perqa
← Home

Privacy Policy

What data we collect, how we use it, and the choices you have.

Last updated: June 2026 (updated for in-app AI-data consent disclosure)

Finly Labs Pte. Ltd. (“Finly Labs”, “we”, “us”) builds and operates Perqa (the “Service”). This Privacy Policy explains what personal data we collect when you use Perqa, how we use and protect it, and the choices you have over your data. We aim to be aligned with Singapore’s Personal Data Protection Act (PDPA).

1. What we collect

1.1 Account information

When you create an account we collect your email address and an encrypted password hash (handled by our authentication provider, Supabase). We do not store your plain-text password.

1.2 Card and preference data

The cards you add to your wallet, your selected reward preferences (any combination of Miles, Cashback, and Store Points), your statement dates, and your paid/unpaid status for each card.

1.3 Spend data you enter or import

Transactions you log manually (merchant, category, amount, date, card used) and transactions extracted from card statement PDFs you upload (same fields plus the raw description line from your statement). The original PDF is processed once by our parser and not retained.

1.4 Usage information

Anonymous analytics collected via Vercel Analytics and Vercel Speed Insights — page views, basic device type, and performance metrics. We do not use third-party advertising cookies and do not track you across other sites.

1.5 Ask Perqa chat data (third-party AI)

Ask Perqa is powered by a third-party AI service: Anthropic, the company behind the Claude AI models. Before your first message is ever sent, Perqa shows an in-app notice explaining what is shared and asks for your permission — nothing is sent to Anthropic until you agree. Each turn is then sent to Anthropic along with a snapshot of your wallet and recent spend (the cards you own, this cycle’s totals, your last 30 days of transactions, and your reward preferences) so the assistant can answer with context. Anthropic receives this for the duration of the call only and does not retain it to train AI models (see Section 5). We store the messages of the conversation against your account so you can scroll back to past chats. On the Landing-page demo (no sign-in), no wallet snapshot is sent and no chat history is stored against any account; only the message you type is sent to Anthropic to answer, and an anonymised IP-derived hash is logged for daily rate limiting (5 messages per IP per day) and rotates daily so it cannot be linked across days.

1.6 Approximate location (optional)

If you enable Travel mode or grant the location permission, we use your device’s approximate location and timezone to detect which country you’re in, so recommendations reflect local versus overseas spend. For the “near me” merchant feature, an approximate location is sent to Google Maps Platform at the moment of the request to find nearby places. We do not keep a history of your location, and we never track it in the background. You can decline or revoke the permission at any time — Perqa falls back to timezone-based country detection.

1.7 Email subscriptions

If you opt in — in Settings → Email updates, or via the subscribe form on our homepage — we store your email address and which updates you’ve chosen (for example, the monthly card-changes digest). These are marketing communications under the PDPA: they are strictly opt-in, never pre-selected, and every email carries a one-click unsubscribe link. You can also turn them off anytime in Settings. The homepage subscribe form stores only your email and a rotating IP-derived hash used purely for spam rate-limiting.

1.8 Apply-link clicks

When a signed-in user taps an “Apply” link for a card, we log that tap (which card, when) to measure referrals — see Section 5a. We do not log this to advertise to you, and it never affects which cards we recommend.

2. What we do NOT collect

  • Your credit card number, CVV, or expiry date.
  • Your bank login credentials.
  • Your contact list or address book.
  • Your continuous or background location (approximate location is used only at the moment you ask, and only with permission — see 1.6).
  • Data from other apps or websites.

Card statement PDFs you upload are processed by a third-party AI service — Anthropic (the Claude AI models, see Section 5) — to extract the transaction lines. Before your first upload, Perqa shows an in-app notice explaining this and asks for your permission; nothing is sent until you agree. The PDF is sent over HTTPS, processed once, and discarded — we do not retain the file, and Anthropic does not retain it to train AI models. Only the extracted fields (date, merchant, amount, category) are stored against your account.

3. How we use your data

  • To generate card recommendations and insights personalised to you.
  • To track your progress toward bonus-tier unlocks and cap limits.
  • To authenticate you and secure your account.
  • To respond to your support requests.
  • To improve the Service — identify bugs, analyse aggregate usage patterns.
  • To communicate important Service updates (e.g. policy changes, security alerts).
  • To send the email updates you have opted into, until you unsubscribe.

We do not sell your personal data. We do not share your personal data with advertisers, data brokers, or banks.

5a. Affiliate links

Perqa is free. Some “Apply” links are referral/affiliate links: if you apply through one and are approved, we may earn a commission from the bank or a partner. This is how we keep the app free, and it never changes which card we recommend — rankings are based only on your spend and the published reward rates. For signed-in users we record the Apply tap (card and time) to reconcile referrals; we don’t use it to profile or advertise to you. Full detail on our How we make money page.

4. Where your data is stored

Your data is stored in a Supabase-managed PostgreSQL database hosted on cloud infrastructure. Access is protected by row-level security rules, which ensure that one user’s data is not visible to another user. Data in transit is encrypted using HTTPS/TLS.

5. Third-party processors

We rely on a small number of trusted third-party services to operate Perqa:

  • Supabase — database, authentication, and row-level security.
  • Vercel — hosting, CDN, and anonymous usage analytics.
  • Anthropic (the Claude AI models) — the third-party AI service behind two features: extracting transaction lines from card statement PDFs you upload, and powering Ask Perqa chat. Perqa asks for your permission in-app before either feature sends anything, and you can decline. For PDF parsing, Anthropic receives the contents of the PDF for the duration of the parse call. For chat, Anthropic receives each message you send plus a snapshot of your wallet and recent spend (cards owned, this cycle’s totals, last 30 days of transactions, your reward preferences) for the duration of the call. In neither case is the PDF, message, or snapshot retained to train AI models, per Anthropic’s commercial API terms. We pass no other personal data (your name, email, card numbers, balances) to Anthropic.
  • Resend — email delivery: for feedback/contact messages you send us, and to send the email updates you have opted into.
  • Google Maps Platform — only when you use the “near me” merchant feature; an approximate location is sent to find nearby places (see 1.6). Not used for advertising.
  • Google Cloud (OAuth) — only if you choose “Sign in with Google”; we receive only your email and Google account ID.

Each of these providers has its own security practices and privacy policies. We only share the data strictly necessary for them to perform their role.

6. How long we keep your data

We retain your data for as long as your account is active. You can delete your account and all associated data at any time from Settings → Account → Delete account in the app, or see how to delete your account for all the options. In-app deletion is immediate; emailed requests are completed within 30 days, except where we are required to retain certain records to comply with legal obligations. If you unsubscribe from email updates, we stop sending them and remove your address from that list (a homepage-only subscriber who never created an account is removed entirely on unsubscribe).

7. Your rights under PDPA

As a Perqa user you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to fix inaccurate data.
  • Deletion — ask us to delete your account and associated data.
  • Withdraw consent — opt out of any non-essential processing.
  • Portability — request your data in a machine-readable format.

To exercise any of these rights, email support@perqa.app. We will respond within 30 days.

8. Cookies and local storage

Perqa uses your browser’s local storage to remember your session and a small number of UI preferences. We do not use third-party tracking cookies. You can clear this storage at any time from your browser settings, though doing so will sign you out.

9. Security

We take security seriously, but no system is perfectly secure. We protect your data with HTTPS/TLS in transit, row-level security on stored data, and secure authentication practices. If we become aware of a breach affecting your data, we will notify you without undue delay as required by the PDPA.

10. Children

Perqa is not intended for users under 18 and we do not knowingly collect personal data from children. If you believe a child has created an account, contact us and we will delete the account promptly.

11. Changes to this Policy

We may update this Privacy Policy from time to time. When we make material changes we will notify you via email or an in-app message before the changes take effect. The “Last updated” date at the top of this page indicates the most recent revision.

12. Contact

Questions, requests, or complaints about this policy? Our data protection contact is reachable at support@perqa.app. You also have the right to lodge a complaint with the Personal Data Protection Commission of Singapore (PDPC).