Prfct Privacy Policy
Effective Date: June 1, 2026
Last Updated: June 1, 2026
1. Introduction
This Privacy Policy explains how S2 Capital Inc ("Prfct," "we," "us," or "our") collects, uses, stores, shares, and protects information about you when you use the Prfct browser extension, our website at theprfct.app, and the related backend services (collectively, the "Service"). It also explains the choices you have about your information and how you can exercise the privacy rights available to you under U.S. federal and state law.
Prfct is a Chrome browser extension that helps you decide which credit card from your own wallet is most likely to maximize the rewards, cash back, or other benefits available to you at online checkout. To do this, we rely on a limited set of personal information that you provide directly, that we receive from your connected financial institutions through Plaid, and that the extension generates automatically while you use it.
This Privacy Policy is incorporated by reference into the Prfct Terms of Service. By using the Service, you agree to the practices described here. If you do not agree, do not install the extension, do not create an account, and do not use the Service.
2. Scope
This Privacy Policy covers:
- The Prfct Chrome browser extension distributed through the Chrome Web Store;
- The Prfct website at theprfct.app and any subdomains;
- The Prfct backend service, hosted in the United States; and
- Communications we send you in connection with your account (for example, the one-time passcode sent during sign-up).
This Privacy Policy does not cover:
- Plaid. When you click "Connect a bank" in Prfct, you are routed to Plaid Link, a service provided by Plaid Inc. Your bank login credentials are entered into Plaid's interface and are not seen by, transmitted to, or stored by Prfct. Plaid's collection and use of your credentials, your authentication with your bank, and Plaid's relationship with you as an end user are governed by Plaid's own end-user privacy policy, available at https://plaid.com/legal/#end-user-privacy-policy. We encourage you to read it before connecting an account.
- Your bank or card issuer. Your bank, your card issuer, and any merchant you transact with have their own privacy practices, which are governed by their own notices.
- Third-party links. The Service may surface affiliate links to card issuer application pages. Once you click through, you are on the issuer's website and subject to the issuer's privacy practices.
- The Chrome Web Store. The distribution channel is operated by Google and governed by Google's policies.
For the data we receive from Plaid and store on our servers, Prfct is the controller of that data and this Privacy Policy applies. For the data you enter into Plaid Link itself, Plaid is the controller and Plaid's policy applies.
3. Information We Collect
We collect only what we need to operate Prfct. The categories are described below.
3.1 Information You Provide Directly
- Email address. When you sign up, you provide an email address. We use it to send a six-digit one-time passcode ("OTP") to verify the address, to authenticate you on subsequent logins, to send transactional notices (security alerts, account changes, deletion confirmations, material updates to these policies), and — only if you have separately opted in — to send product updates or marketing communications.
- Support correspondence. If you email support@theprfct.app or otherwise contact us, we keep a record of that correspondence and any information you choose to include in it.
3.2 Information Collected Automatically
When you use the Service, we automatically collect a limited set of diagnostic and operational information, including:
- Extension usage diagnostics. Anonymous or pseudonymous signals about how the extension is performing on your device — for example, which UI surfaces opened, whether a recommendation was shown, and whether an error occurred. We use these signals to debug the extension and improve the recommendation experience. Where reasonably possible, we collect these diagnostics in a form that is not tied to your identified account.
- Device and connection information. Limited technical information such as your IP address, browser type and version, operating system, extension version, time zone, and the timestamps of requests to our backend.
- Error reports. If the extension or backend encounters an error, we may collect a stack trace, the URL where the error occurred (with sensitive query strings stripped where feasible), and a session identifier so we can reproduce and fix the problem.
- Cookies and similar technologies. Our website at theprfct.app may use a small number of strictly necessary cookies for session management. We do not currently use third-party advertising cookies or cross-site tracking pixels.
3.3 Information We Receive from Connected Financial Accounts (via Plaid)
When you connect a financial institution through Plaid, Plaid returns a limited set of data to us so we can generate recommendations. Specifically, we receive:
- Plaid access token. A long-lived token that allows us to call Plaid on your behalf to refresh the data below. We store this token on our servers encrypted at rest using AES-256-GCM. We do not have the ability to use this token to access your bank credentials, and the token itself is not the same as your bank password.
- Plaid Item metadata. Information identifying the financial institution you connected and the date the connection was created.
- Account metadata. For each connected account, a non-sensitive identifier, the account type (for example, "credit card"), a masked account number (typically the last four digits), the account nickname returned by your bank, and — if your bank returns them — current and available balances. We do not receive or store the full account number, the routing number, or the cardholder verification value (CVV).
- Transaction metadata (fetched on demand, not stored). When the recommendation engine needs context — for example, to learn which categories and merchants each of your cards is best used for — we fetch transactions from Plaid on demand using the access token. For each transaction we typically receive the merchant name, the merchant category code (MCC) or Plaid-assigned category, the amount, the currency, the transaction date, and a Plaid transaction identifier. We do not receive the full card number (PAN) or the CVV used to make the transaction. Transaction data lives in memory only for the duration of the request and is not persisted to our database.
We request only the Plaid product scopes needed for the recommendation feature (such as Transactions, together with the account and Item identifiers Plaid returns with it); Section 3.4 describes the account data we do not receive. If we add a feature that requires additional Plaid scopes in the future, we will update this Privacy Policy and, where required, ask for your consent again.
3.4 Information We Do NOT Collect
We have designed Prfct to minimize the sensitive data we touch. We do not collect or store any of the following:
- Full primary account numbers (PAN) for credit, debit, or any other payment cards;
- Card verification values (CVV / CVC / CID);
- Bank account passwords, PINs, security questions, or other login credentials (these are entered into Plaid Link, not into Prfct);
- Full bank account numbers or routing numbers;
- Social Security numbers (SSNs) or other government-issued identification numbers;
- Driver's license, passport, or other government ID images;
- Biometric identifiers (fingerprints, facial geometry, voiceprints);
- Precise geolocation (GPS-level latitude/longitude) from your device;
- Categories of "sensitive personal information" under CPRA other than as incidental to the account-management data above (we do not collect race, religion, sexual orientation, union membership, health information, or contents of mail, email, or text messages);
- Information from children under the age of 13 (see Section 12).
4. How We Use Information
We use the information described in Section 3 only for the following purposes:
- Provide the Service. Generate and display card recommendations at checkout, fetch transaction data from Plaid on demand when a recommendation is generated (see Section 3.3), refresh connected-account metadata as needed, and present your connected wallet to you in the extension UI.
- Account management. Create and authenticate your account; send the OTP; manage sessions; respond to support requests; process deletion requests.
- Security and fraud prevention. Detect, investigate, and prevent abuse, fraud, unauthorized access, and other harmful activity; protect the rights, property, and safety of Prfct, our users, and the public.
- Service operations and improvement. Debug, monitor performance, fix issues, and improve the recommendation engine and the user experience. Where feasible we use de-identified or aggregated data for this purpose.
- Legal and compliance. Comply with applicable laws and regulations, respond to lawful requests from government authorities, enforce our Terms of Service, and protect against legal liability.
- Communications. Send transactional emails (sign-up OTP, security notices, account notices, material updates to these policies). With your separate opt-in consent, send product updates or marketing communications. You can opt out of marketing communications at any time.
We do not:
- Sell your personal information to anyone, for money or other valuable consideration;
- "Share" your personal information for cross-context behavioral advertising as that term is used in CPRA;
- Use your data to train advertising or behavioral profiling models for third parties;
- Use your data for any "secondary use" that is materially different from the purposes described in this Privacy Policy without giving you notice and, where required, obtaining your consent.
5. Legal Bases for Processing
Although U.S. law does not require a "legal basis" framework, we identify below the bases we rely on, in case state regulators or users find it useful:
- Performance of a contract. Processing your email, Plaid access token, Plaid metadata, and transaction metadata is necessary to provide the Service.
- Consent. Where you have opted in — for example, by submitting your email for OTP verification, by completing Plaid Link, or by opting in to marketing emails.
- Legitimate interests. Limited diagnostic and security processing to keep the Service operational, secure, and free from abuse.
- Compliance with law. Processing and retention required by tax, accounting, audit, fraud-prevention, or other legal obligations.
6. Sub-Processors and Service Providers
We use a small set of vendors to operate the Service. Each vendor is bound by a contract that limits their use of your information to the services they provide to us. We do not authorize any of these vendors to sell your data or to use it for their own marketing.
- Plaid Inc. — Bank data connectivity. Receives your bank login credentials directly from you in Plaid Link, authenticates you with your bank, and returns the metadata described in Section 3.3 to Prfct. End-user privacy policy: https://plaid.com/legal/#end-user-privacy-policy.
- Render Services, Inc. — U.S.-based application hosting and database hosting (U.S. region: Oregon). Hosts our application servers and our PostgreSQL 16 database. Privacy notice: https://render.com/privacy.
- Resend (Resend.com) — Transactional email delivery. Sends the sign-up OTP, security notices, and other transactional emails. Privacy notice: https://resend.com/legal/privacy-policy.
- Sentry (Functional Software, Inc. d/b/a Sentry) — Planned sub-processor for application error monitoring. Sentry will receive limited diagnostic information (stack traces, error messages, request metadata) when we instrument the extension and backend with Sentry. We will update this Privacy Policy to reflect the activation date when Sentry instrumentation ships. Privacy notice: https://sentry.io/privacy/.
7. Affiliate Tracking Disclosure
Prfct is free for users. To support the Service, we participate in affiliate marketing arrangements with credit card issuers and third-party marketing partners. When the extension surfaces a link inviting you to apply for a new credit card, that link may be an affiliate link.
- A click identifier may be transmitted. When you click an affiliate application link, your browser navigates to the issuer (or an intermediate affiliate network) carrying a click identifier — typically a URL parameter or a redirect through a partner domain — that lets the issuer or network attribute the resulting application back to Prfct. Like any website visit, this carries the IP address, browser, and referring URL your browser sends automatically.
- The issuer or network sets its own cookies. Once you are on the issuer's site, the issuer or its affiliate network may set cookies, including to track the application through completion. Those cookies are governed by their privacy policy, not ours.
- We may receive per-event commission data. If you are approved for a card, Prfct may receive a notification from the issuer or network confirming the qualifying event and the commission earned. We do not request or receive your application details, the card number issued, your credit score, or other underwriting information.
- Recommendations are not paid placements. Affiliate economics do not determine which card we recommend at checkout. See Section 8 of the Terms of Service.
- You can always ignore an affiliate link and apply directly through the issuer.
8. Data Retention
We retain personal information for as long as necessary to provide the Service and for the additional periods described below.
- Account information (email, account record). Retained while your account is active and for a reasonable period after deletion to confirm deletion, prevent account re-creation abuse, and comply with legal obligations.
- Plaid access tokens. Retained while the corresponding bank connection is active. When you delete a connection, request account deletion, or revoke access through Plaid, we revoke the token with Plaid and delete it from our systems.
- Plaid item and account metadata. Retained while your account is active so the recommendation engine can identify your connected cards.
- Transaction data. We do not persist transaction history on our servers. Each recommendation triggers a fresh fetch from Plaid; transaction data lives in memory only for the duration of the request and is not stored.
- One-time passcodes (OTPs). Deleted at the moment you use them, or 24 hours after creation if unused — whichever is sooner.
- Diagnostic, error, and webhook events. Retained for 60 days and then deleted.
- Support correspondence. Retained for a reasonable period after the matter is resolved.
- Legal and compliance records. Retained as required by applicable tax, accounting, audit, fraud-prevention, or other legal obligations, even after your account is deleted.
When we no longer have a business or legal reason to keep personal information, we delete or de-identify it.
9. Data Security
We use administrative, technical, and physical safeguards designed to protect your information:
- Encryption at rest. Plaid access tokens and other sensitive fields in our PostgreSQL database are encrypted using AES-256-GCM. Backups are encrypted at rest by our hosting provider.
- Encryption in transit. All communication between the extension, website, backend, and sub-processors uses industry-standard TLS.
- Access controls. Production access is limited to personnel who need it and is protected by strong authentication.
- Hosting. The backend runs on Render in a U.S. region (Oregon) behind managed network controls.
- Minimization. We deliberately avoid collecting data we do not need (see Section 3.4).
- Vendor diligence. Sub-processors are required to maintain reasonable security practices.
No system is perfectly secure. We cannot guarantee that unauthorized parties will never defeat our safeguards. Help us protect you by using a strong, unique password on your email, enabling two-factor authentication on it, keeping your devices and browser up to date, and reporting suspected unauthorized access to support@theprfct.app.
If we become aware of a security incident that affects your personal information, we will notify you in accordance with applicable law.
10. Your Privacy Rights
State laws including the CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), and the Texas Data Privacy and Security Act give residents specific privacy rights. Prfct extends each of the rights below to all U.S. users regardless of state, to keep the experience simple.
- Right to know / access. Ask us to confirm whether we process personal information about you and to provide a copy.
- Right to deletion. Ask us to delete personal information we hold about you (see Section 11).
- Right to correct. Ask us to correct inaccurate information.
- Right to data portability. Receive a copy in a portable, machine-readable format.
- Right to opt out of sale. We do not sell your personal information.
- Right to opt out of sharing for cross-context behavioral advertising / targeted advertising. We do not share for cross-context behavioral advertising and we do not engage in targeted advertising.
- Right to limit use of sensitive personal information. We minimize collection of sensitive personal information by design (see Section 3.4).
- Right to opt out of profiling. Where state law gives you the right to opt out of profiling that produces legal or similarly significant effects, you may exercise it. The Prfct recommendation engine does not produce legal or similarly significant effects — a card recommendation is informational only and does not approve, deny, or price any product.
- Right to non-discrimination. We will not deny service or change pricing or quality because you exercised a privacy right.
- Right to appeal. If we deny a request, you may appeal by replying to our response or emailing support@theprfct.app with "Appeal" in the subject line.
10.1 How to Exercise Your Rights
Email support@theprfct.app from the email associated with your account and tell us in plain language which right you want to exercise. We may need to verify your identity (typically by sending a code to the email on file). You do not need to create another account to make a request.
You may designate an authorized agent to make a request on your behalf; we may require verification of both you and the agent.
We respond within the timeframes required by applicable law (generally within 45 days for state-law requests, extendable as permitted). If we cannot fulfill a request, we will explain why.
11. Right to Deletion
You have the right to ask us to delete your personal information. To make a request:
- Email support@theprfct.app from the email address associated with your Prfct account, or use the in-product "Delete my account" flow in the Prfct extension Settings.
- Tell us you would like to delete your account and the personal information we hold about you.
Upon receipt of a verifiable deletion request, we will:
- Disable your account;
- Revoke and delete your encrypted Plaid access tokens from our systems, which terminates Prfct's ability to call Plaid on your behalf;
- Delete or de-identify personal information we maintain about you in our backend (email, Plaid Item metadata, account metadata, and diagnostic data tied to your account; transaction metadata is never persisted, as described in Section 8); and
- Use commercially reasonable efforts to complete deletion within thirty (30) days of confirming your request.
We may retain limited information after deletion where the law permits or requires us to do so — for example, to comply with tax, accounting, audit, or fraud-prevention obligations; to enforce our Terms of Service; or to defend against legal claims. Where we retain information after deletion, we retain only what is necessary and we protect it on the same terms described in this Privacy Policy.
Disconnecting a financial institution through Plaid is separate from deleting your Prfct account. Disconnecting through Plaid stops further data refresh from that institution but does not delete the data already received by Prfct. To delete that data, submit a deletion request as described above.
12. Children's Privacy
Prfct is not directed at children and is not intended for use by anyone under the age of eighteen (18). We do not knowingly collect personal information from anyone under 18, and we do not knowingly collect personal information from anyone under 13 within the meaning of the Children's Online Privacy Protection Act ("COPPA"). The eligibility requirements in the Terms of Service expressly require users to be at least 18 years old and U.S. residents.
If you believe we have inadvertently collected personal information from a child under 18, please contact us at support@theprfct.app and we will delete the information promptly.
13. International Users
Prfct is designed for residents of the United States. Our servers, sub-processors, and operations are located in the United States. If you access the Service from outside the United States, you do so at your own initiative and at your own risk, and your information will be transferred to and processed in the United States. The protections described in this Privacy Policy are designed around U.S. federal and state law, not the European Union General Data Protection Regulation, the United Kingdom GDPR, or other non-U.S. privacy frameworks. Non-U.S. residents should be aware that the protections offered by this Privacy Policy may differ materially from those they are accustomed to under their home jurisdiction's privacy laws.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date at the top of this document. If a change is material — for example, a change in the categories of information we collect, the purposes for which we use it, the sub-processors who handle it, or the rights you have over it — we will provide reasonable advance notice (typically by email to the address associated with your account, by an in-product notice, or by a notice on theprfct.app) before the change takes effect.
Your continued use of the Service after the effective date of an updated Privacy Policy constitutes your acceptance of the update. If you do not agree to an updated Privacy Policy, your sole remedy is to stop using the Service and request deletion of your account under Section 11.
15. Contact Us
If you have questions about this Privacy Policy or want to exercise a privacy right, you can reach us at:
Email (privacy requests and general contact): support@theprfct.app
Mailing Address: S2 Capital Inc, 5 Union Square West, FRNT 1, #1038, New York, NY 10003
16. Specific Disclosures for California Residents
This Section 16 supplements the rest of this Privacy Policy with disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA/CPRA"), for residents of California.
16.1 Categories of Personal Information Collected in the Past 12 Months
In the past twelve (12) months, Prfct has collected the following categories of personal information, as those categories are defined in the CCPA/CPRA:
| CCPA/CPRA Category | Examples in Prfct | Source | Purpose | Disclosed to Whom |
|---|---|---|---|---|
| Identifiers | Email address, account identifier, IP address, device identifiers | Directly from you; automatically from your device | Account creation, authentication, security, communications | Sub-processors (Plaid, Render, Resend; planned Sentry) |
| Customer records (Cal. Civ. Code § 1798.80(e)) | Email address tied to an account record | Directly from you | Account creation, support | Sub-processors |
| Commercial information | Plaid Item metadata, account metadata (masked numbers, types, balances if returned), transaction metadata (merchant, MCC, amount, date) | From your financial institutions via Plaid | Generate card recommendations, debug and improve the service | Sub-processors |
| Internet or other electronic network activity | Extension usage diagnostics, error reports, request timestamps | Automatically from your use of the extension and website | Service operations, security, debugging | Sub-processors |
| Geolocation data (general, not precise) | IP-derived approximate location only | Automatically from your device | Security, fraud prevention | Sub-processors |
| Inferences drawn from other personal information | Inferred spending categories and card-category fit used to rank recommendations | Generated by Prfct from transaction metadata | Generate card recommendations | None — used internally |
| Sensitive personal information | None collected, with the limited exception of account credentials (your Prfct email address used to log in), which CPRA treats as sensitive personal information when combined with a password or access code | Directly from you | Account authentication only | Sub-processors as needed for delivery of the OTP |
We do not collect the following CCPA/CPRA categories: characteristics of protected classifications; biometric information; audio, electronic, visual, thermal, olfactory, or similar information (other than the visual elements of error screenshots if a user chooses to attach one to a support email); professional or employment-related information; education information; or genetic data.
16.2 Sale or Sharing of Personal Information
Prfct does not sell or share personal information as those terms are defined in CCPA/CPRA. We have not sold or shared personal information in the past twelve (12) months. We do not have actual knowledge of selling or sharing the personal information of consumers under sixteen (16) years of age (we do not knowingly collect data from anyone under 18).
16.3 Sources of Personal Information
We collect personal information from the following sources:
- Directly from you (when you sign up, complete OTP verification, or contact us);
- Automatically from your device or browser (extension diagnostics, IP address, device information, error reports);
- From your connected financial institutions through Plaid (Item metadata, account metadata, transaction metadata); and
- From affiliate networks (notifications of qualifying click and application events).
16.4 Disclosure of Personal Information for a Business Purpose
In the past twelve (12) months, we have disclosed the categories listed in Section 16.1 that are marked as disclosed to sub-processors to the sub-processors named in Section 6, for the business purposes of providing, securing, and improving the Service. Inferences are used internally and are not disclosed.
16.5 California Privacy Rights
If you are a California resident, you may exercise the rights described in Section 10 of this Privacy Policy, including the right to know, the right to delete, the right to correct, the right to data portability, the right to opt out of sale or sharing (which Prfct does not do), the right to limit use of sensitive personal information (which Prfct minimizes by design), and the right to non-discrimination. You may also designate an authorized agent and may appeal a denial of your request as described in Section 10.
16.6 "Shine the Light" — California Civil Code § 1798.83
California Civil Code Section 1798.83 ("Shine the Light") permits California residents to ask businesses for an annual notice listing the categories of personal information shared with third parties for direct marketing purposes. Prfct does not share personal information with third parties for their direct marketing purposes.