# MaxMile — Privacy Policy

**Last updated: 21 May 2026**

MaxMile ("we", "the extension") is a Chrome browser extension that recommends
the best credit card to use at checkout based on the cards you own and your
optimization goals.

This policy explains exactly what we do — and more importantly, what we don't —
with the data the extension touches. It is intentionally short because we are
privacy-positive by design.

## 1. What MaxMile does not collect

We do not collect:

- Your name, email address, phone number, or physical address.
- Your full credit card number (Primary Account Number / PAN).
- Card CVV, expiry date, or any other authentication detail.
- Your transaction history.
- Your browsing history.
- Your account credentials for any website.

We do not have user accounts. There is no sign-up.

## 2. What MaxMile processes on your device

The extension processes the following data **entirely on your device** in your
Chrome browser. Nothing in this section is transmitted off-device.

### Card metadata you provide

When you add cards to MaxMile during onboarding or via Settings, we store:

- The card name (e.g. "HDFC Infinia")
- The issuer (e.g. "HDFC Bank")
- The network (e.g. "Visa")
- Your card's tracked state: estimated cycle spend, milestone progress, points
  balance (only if you choose to enter these)

Stored in Chrome's `chrome.storage.local` API. Never transmitted.

### Card identifiers detected automatically

When you type or autofill a credit card number on a supported checkout page,
the extension captures:

- The **first 6 digits** of the card number (the BIN — Bank Identification
  Number).
- The **last 4 digits** of the card number (for display: "•••• 1234").

We **never** read the full card number, CVV, expiry, or cardholder name.

The BIN is matched against a local catalog to identify the card type.
You are prompted to confirm if you want to add the detected card to your
MaxMile wallet. If you decline, the BIN is added to a "dismissed" list
locally so we don't prompt again.

Both the BIN and last 4 digits are stored in `chrome.storage.local` only.
Never transmitted off-device.

### Cart amount at checkout

On supported merchant pages (Amazon, Flipkart, MakeMyTrip, Tata CLiQ,
Cleartrip, BookMyShow, Swiggy, BigBasket), the extension reads the visible
cart total amount from the page DOM to compute which card earns the most
rewards.

The amount is used in-memory only and is not stored or transmitted.

### Your optimization preference

Your selected goal (Travel / Cashback / Hotel / Balanced) is stored locally.

## 3. What is transmitted off-device

### Error and crash reports

When the extension encounters an error, an anonymous error report is sent to
**Sentry** (sentry.io), our error-tracking provider.

Reports include:

- The error message and stack trace.
- The page URL on which the error occurred.
- Your browser type and OS version.
- A "release tag" identifying which version of MaxMile produced the error.
- Recent in-extension actions (e.g., "popup opened", "nudge shown") as
  breadcrumbs for debug context.

Before transmission, every payload is passed through an automated PII
scrubber that redacts any sequence of 13 to 19 digits with `[REDACTED_CARDNUM]`.
This is defense in depth — we already never deliberately log card numbers,
but the scrubber ensures none can ever leave the device by accident.

If you click "Report a problem" in the Settings panel, the message you type
is sent to Sentry as an info-level event along with the same metadata. The
content of your message is your responsibility — please do not paste card
numbers or other sensitive information.

### Card data updates (planned)

In a future version, MaxMile will fetch the latest card-rules data from a
read-only public CDN. This fetch contains no user-identifying information —
it is the same fetch every user makes. No data is sent from your device
to the CDN; the CDN does not log requests for analytics purposes.

## 4. What we never do

- We never sell, share, or rent any data to any party.
- We never display ads.
- We never read pages that aren't on our supported merchant list.
- We never read passwords, autofill credentials, cookies, or local storage
  from other websites.
- We never modify the content of any website beyond rendering MaxMile's
  own UI (the Nudge, detection prompts) as separate floating elements.
- We never share data with credit card issuers or merchants.

## 5. Where data lives

| Data | Storage |
|---|---|
| Card list, goal, preferences | Your browser's `chrome.storage.local`, never leaves your device. |
| Detected card BIN + last 4 (pending confirmation) | Your browser's `chrome.storage.local`. |
| Dismissed BIN list | Your browser's `chrome.storage.local`. |
| Error/crash reports | Sentry servers (US region) for our review only. PII-scrubbed before transmission. |

If you uninstall MaxMile, all locally stored data is removed by Chrome.

## 6. Your controls

- **Reset:** Settings → "Reset everything" wipes all local data and returns
  you to onboarding.
- **Remove individual cards:** Settings → tap "Remove" next to any card.
- **Dismiss detections:** when a detection prompt appears, "Not now" adds
  that BIN+last4 to a local dismissed list — it will not appear again.
- **Stop using MaxMile:** uninstall the extension from `chrome://extensions`.
  All local data is wiped.

## 7. Third parties

| Service | Purpose | Data shared |
|---|---|---|
| **Sentry** (sentry.io) | Error and crash reporting | Error messages, stack traces, URLs, user agent, version tag — all PII-scrubbed before transmission. No card numbers, no full identifiers. |

No other third parties have access to any data the extension processes.

## 8. Children

MaxMile is not directed at children under 13 and we do not knowingly collect
data from anyone, including children.

## 9. Jurisdiction and contact

MaxMile is offered "as is" during closed beta. The extension is operated from
India. By using MaxMile you agree to processing under Indian law, specifically
the Digital Personal Data Protection Act, 2023 (DPDP Act).

For questions about this policy, write to: **[email protected]**

## 10. Changes

We may update this policy. Material changes will be announced in-extension
and dated above. Continued use after a change means you accept the new policy.