Privacy Policy

1. Who we are

Savvy Roam ("Savvy Roam," "we," "us") is operated by Aevi Labs. Savvy Roam is a personalized travel rewards platform that helps you maximize miles, points, status, and upgrades based on the home airport you fly from and the way you travel. This policy explains what we collect, how we use it, and the choices you have.

2. Information we collect

We collect the following categories of data:

• Account information. When you sign in with Google (and, in future, Apple), we receive your name, email address, and a stable identifier from the provider. If you use Apple's private relay, we receive only the relay email. We do not see your social login password.
• Onboarding and profile data. Your home airport, travel frequency, destinations of interest, loyalty program memberships, and any other answers you provide during onboarding or in your account settings.
• Status Path data. Tier goals, point/mile balances you enter, and the activity log entries (flights, spend, status matches, promotions) you use to project your status earning.
• Brag Cards. Milestones you choose to share, an optional public display handle, photos you upload, and the referral codes generated for cards you share.
• Recommendation feedback. Thumbs up/down responses and similar signals you provide on the recommendations we surface.
• Affiliate click activity. When you click an "Apply" or partner link, we record the click, the offer, a unique click ID, and (if reported back by the network) whether it converted. We use this both to improve recommendations and to be paid by partners. See § Affiliate disclosures below.
• Device and log data. IP address, approximate location derived from IP (used to suggest your home airport), browser type, operating system, referring page, and timestamps. We use server logs for security and abuse prevention.
• Analytics and error data. If you accept analytics in the consent banner, PostHog records product usage events. We use Sentry to collect error reports. Neither is used for advertising. See § Cookies and local storage.

We do not collect government IDs, passport numbers, payment card numbers, or bank account information. Credit card applications and bookings happen on the partner's own site, not on Savvy Roam.

3. How we use your information

• To deliver the core product: matching you to a hub, ranking airlines and hotel/car partners, recommending cards and sweet spots, and projecting status progress.
• To personalize your dashboard, content hub, and email digests.
• To attribute affiliate conversions and pay our partners accurately.
• To send transactional email (account, security, receipts) and, if you opt in, marketing or product email.
• To debug, monitor, secure, and improve the service, and to detect abuse.
• To comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information, and we do not use it for targeted advertising or share it with third parties for their own marketing.

4. Affiliate disclosures

Savvy Roam earns commissions when you apply for a credit card, transfer points, or complete other actions through links we provide. These links are tagged with a unique click ID so the partner can report conversions back to us. We try to surface these offers only when they are genuinely the best fit for your situation based on the recommendation engine. Affiliate compensation does not influence rankings beyond what is disclosed in our editorial policy (forthcoming).

5. How we share information

We share data only with the categories below:

• Infrastructure and service providers. Supabase (database and authentication), Vercel (hosting), Resend (transactional email), PostHog (product analytics, if you consent), Sentry (error monitoring), and Cloudflare or similar CDN/storage providers. Each is contractually bound to process data only on our instructions.
• Affiliate networks and partners. When you click through to apply or book, we share the click ID and offer metadata with the network (e.g., FlexOffers, CardRatings) or directly with the issuer. The partner's own privacy policy governs what happens on their site.
• Public sharing you initiate. Brag Cards you choose to share are designed to be public. Anyone with a card's URL can view it and any referral landing page you generate.
• Legal and safety. We may disclose information to comply with valid legal process, protect our rights, or address security or fraud.
• Business transfers. If Aevi Labs is involved in a merger, acquisition, or asset sale, your information may transfer as part of that transaction; we will notify you and any new owner will be bound by this policy or a successor at least as protective.

6. Cookies, local storage, and tracking

We use a small number of browser storage mechanisms:

• Essential. Authentication session cookies, CSRF protection, and the analytics-consent preference itself (sr-analytics-consent in localStorage). These are required for the product to function and cannot be disabled.
• Analytics. PostHog product analytics, loaded only after you click Accept in the consent banner. You can change your choice at any time by clearing site data or via the controls in your account.

7. Your choices and rights

Regardless of where you live, you can:

• Access or update your profile and onboarding answers in account settings.
• Export a copy of your data (forthcoming self-serve export in account settings).
• Delete your account, which removes your personal data on the schedule described in § 8.
• Unsubscribe from marketing email via the link in every message.
• Withdraw analytics consent at any time.

EEA, UK, and Switzerland. Under the GDPR, you have rights to access, rectification, erasure, restriction, portability, and objection, and the right to lodge a complaint with your supervisory authority. Our legal bases are: performance of a contract (delivering the service), legitimate interests (security, fraud prevention, product improvement), consent (analytics and marketing email), and legal obligation.

California. Under the CCPA/CPRA, you have rights to know, delete, correct, and limit the use of sensitive personal information, and the right not to be discriminated against for exercising those rights. We do not sell or share personal information for cross-context behavioral advertising.

To exercise any right, email privacy@savvyroam.com. We will respond within the timeframes required by law.

8. Data retention

We keep your account data while your account is active. When you delete your account we remove personal data within 30 days, except where we are required to keep records longer (for example, for tax or anti-fraud purposes). Affiliate click and conversion records may be retained in aggregated or pseudonymized form for accounting and partner reconciliation. Server logs are retained for up to 90 days.

9. Security

We rely on row-level security in our database, encryption in transit (HTTPS), encryption at rest, OAuth-only authentication, and least-privilege access for our team. No system is perfectly secure; if we learn of a breach affecting your data, we will notify you and any relevant authority as required by law.

10. International data transfers

Savvy Roam is operated from the United States and our service providers process data in the U.S. and other countries. Where required, we rely on Standard Contractual Clauses or equivalent mechanisms for transfers out of the EEA, UK, or Switzerland.

11. Children

Savvy Roam is not directed to children. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Changes to this policy

We will update this page when our practices change. If the changes are material, we will notify you by email or in-product before they take effect. The "Effective" date at the top reflects the most recent revision.

13. Contact us

Aevi Labs — Savvy Roam
Privacy: privacy@savvyroam.com