Privacy Policy
What EliteForCheap collects, what we don't, who handles it, and how to delete it.
We collect the bare minimum we need to run a subscription service: your email, your account preferences (card type, status, target LP), and basic usage logs. We don't see your credit card number — Stripe handles payments. We don't sell your data to anyone. You can delete your account and all associated data anytime from the account page or by emailing us.
1. Who we are
EliteForCheap ("we," "us," or "our") is a hotel-deal comparison service provided through the website at eliteforcheap.com. For privacy questions or data requests, email [email protected].
2. What we collect
We collect three categories of information.
Information you give us
| What | Why |
|---|---|
| Email address | Account creation, sign-in via magic link, transactional and digest emails. |
| Card type and AAdvantage status | Optional — used to personalize Loyalty-Points-per-dollar calculations to your specific earn rate. |
| Current LP balance and goal status tier | Optional — used by the Status Strategy Optimizer to recommend stays. |
| Saved hotels (watchlist) | So we can alert you when watched hotels hit price thresholds. |
| Email preferences | Daily/weekly digest, alert frequency, opt-out flags. |
Information collected automatically
| What | Why |
|---|---|
| Sign-in tokens and session cookies | To keep you signed in across visits. |
| Basic request logs (IP address, user agent, timestamp, page requested) | Standard web server logs. Used for security monitoring, abuse detection, and rate limiting. Retained for 30 days. |
| Usage events (which deals you click, which features you use) | To understand which features are useful and prioritize improvements. |
Information we don't collect
- Credit card numbers. Stripe handles all payment information directly. We only see metadata (the last 4 digits of your card, your subscription status, your billing email) so we can run your account.
- Your AA login or AAdvantage account credentials. EliteForCheap does not connect to your AA account. We don't see your real LP balance — only what you choose to enter.
- Your phone number, unless you explicitly opt into SMS alerts in a future release.
- Government IDs, SSN, or financial information beyond what Stripe needs for billing.
- Cross-site tracking data. We don't run third-party advertising trackers, Facebook Pixel, or anything similar.
3. How we use your information
We use the information we collect to:
- Operate the service — sign you in, deliver emails, process payments, personalize calculations.
- Communicate with you — billing receipts, account notifications, digest emails (per your preferences), and the occasional product update. You can opt out of non-essential email at any time.
- Improve the product — understand which features get used, identify bugs, prioritize new builds.
- Protect the service — detect abuse, enforce rate limits, investigate suspicious activity.
- Comply with legal obligations — respond to valid subpoenas, court orders, or regulatory requests.
We do not use your information to build a profile to sell to advertisers. We do not train AI models on your data.
4. Who we share it with
We share information only with the third parties we need to actually run the service:
| Service | What they get | Why |
|---|---|---|
| Stripe | Email, name (if you provide it), payment information you enter on Stripe's checkout | Payment processing, subscription billing, refunds |
| Supabase | All account data (email, preferences, watchlist, saved settings) | Authentication and primary database hosting |
| Cloudflare | IP address, request metadata | Website hosting, content delivery, DDoS protection |
| Resend | Email address, message content | Sending transactional and digest emails |
Each of these services is bound by its own privacy policy. They process data on our behalf to provide their service to us — they don't get to use your data for their own marketing purposes.
We don't sell your personal information to advertisers, data brokers, or anyone else. We've never sold customer data and don't plan to.
Affiliate clicks. When you click an affiliate link (for example, a Citi credit card application), the destination service may receive standard referral metadata (typically a referral code identifying EliteForCheap as the source). We don't transmit your email or account data to affiliate partners.
5. Cookies and similar technologies
We use a small number of first-party cookies, all functional:
- An authentication cookie to keep you signed in.
- A preference cookie that remembers your card and status selections so you don't have to re-enter them on every visit.
- A consent cookie for users who set their preferences.
We do not use third-party advertising cookies, Facebook Pixel, Google Ads remarketing, or similar cross-site tracking. We do not currently use third-party analytics; if we add a privacy-respecting analytics service later (such as Plausible or Fathom), we'll update this page.
6. How long we keep it
- Account data: as long as your account is active. If you delete your account, we delete your account data within 30 days, except as noted below.
- Server logs and usage events: 30 days for raw logs, longer in aggregated/anonymized form.
- Billing records: 7 years, as required by US tax law. We retain the minimum information needed for tax and accounting compliance even after account deletion.
- Email suppression list: indefinite. If you unsubscribe, we remember not to email you again.
7. Your rights
Regardless of where you live, you can:
- Access the data we have about you — email us and we'll send you a copy.
- Correct any inaccurate information — most fields are editable from the account page.
- Delete your account and associated data — use the delete-account option on the account page or email us.
- Export your account data in a machine-readable format — email us and we'll send you JSON.
- Opt out of non-essential email — every digest and marketing email has an unsubscribe link.
If you live in California: you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what categories of personal information we collect, the right to request deletion, and the right not to be discriminated against for exercising these rights. To exercise CCPA rights, email us with the subject "CCPA request" and we'll process your request within 45 days. We don't sell personal information, so the CCPA "do not sell" right is automatic.
If you live in the European Economic Area or the UK: EliteForCheap is a US-based service and our primary audience is US-based. If you choose to use the service from the EEA or UK, you have rights under GDPR including access, rectification, erasure, restriction, portability, and the right to lodge a complaint with your local data protection authority. We process personal data on the legal basis of contract performance (for account features) and legitimate interest (for security, abuse prevention, and product improvement). Email us to exercise any GDPR right.
8. Children's privacy
EliteForCheap is not directed to children under 18 and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided us information, email us and we'll delete it.
9. Security
We use industry-standard practices to protect your data: TLS encryption in transit, encryption at rest via Supabase, magic-link authentication (no passwords stored), Stripe-managed payment data (we never see your card number), and minimal data retention. No system is perfectly secure — if we ever experience a data breach affecting your information, we'll notify affected users without unreasonable delay and as required by applicable law.
10. International data transfers
EliteForCheap is operated from the United States. Our service providers (Stripe, Supabase, Cloudflare, Resend) primarily process data in the United States, with some routing through other regions for content delivery. By using EliteForCheap, you consent to your data being processed in the United States.
11. Changes to this policy
If we update this Privacy Policy, we'll change the "last updated" date below. For material changes (a new category of data we're collecting, a new third party we're sharing with), we'll notify subscribers by email before the change takes effect.
12. Contact
Privacy questions, data requests, deletion requests, complaints — email [email protected]. We respond to privacy requests within 5 business days and complete them within 30 days.