Privacy Policy
What EliteForCheap collects, what we don't, who handles it, and how to delete it.
We collect the bare minimum we need to run a subscription service: your email, your account preferences (card type, status, target LP), and basic usage logs. We don't see your credit card number — Stripe handles payments. We don't sell your data to anyone. You can delete your account and all associated data anytime from the account page or by emailing us.
1. Who we are
EliteForCheap ("we," "us," or "our") is a hotel-deal comparison service provided through the website at eliteforcheap.com. For privacy questions or data requests, email hello@eliteforcheap.com.
2. What we collect
We collect three categories of information.
Information you give us
| What | Why |
|---|---|
| Email address | Account creation, sign-in via magic link, transactional and digest emails. |
| Card type and AAdvantage status | Optional — used to personalize Loyalty-Points-per-dollar calculations to your specific earn rate. |
| Current LP balance and goal status tier | Optional — used by the Status Strategy Optimizer to recommend stays. |
| Saved hotels (watchlist) | So we can alert you when watched hotels hit price thresholds. |
| Email preferences | Daily/weekly digest, alert frequency, opt-out flags. |
Information collected automatically
| What | Why |
|---|---|
| Sign-in tokens and session cookies | To keep you signed in across visits. |
| Basic request logs (IP address, user agent, timestamp, page requested) | Standard web server logs. Used for security monitoring, abuse detection, and rate limiting. Retained for 30 days. |
| Usage events (which deals you click, which features you use) | To understand which features are useful and prioritize improvements. |
Information we don't collect
- Credit card numbers. Stripe handles all payment information directly. We only see metadata (the last 4 digits of your card, your subscription status, your billing email) so we can run your account.
- Your AA login or AAdvantage account credentials. EliteForCheap does not connect to your AA account. We don't see your real LP balance — only what you choose to enter.
- Your phone number, unless you explicitly opt into SMS alerts in a future release.
- Government IDs, SSN, or financial information beyond what Stripe needs for billing.
- Cross-site tracking data. We don't run third-party advertising trackers, Facebook Pixel, or anything similar.
3. How we use your information
We use the information we collect to:
- Operate the service — sign you in, deliver emails, process payments, personalize calculations.
- Communicate with you — billing receipts, account notifications, digest emails (per your preferences), and the occasional product update. You can opt out of non-essential email at any time.
- Improve the product — understand which features get used, identify bugs, prioritize new builds.
- Protect the service — detect abuse, enforce rate limits, investigate suspicious activity.
- Comply with legal obligations — respond to valid subpoenas, court orders, or regulatory requests.
We do not use your information to build a profile to sell to advertisers. We do not train AI models on your data.
4. Who we share it with
We share information only with the third parties we need to actually run the service:
| Service | What they get | Why |
|---|---|---|
| Stripe | Email, name (if you provide it), payment information you enter on Stripe's checkout | Payment processing, subscription billing, refunds |
| Supabase | All account data (email, preferences, watchlist, saved settings) | Authentication and primary database hosting |
| Cloudflare | IP address, request metadata | Website hosting, content delivery, DDoS protection |
| Resend | Email address, message content | Sending transactional and digest emails |
Each of these services is bound by their own privacy policy. They process data on our behalf to provide their service to us — they don't get to use your data for their own marketing purposes.
We don't sell your personal information to advertisers, data brokers, or anyone else. We've never sold customer data and don't plan to.
Affiliate clicks. When you click an affiliate link (for example, a Citi credit card application), the destination service may receive standard referral metadata (typically a referral code identifying EliteForCheap as the source). We don't transmit your email or account data to affiliate partners.
5. Cookies and similar technologies
We use a small number of first-party cookies, all functional:
- An authentication cookie to keep you signed in.
- A preference cookie that remembers your card and status selections so you don't have to re-enter them on every visit.
- A consent cookie for users who set their preferences.
We do not use third-party advertising cookies, Facebook Pixel, Google Ads remarketing, or similar cross-site tracking. We use Plausible Analytics, a privacy-respecting analytics service that sets no cookies and stores no personal data — it gives us aggregate counts (pages viewed, referral source, country) and cannot identify individual visitors.
6. How long we keep it
- Account data: as long as your account is active. If you delete your account, we delete your account data within 30 days, except as noted below.
- Server logs and usage events: 30 days for raw logs, longer in aggregated/anonymized form.
- Billing records: 7 years, as required by US tax law. We retain the minimum information needed for tax and accounting compliance even after account deletion.
- Email suppression list: indefinite. If you unsubscribe, we remember not to email you again.
7. Your rights
Regardless of where you live, you can:
- Access the data we have about you — email us and we'll send you a copy.
- Correct any inaccurate information — most fields are editable from the account page.
- Delete your account and associated data — use the delete-account option on the account page or email us.
- Export your account data as a standard machine-readable file (JSON — a common format that other apps and spreadsheets can open) — email us and we'll send it over.
- Opt out of non-essential email — every digest and marketing email has an unsubscribe link.
If you live in California: you have additional rights under the California Consumer Privacy Act, as amended by the CPRA, including the right to know what categories of personal information we collect and the purposes for which we use them, the right to access the specific pieces of personal information we hold about you, the right to correct inaccurate information, the right to request deletion, the right to opt out of the "sale" or "sharing" of personal information, the right to limit the use of sensitive personal information, and the right not to be discriminated against (including no different pricing or service) for exercising any of these rights. We do not sell or share personal information for cross-context behavioral advertising, and we do not use or disclose sensitive personal information for purposes that would trigger the right to limit. To exercise these rights, email us with the subject "Privacy request" and we'll respond within 45 days (extendable once by another 45 days where permitted). You may use an authorized agent to submit a request on your behalf; we may ask the agent for proof of authorization and ask you to verify your own identity.
If you live in another U.S. state with a comprehensive privacy law — including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Florida, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Minnesota, Maryland, Tennessee, Indiana, Kentucky, Rhode Island, and others as they take effect — you have substantially similar rights: to confirm whether we process your personal data and to access it, to correct it, to delete it, to obtain a portable copy, and to opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects. We do not engage in targeted advertising, sell personal data, or conduct such profiling. To exercise any of these rights, email us with the subject "Privacy request."
Right to appeal. If we deny your privacy request, you may appeal that decision by replying to our response or emailing us with the subject "Privacy appeal." We will respond to your appeal within 45 days (or as your state's law requires) and explain the reasons for our decision. If your appeal is denied, several states allow you to contact your state Attorney General to submit a complaint; we will provide a link or instructions on request.
Global Privacy Control and opt-out preference signals. Some browsers and extensions can send an opt-out preference signal, such as the Global Privacy Control (GPC), that automatically communicates your choice to opt out of the sale or sharing of personal data and targeted advertising. Where required by law, we treat a valid GPC signal as a request to opt out for that browser or device. Because we do not sell or share personal data or run targeted advertising, there is nothing for the signal to turn off — but we honor it as a matter of practice and will continue to as our features evolve.
Notice at collection. We collect the categories of personal information described in Section 2 (identifiers such as your email and IP address, your account preferences, and internet/usage activity) for the purposes described in Section 3 (operating the service, communicating with you, improving the product, security, and legal compliance). We do not sell or share these categories, and our retention periods are described in Section 6. This Privacy Policy serves as our notice at or before the point of collection.
If you live in the European Economic Area or the UK: EliteForCheap is a US-based service and our primary audience is US-based. If you choose to use the service from the EEA or UK, you have rights under GDPR including access, rectification, erasure, restriction, portability, and the right to lodge a complaint with your local data protection authority. We process personal data on the legal basis of contract performance (for account features) and legitimate interest (for security, abuse prevention, and product improvement). Email us to exercise any GDPR right.
8. Children's privacy
EliteForCheap is not directed to children under 18 and we do not knowingly collect personal information from anyone under 18. If you believe a child has provided us information, email us and we'll delete it.
9. Security
We use industry-standard practices to protect your data: TLS encryption in transit, encryption at rest via Supabase, magic-link authentication (no passwords stored), Stripe-managed payment data (we never see your card number), and minimal data retention. No system is perfectly secure — if we ever experience a data breach affecting your information, we'll notify affected users without unreasonable delay and as required by applicable law.
10. International data transfers
EliteForCheap is operated from the United States. Our service providers (Stripe, Supabase, Cloudflare, Resend) primarily process data in the United States, with some routing through other regions for content delivery. By using EliteForCheap, you consent to your data being processed in the United States.
11. Changes to this policy
If we update this Privacy Policy, we'll change the "last updated" date below. For material changes (a new category of data we're collecting, a new third party we're sharing with), we'll notify subscribers by email before the change takes effect.
12. Contact
Privacy questions, data requests, deletion requests, complaints — email hello@eliteforcheap.com. We respond to privacy requests within 5 business days and complete them within 30 days.