Privacy Policy
Effective Date: May 23, 2026 · Last Updated: May 23, 2026
1. Overview
Maeva is a mobile app that helps you decide which credit or debit card to use at the moment of purchase, surfaces eligible rewards offers from your card issuers, and (with your authorization) enrolls you in store rewards programs on your behalf. This Privacy Policy explains what data Maeva collects, how we use it, who we share it with, and what rights you have.
Maeva is operated by Maeva, a US-based fintech application currently in closed beta ("Maeva," "we," "us"). You can reach us at support@maevarewards.com.
2. Information we collect
2.1 Information you give us directly
- Account credentials. Email address (always), password (hashed and never stored in plaintext), display name and avatar (optional).
- Sign-in provider identifiers. If you sign in with Apple or Google, we store the provider's stable user identifier (a sub claim) so we can re-authenticate you, plus the email address the provider returns.
- Card metadata. When you link a card via Plaid, we receive and store the card network (Visa/Mastercard/Amex/Discover), product type (e.g., "Visa Signature"), and the last four digits. We do not receive, store, or process full card numbers, expiration dates, CVVs, or any data that would put us in PCI DSS scope.
- Optional profile data. Anything you choose to enter in your account screen, including referral codes you redeem at signup.
- Consents. Each time you grant or revoke a permission (such as master consent to auto-enroll in rewards programs), we record the timestamp, the version of the terms you accepted, and the IP address + user agent at the time, for audit and compliance purposes.
2.2 Information we receive from sub-processors
- Plaid (our card-linking partner) returns the card metadata described above, the financial institution name, and a Plaid account identifier we use to refresh card data over time.
- Visa Intelligent Commerce (VIC) returns the rewards offers you're eligible for at participating merchants, and signals when you make a qualifying transaction with a linked card.
- Apple and Google identity providers return your verified email and a stable user identifier when you use those sign-in methods.
2.3 Information we collect automatically when you use the app
- Device and OS data. Operating system version, model class (e.g., iPhone or Android phone), and the app version, collected via the platform's standard APIs.
- Push notification tokens. A token issued by Apple or Google's push services that lets us deliver notifications to your device.
- Location data. Only if you grant location permission. We use your device location to detect when you enter a fenced merchant area so we can fire a proximity notification. We do not store continuous location history; we receive enter/exit events from the operating system and the only persistent state is the list of merchant fences your device is monitoring.
- App usage events. Standard server-side logs (which screens loaded, which endpoints were called, error rates) used for service reliability and security. These logs are retained for 30 days and then automatically purged.
2.4 Information we do not collect
- Full card numbers (PAN), expiration dates, or CVVs.
- Bank account routing or account numbers.
- Credit reports or credit scores (we do not use FCRA-regulated data in any recommendation).
- Government-issued identification documents.
- Browsing history outside the Maeva app.
- Children's data — Maeva is not directed to children under 13 and we do not knowingly collect data from anyone under 13.
3. How we use your information
We use the data described above to:
- Authenticate you and keep your account secure.
- Identify which rewards offers you're eligible for at participating merchants, based on the cards you've linked.
- Send proximity notifications when you walk into a merchant where one of your cards earns cashback, subject to your notification preferences.
- Auto-enroll you in store rewards programs when you've granted master consent for that feature.
- Deliver weekly digest emails or push notifications summarizing your savings (you can opt out of these in Settings).
- Process referrals — if you sign up with someone's referral code, we record that connection so the referrer can be credited.
- Generate the AI-powered card recommendation explanations you see in the app, using Anthropic's Claude language model. Your prompts include only the merchant name, the offer details, and your linked-card metadata (network and product type); we do not send personally-identifying information such as your email or name to Anthropic.
- Investigate and prevent fraud, abuse, and security incidents.
- Comply with our legal obligations.
4. How we share your information
We share data with the following categories of sub-processors and partners:
| Sub-processor | Purpose |
|---|---|
| Plaid | Card linking and account verification. |
| Visa Intelligent Commerce | Card-linked offer eligibility and signals. |
| Anthropic | Generating card-recommendation explanations. |
| Amazon Web Services | Hosting, database, email delivery (SES). |
| Google (Firebase) | Android push notifications via FCM. |
| Apple Push Notification Service | iOS push notifications. |
| Google Identity | "Sign in with Google" authentication. |
| Apple Identity | "Sign in with Apple" authentication. |
We do not sell your personal data. We do not share your personal data with merchants beyond what's required to enroll you in their rewards programs at your direction.
We may disclose your information if required by law (a valid subpoena, warrant, or court order) or if we believe in good faith that disclosure is necessary to investigate fraud or protect the safety of our users.
5. Data retention
| Category | Retention |
|---|---|
| Account profile | Until you delete your account. |
| Card metadata + memberships | Until you delete your account or unlink. |
| Transaction history | 24 months rolling, then aggregated. |
| Consent audit log | 7 years for compliance purposes. |
| Push notification tokens | Until rotated or your account is deleted. |
| Application server logs | 30 days. |
| Anonymized aggregate analytics | Retained indefinitely; no longer linked to your identity. |
When you delete your account, we remove or anonymize all of the above categories (other than aggregate analytics) within 30 days.
6. Your privacy rights
Under various US state privacy laws (including California's CCPA/CPRA, Virginia's VCDPA, Colorado's CPA, Connecticut's CTDPA, and Utah's UCPA), and equivalent rights for users outside the US, you have:
- Right to know. Request a copy of the data we hold on you. Available in-app at My Account → Download my data, or by emailing us.
- Right to delete. Permanently delete your account and the associated data. Available in-app at My Account → Delete account, or by emailing us. Deletion is immediate and irreversible.
- Right to correct. Update inaccurate information in your account via the app's Settings and My Account screens, or by emailing us.
- Right to opt out of "sale" or "sharing." Maeva does not sell or share your personal information for cross-context behavioral advertising. There is no opt-out toggle because there is no sale or sharing to opt out of.
- Right to non-discrimination. We will not retaliate or discriminate against you for exercising any of these rights.
To exercise any of these rights, use the in-app affordances above or email privacy@maevarewards.com. We will respond within 45 days of receiving a verifiable request.
7. Security
Maeva takes the security of your data seriously. We use industry-standard practices including:
- HTTPS encryption for all data in transit.
- Encryption at rest for our database and backups.
- Argon2id password hashing.
- Short-lived access tokens with rotating refresh tokens.
- Webhook signature verification for all third-party integrations.
- Rate limiting and abuse detection on authentication endpoints.
No security system is perfect, however. If you believe your account has been compromised, contact us at security@maevarewards.com.
8. International users
Maeva is operated from the United States and stores data on US-based servers. If you use Maeva from outside the US, you consent to your data being transferred to and processed in the United States, where data protection laws may differ from those in your country.
We do not currently offer Maeva to residents of the European Economic Area, the United Kingdom, or other jurisdictions whose data protection laws would impose additional obligations we are not yet prepared to meet.
9. Children's privacy
Maeva is not directed to children under the age of 13. We do not knowingly collect personal information from anyone under 13. If you believe we have collected data from a child under 13, contact us at privacy@maevarewards.com and we will delete it promptly.
10. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via in-app notice or email before the changes take effect. The "Last Updated" date at the top of this document reflects the most recent revision.
11. Contact us
For privacy questions, requests, or complaints:
Email: privacy@maevarewards.com
You may also lodge a complaint with your state's attorney general's office if you believe we have violated this policy or applicable privacy law.