessible to any SuperPay personnel
- We enforce minimum password complexity requirements at the application layer
4.3 Access Controls
- Access to production systems and user data is restricted to authorized personnel on a strict need-to-know basis
- Administrative access requires multi-factor authentication
- All data access is logged and subject to periodic audit review
4.4 Infrastructure Security
- Our PostgreSQL database operates with encrypted connections, role-based access controls, and automated backups
- Application servers are hosted in secure, SOC 2-compliant data center environments
- We conduct regular security assessments and apply security patches in a timely manner
4.5 Incident Response
- We maintain a documented incident response plan for potential data security events
- In the event of a confirmed data breach affecting your personal information, we will notify you and applicable regulatory authorities within the timeframes required by applicable law (e.g., 72 hours under GDPR)
- Breach notifications will include the nature of the incident, the categories of data affected, and recommended protective measures
5. Data Sharing and Third-Party Services
We do not sell, rent, lease, or trade your personal information to third parties for their own marketing or commercial purposes. We share data only in the following limited, necessary circumstances:
5.1 Plaid (Financial Data Aggregation)
If you choose to connect your financial institution through Plaid, Inc., your banking credentials are provided directly to Plaid and are never transmitted to or stored by SuperPay. Plaid’s use of your data is governed by Plaid’s End User Privacy Policy. We receive only limited account and transaction data from Plaid necessary to populate your cards and transaction history within the Service.
5.2 RevenueCat (Subscription Management)
We use RevenueCat, Inc. to manage Pro subscription purchases and entitlements. RevenueCat processes your subscription transactions through the Apple App Store or Google Play Store and provides us with subscription status information (active, expired, trial). RevenueCat does not receive your financial card data or banking credentials. RevenueCat’s privacy practices are described in RevenueCat’s Privacy Policy.
5.3 OpenAI (AI-Powered Features)
We use OpenAI’s GPT-4o-mini model to provide merchant categorization and generate natural-language explanations for card recommendations. When we send data to OpenAI for processing:
- We transmit only merchant names, merchant categories, and card reward structures — never your name, email, passwords, or any personally identifiable information
- Data sent to OpenAI via API is not used by OpenAI to train or improve their models, pursuant to OpenAI’s API data usage policy
- OpenAI’s data handling practices are governed by OpenAI’s Privacy Policy
5.4 Infrastructure and Hosting Providers
We use third-party infrastructure providers (including cloud hosting, database hosting, and content delivery networks) to operate the Service. These providers process data on our behalf under contractual obligations that include confidentiality requirements and restrictions on further use of the data.
5.5 Legal and Regulatory Disclosures
We may disclose your personal information if required to do so by law or in the good-faith belief that such action is necessary to:
- Comply with a legal obligation, court order, subpoena, or government request
- Enforce our Terms of Service or investigate potential violations
- Protect and defend the rights, property, or safety of SuperPay, our users, or the public
- Detect, prevent, or otherwise address fraud, security, or technical issues
5.6 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.
6. International Data Transfers
SuperPay is operated from the United States. If you access the Service from outside the United States, including from the European Economic Area (EEA), United Kingdom, or other jurisdictions with data protection laws that differ from U.S. law, please be aware that your personal information will be transferred to, stored, and processed in the United States.
For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on the following transfer mechanisms as appropriate:
- Standard Contractual Clauses (SCCs) — approved by the European Commission under Commission Implementing Decision (EU) 2021/914
- UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable
- Adequacy decisions — where the European Commission or UK Secretary of State has determined that the recipient country provides an adequate level of data protection
- Your explicit consent — where no other transfer mechanism is available and you have been informed of the potential risks
You may request a copy of the applicable transfer safeguards by contacting us at dpo@superpayrewards.com.
7. Your Rights Under GDPR (EU/EEA/UK Users)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and the UK GDPR:
- Right of access (Article 15) — request confirmation of whether we process your personal data and obtain a copy of the data we hold about you
- Right to rectification (Article 16) — request correction of inaccurate or incomplete personal data
- Right to erasure (Article 17) — request deletion of your personal data (“right to be forgotten”), subject to certain exceptions (e.g., legal compliance obligations)
- Right to restriction of processing (Article 18) — request that we limit processing of your personal data under certain circumstances
- Right to data portability (Article 20) — receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller
- Right to object (Article 21) — object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds
- Right to withdraw consent (Article 7(3)) — where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of processing before withdrawal
- Right to lodge a complaint — file a complaint with your local data protection supervisory authority if you believe our processing violates applicable data protection law
To exercise any of these rights, please contact our Data Protection Officer at dpo@superpayrewards.com. We will respond to verified requests within thirty (30) days, or within the extended timeframe permitted by applicable law where necessary.
8. Your Rights Under CCPA/CPRA (California Residents)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information:
- Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collection, and the categories of third parties with whom we share it
- Right to delete — request deletion of your personal information, subject to certain exceptions
- Right to correct — request correction of inaccurate personal information we maintain about you
- Right to opt out of sale/sharing — direct us not to sell or share your personal information for cross-context behavioral advertising
- Right to limit use of sensitive personal information — limit our use and disclosure of sensitive personal information to purposes necessary to perform the Service
- Right to non-discrimination — we will not discriminate against you for exercising any of your CCPA/CPRA rights
Notice: “Do Not Sell or Share My Personal Information.” SuperPay does not sell your personal information to third parties, as defined under the CCPA/CPRA. We do not share your personal information for cross-context behavioral advertising. Because we do not engage in these activities, there is no need to opt out. However, if you have concerns, you may contact us at privacy@superpayrewards.com at any time.
To exercise your rights under the CCPA/CPRA, please submit a verifiable consumer request by contacting us at privacy@superpayrewards.com. You may also designate an authorized agent to make a request on your behalf, provided the agent provides proof of written authorization. We will verify your identity before processing any request and respond within forty-five (45) days.
9. Your Rights Under Other State Privacy Laws
Residents of certain U.S. states may have additional rights under state-specific privacy legislation:
9.1 Virginia Consumer Data Protection Act (VCDPA)
Virginia residents have the right to access, correct, delete, and obtain a portable copy of their personal data, as well as the right to opt out of the processing of personal data for targeted advertising, sale, or profiling. To exercise these rights or appeal a decision regarding your request, contact us at privacy@superpayrewards.com.
9.2 Colorado Privacy Act (CPA)
Colorado residents have rights similar to those described above, including the right to access, correct, delete, and obtain a portable copy of their personal data, and the right to opt out of targeted advertising, sale, or certain profiling activities. You may exercise these rights by contacting us at privacy@superpayrewards.com. If we decline your request, you may appeal by contacting us, and we will respond to your appeal within forty-five (45) days.
9.3 Connecticut Data Privacy Act (CTDPA)
Connecticut residents have the right to access, correct, delete, and obtain a portable copy of their personal data, as well as the right to opt out of the processing of personal data for targeted advertising, sale, or profiling that produces legal or similarly significant effects. To exercise these rights, contact us at privacy@superpayrewards.com. If we decline your request, you may appeal, and we will respond within sixty (60) days of receipt of the appeal.
For all state privacy rights requests, we will verify your identity before processing your request and will not discriminate against you for exercising your rights.
10. Data Retention and Deletion
We retain your personal information only for as long as reasonably necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by applicable law.
10.1 Active Accounts
While your account remains active, we retain all data associated with your account to provide and improve the Service.
10.2 Account Deletion
You may request deletion of your account at any time through the in-app Settings or by contacting us at privacy@superpayrewards.com. Upon account deletion:
- All personal information (name, email, hashed password) is permanently and irreversibly deleted
- All financial data (card information, reward structures, credit limits, balances) is permanently deleted
- All transaction history and recommendation data is permanently deleted
- All session tokens and authentication data are immediately invalidated and purged
- All Plaid access tokens (if applicable) are revoked and deleted
- Subscription entitlements are terminated (note: App Store/Play Store subscription billing must be cancelled separately through your respective app store)
Deletion is irreversible and typically completes within thirty (30) days. We may retain certain information for a limited period as necessary to comply with legal obligations, resolve disputes, or enforce our agreements. Any such retained data will be securely deleted upon expiration of the applicable retention period.
10.3 Inactive Accounts
We may send periodic reminders to accounts that have been inactive for an extended period. We reserve the right to delete accounts that have been inactive for more than twenty-four (24) months, subject to prior notice to the registered email address.
11. Children’s Privacy
SuperPay is not intended for, directed at, or designed to attract individuals under the age of eighteen (18). We do not knowingly collect, solicit, or maintain personal information from children under the age of thirteen (13) as defined by the Children’s Online Privacy Protection Act (COPPA), or under the age of sixteen (16) for users located in the EEA.
If we become aware that we have inadvertently collected personal information from a child under the applicable minimum age, we will take immediate steps to delete such information from our systems. If you believe that a child has provided us with personal data, please contact us immediately at privacy@superpayrewards.com so that we can investigate and take appropriate action.
12. Cookies, Tracking, and Browser Extension Data
12.1 Cookies
SuperPay uses only strictly necessary cookies required for authentication, session management, and security. These cookies are essential for the Service to function and cannot be disabled without affecting core functionality. We do not use:
- Advertising or behavioral targeting cookies
- Third-party analytics or tracking cookies
- Cross-site tracking technologies or pixels
- Social media tracking widgets or plug-ins
- Fingerprinting or device identification technologies beyond essential session management
12.2 Browser Extension Data Practices
The SuperPay browser extension (available for Google Chrome and Apple Safari) is designed with privacy as a foundational principle:
- The extension activates only on detected e-commerce checkout pages — it does not monitor or record general browsing activity
- Merchant and purchase amount data detected on checkout pages is transmitted to our servers only to generate real-time card recommendations and is not stored beyond the duration of the session
- The extension does not inject advertisements, redirect traffic, modify page content beyond the recommendation overlay, or collect data for any purpose other than providing card recommendations
- You may disable or uninstall the extension at any time through your browser settings
12.3 Do Not Track (DNT)
Because SuperPay does not engage in cross-site tracking, we treat all users equivalently regardless of browser Do Not Track (DNT) signal settings. Our data practices are consistent with a “Do Not Track” state by default.
13. Third-Party Links
The Service may contain links to third-party websites, applications, or services that are not owned or controlled by SuperPay. This Privacy Policy applies solely to information collected through the Service. We are not responsible for the privacy practices or content of third-party sites. We encourage you to review the privacy policies of any third-party services you access through links on or from the Service.
14. Changes to This Policy
We reserve the right to modify this Privacy Policy at any time. When we make material changes, we will:
- Update the “Effective Date” at the top of this page
- Provide prominent notice within the application (e.g., in-app notification or banner)
- For material changes that affect your rights or our data practices, send notification to the email address associated with your account at least thirty (30) days before the changes take effect
Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acknowledgment and acceptance of the updated terms. If you do not agree with the revised policy, you must discontinue use of the Service and may request deletion of your account.
15. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through the following channels:
For GDPR-related inquiries, EU/EEA/UK residents may also contact our Data Protection Officer directly at dpo@superpayrewards.com. We will acknowledge receipt of your inquiry within five (5) business days and provide a substantive response within thirty (30) days.