Legal

Privacy Policy

Last updated: May 21, 2026

This Privacy Policy describes how Brewapps LLC ("Creddy", "we", "us", or "our") collects, uses, and protects your personal information when you use the Creddy mobile application (the "App") and related services (collectively, the "Services").

Creddy is an iOS application that helps you track credit card benefits, statement credits, welcome bonuses, and reset windows. We designed Creddy with privacy as a foundation — we do not sell your data, we do not share it with advertisers, and we collect only what is needed to operate the App.

1. Who We Are

Brewapps LLC is the data controller for information collected through Creddy. We are a Delaware limited liability company. You can reach our privacy team at [email protected].

2. Information We Collect

2.1 Account Information

When you create a Creddy account, we collect your email address and (optionally) your display name. Account creation is handled by Supabase Auth, our authentication provider. Passwords are hashed using industry-standard algorithms and never stored in plaintext.

2.2 Cards You Add

Creddy lets you add credit cards from our catalog to track their benefits. We store only the card issuer and card name you select (e.g., "American Express Platinum", "Chase Sapphire Reserve"). We do not store:

  • Card numbers, expiration dates, or CVV codes
  • Bank login credentials or financial-account information
  • Statement balances, transaction history, or payment data
  • Your billing address

2.3 Benefit Usage You Log

When you mark a benefit as used inside the App, we store the dollar amount, the date, and any optional note you add. This information is tied to your account so we can show your tracking history back to you and warn you before benefits expire.

2.4 Subscription State

If you subscribe to Creddy Pro, the subscription state is managed by RevenueCat, our subscription-management provider, and the Apple App Store. We receive an anonymized identifier (Apple Original Transaction ID) and the product you purchased. We do not receive your payment information, credit card number, or Apple Account details.

2.5 Push Notifications

When you enable push notifications, we collect an Apple Push Notification Service (APNs) device token. This token is used solely to deliver reminders about expiring benefits and welcome-bonus milestones. You can disable notifications at any time from your iOS Settings.

2.6 Product Analytics

We use PostHog to understand how the App is used so we can improve it. PostHog collects anonymized event data — for example, which screens you visit, which features you interact with, your device model, and your iOS version. PostHog events do not contain card numbers, names, or email addresses.

2.7 Crash and Diagnostic Data

We may collect anonymized crash reports and performance metrics to diagnose bugs. This data is processed in aggregate and does not include personal identifiers.

3. How We Use Your Information

  • To provide, operate, and improve the App
  • To send you push notifications about benefits you might lose if you don't use them in time (only if you opt in)
  • To process and manage your Creddy Pro subscription
  • To respond to your support requests and communicate with you about your account
  • To detect, prevent, and investigate fraud, abuse, or security incidents
  • To comply with legal obligations

4. Third-Party Service Providers

We use a small number of trusted third-party service providers to operate Creddy. Each acts as a data processor under our instructions and is bound by data-processing terms.

  • Supabase (database + authentication) — stores your account, cards, and benefit-usage data. Operated in the United States and European Union.
  • RevenueCat (subscription management) — handles your Creddy Pro subscription state. Operated in the United States.
  • Apple Push Notification Service — delivers notifications to your device. Operated by Apple Inc.
  • PostHog (product analytics) — collects anonymized usage events. Operated in the United States.
  • Vercel (web hosting) — hosts the Creddy marketing website and CMS infrastructure.

5. What We Do Not Collect or Share

We want to be specific about what we do not do with your data:

  • We do not sell your data to third parties.
  • We do not share your data with advertising networks or data brokers.
  • We do not use your data for targeted advertising.
  • We do not share your data with credit card issuers or financial institutions.
  • We do not collect card numbers, CVVs, or any actual payment-instrument data.

6. No Affiliation with Card Issuers

Creddy is an independent application and is not affiliated with, endorsed by, or sponsored by American Express, Chase, Citi, Capital One, Bank of America, Discover, Wells Fargo, Barclays, Bilt, U.S. Bank, or any other credit card issuer. The benefit data shown in the App is collected from publicly available sources and is for informational purposes only. Always verify benefit terms with your card issuer before relying on them.

7. Data Retention

We retain your account data while your account is active. When you delete your account, we purge your personal information within 30 days, except where retention is required by law (for example, financial records required for tax compliance). Anonymized analytics data may be retained for up to 12 months for product-improvement purposes.

8. Your Privacy Rights

You have the following rights regarding your personal information:

  • Access — request a copy of the personal data we hold about you
  • Correction — request that we update inaccurate or incomplete data
  • Deletion — request that we delete your account and all associated data
  • Portability — request an export of your data in a machine-readable format
  • Objection — object to certain types of processing

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

8.1 California Residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act: the right to know what categories of personal information we collect, the right to delete, the right to correct inaccurate information, the right to limit the use of sensitive personal information, and the right to opt out of the sale or sharing of personal information. We do not sell or share personal information as defined by California law.

8.2 European Union / United Kingdom Residents (GDPR / UK GDPR)

If you are located in the European Union or United Kingdom, our lawful basis for processing your data is (a) the performance of our contract with you (operating the App), (b) your consent (where you opt in to notifications or analytics), and (c) our legitimate interests in operating and improving the Services. You have all rights granted by the GDPR / UK GDPR, including the right to lodge a complaint with your supervisory authority.

9. Children's Privacy

Creddy is not directed at children under the age of 13. We do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us with personal information, please contact us at [email protected] and we will promptly delete it.

10. International Data Transfers

Your data may be transferred to, and processed in, countries other than your country of residence, including the United States and the European Union. Where transfers occur from the EU/UK to the US, we rely on the European Commission's Standard Contractual Clauses or equivalent safeguards.

11. Security

We protect your data using industry-standard safeguards:

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest in our database
  • Row-Level Security policies in Supabase that isolate every user's data from every other user's data
  • Apple-managed APNs for push notification delivery
  • Periodic security reviews and dependency audits

No system is perfectly secure. If we discover a breach affecting your data, we will notify you in accordance with applicable law.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you at least 30 days in advance by email (to the address associated with your account) and via an in-app banner. The "Last updated" date at the top of this page indicates the most recent revision. Your continued use of the Services after a material change constitutes acceptance of the revised Policy.

13. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact:

Brewapps LLC
Privacy Team
Email: [email protected]