Are point sites safe? 2026 — Reading operators, personal data, and cash-out troubles

Poikatsu basics Published：2026-05-29 12 min read

The truth behind "point sites are shady"

The "shady / risky / scam-like" image that always comes up with point sites is largely a hangover from the late 2000s to early 2010s. As of 2026, with a mature industry, the major sites are an entirely different story.

That said, it's also true that scam services posing as point sites, and sloppily-run sites, still exist today. This article explains concretely "how to tell a safe site from a dangerous one", based on verifiable information — the operator, cash-out track record, industry-body membership, and user reputation.

📊

Bottom line first: Moppy (operator: Ceres Inc., TSE Prime-listed), Hapitas (operator: OZvision Inc., JIPC member), and Pointtown (operator: GMO Media, TSE Standard-listed) are all safe sites with objectively backed credibility. Conversely, the rule of thumb is to steer clear of sites with "under 1 million members", "not a JIPC member", or "opaque operator info".

How it makes money — why ad rewards sustain it

"A service that hands out free money can't be safe" is a natural gut reaction. That's exactly why understanding the revenue structure is the starting point of any "safety" discussion.

The advertiser sets aside ad budget to acquire "one new customer" 10,000–20,000 yen per new card customer, or 20,000–30,000 yen per FX customer, is normal in the industry.
It's distributed to point sites as offers via ASPs (ad agencies) Major ASPs like A8.net / ValueCommerce / JANet / Adways act as the relay.
The point site returns 60–80% of the ad fee it receives to users as points The remaining 20–40% covers operations, staff, ad sales and profit.
User applies → advertiser gains a customer → everyone comes out ahead A three-way win. Not shady at all — a pure ad business.

In other words, point-activity users are simply receiving part of the ad fee the advertiser paid, as a "handy routing bonus". It's not a pyramid scheme, not a Ponzi, not an investment scam. The moment you understand this structure, most of the "shadiness" should vanish.

7 conditions of a safe point site

As of 2026, a site that clears all 7 of the following can be judged to have objectively backed safety.

① A clear corporate entity, with address, representative and phone number listed

Check the "Specified Commercial Transactions Act" notice and whether the company-overview page fully lists trade name / corporate number / head-office address / representative director / phone number. If even one is missing, it's a caution flag.

② A listed company, or comparable scale and transparency

Moppy = Ceres Inc. (TSE Prime 3696), Pointtown = GMO Media (TSE Standard 6180), Hapitas = OZvision Inc. (private, but 5M members and 18+ years). Listed companies disclose financials quarterly, and any wrongdoing surfaces immediately in the stock price and audits, so credibility is high.

③ Member of JIPC (Japan Internet Point Council)

JIPC is the industry's self-regulatory body, founded in 2007, imposing codes of conduct on members for "personal-data protection / cash-out fulfilment / proper ad representation". JIPC membership is a mark of trust within the industry.

④ Holds the Privacy Mark (P-Mark)

JIPDEC's certification of a personal-data management system. Acquisition and renewal require ongoing audits — it's not a token badge.

⑤ SSL (HTTPS) + SMS / 2FA login authentication

This is the bare minimum for a modern point site. A non-HTTPS site is "retreat immediately" territory.

⑥ Continuity of cash-out history (5+ years of operation)

A site clearing "5M members + 5+ years" has an extremely low risk of "cash-outs stopping" or "vanishing one day". Conversely, "under 2 years, under 100k members" warrants caution.

⑦ User reviews posted continuously on social media / 5ch / Minkabu, etc.

"A search turns up plenty of both positive and negative voices" is a healthy sign. A site nobody talks about is either "used by very few people" or "near closure".

5 warning signs of a dangerous one

⚠

If even one of the following applies, hold off on registering or do a minimum risk check. If several apply, you should avoid it.

① An abnormally high "minimum cash-out" (over 5,000 yen)

The industry average is 100–300 yen. A site setting "5,000-yen" or "10,000-yen" minimums is likely betting that users drop off before reaching cash-out (which, to the operator, is monetization).

② Cash-out fees that are too high (over 10%)

For major sites, "free cash exchange" is the norm. A site charging over 10% is effectively shaving 10% off your real return rate.

③ Sloppy offer descriptions, conditions that change after the fact

A site with frequent social-media complaints like "the terms changed after I applied" or "the approval criteria are vague" is evidence of "sloppy contract management with advertisers".

④ Opaque operator financials

It says "○○ Inc.", but the company can't be found in the corporate registry, or it was founded under a year ago. You can confirm in one minute by searching the National Tax Agency's corporate-number lookup.

⑤ Overhyped claims like "guaranteed to earn" or "aim for a million yen"

A legitimate point site pitches "reward proportional to effort". A site overusing "guaranteed", "anyone can", "effortless" is veering toward an info-product trap.

How much personal data you hand over

When you register on a point site, the operator stores at least the following.

Data	Required at sign-up	Use
Email	Required	Login / notices / campaign alerts
Nickname	Required	Display (no real name)
Password	Required	Stored encrypted (not even the operator sees it)
DOB / gender / prefecture	Required	Ad targeting / statistics
Phone number	Required	SMS auth / fraud detection
Real name / address	Not normally needed	ID check / bank transfer only
Bank account	Cash-out only	Transfer destination
ID documents	Large cash-outs only	Anti-money-laundering / regulations

When you apply for an offer, data goes to the "advertiser"

This is the blind spot. "The data you registered" with the point site and "the data sent to the advertiser when you apply" are different things. If you enter your real name and address for a card-issue offer, that goes to the card company (advertiser). This happens even without going through a point site, so "going via a point site increases data-leak risk" is simply not true.

Recommended: separate your "phone number" and "email"

Separating a point-activity-only email and an SMS-receiving number is an effective spam defense. SMS from major carriers can't be forwarded, so some users keep a point-activity-only SIM or a free-SMS plan like IIJmio.

Typical cash-out troubles & fixes

① "I applied but no points credited"

90% of the time the cause is a dropped cookie / private browsing / an ad-blocker. The other 10% is an overlooked offer condition (household duplication, minimum trade volume not met, etc.).

Fix: keep screenshots of the application and completion screens, recheck the offer notes → if you meet the conditions, file a "completion investigation request" with the operator. Most major sites re-investigate on request.

② "My points suddenly dropped"

Usually it's a "denial from the advertiser" (failed ID check on a card issue, FX minimum trade not met, etc.). If the site made no error, it won't be restored. Ask the operator for the denial reason.

③ "My cash-out is delayed"

Bank / PayPay direct exchange normally arrives in 1–3 business days. If nothing reflects in over a week, it's worth an inquiry. It's usually the site's processing queue, or a name mismatch on the receiving account.

④ "My account was suddenly suspended"

A case of tripping the fraud-detection logic. The typical triggers are "multiple accounts on the same phone / same IP / unnatural offer patterns". Even without intent, an inquiry sometimes restores it, but to avoid recurrence, legitimate everyday use is best.

JIPC membership & industry self-regulation

JIPC (Japan Internet Point Council) is the point-site industry's self-regulatory body, established in 2007. As of 2026, the vast majority of major sites are members.

The codes of conduct JIPC imposes

Proper management of personal data (the Privacy Mark is effectively required)
Reliability of point grants and cash-out fulfilment (no rule-breaking point confiscation)
Proper ad representation (no exaggerated ads or misleading superiority claims)
A proper member-complaint handling process
Compliance with anti-intrusion measures and security standards

Major JIPC member sites

Moppy (Ceres Inc.)
Hapitas (OZvision Inc.)
Pointtown (GMO Media Inc.)
PointIncome (Five Gate Inc.)
Gendama (Real World Inc.)
ECnavi (DIGITAL X Inc.)
Plus a dozen-odd other majors

Understand that when you use a non-JIPC site, it's outside the industry's self-regulation, so you have to vet the risk yourself.

Conclusion — genuinely safe point sites

Sites meeting all of this article's criteria number 6 as of 2026.

Site	Operator	Listed	JIPC	Members
Moppy	Ceres Inc.	Prime 3696	○	12M
Hapitas	OZvision Inc.	Private	○	5M
Pointtown	GMO Media Inc.	Standard 6180	○	8.5M
PointIncome	Five Gate Inc.	Private	○	4M
Gendama	Real World Inc.	Private	○	10M
Powl	Testee Inc.	Private	○	3.5M

Of these, the first 3 a beginner should register are Moppy, Hapitas and Pointtown. See Getting started with point activity 2026 for details.

✅

"Safe" doesn't mean "zero trouble, ever". Trouble at the level of a cookie slip or an overlooked condition causing a non-credit can happen on any site. The 6 above satisfy safety in the sense of "no deliberate wrongdoing by the operator", "cash-outs don't stall", "personal data is properly managed". Understand it as 99%, not 100%.

FAQ

Can you declare them "absolutely safe"?

The risk of deliberate wrongdoing by the operator is near zero, but "user-side mistakes (cookies / unmet conditions)" and "an advertiser going bankrupt" can't be fully prevented. The 6 majors are safe in the sense that "trouble outside the user's responsibility is extremely rare". Understand it as 99%, not 100%.

If the operator goes bankrupt, do my points vanish?

In principle, yes. That's exactly why setting "listed company OR 5M+ members + 5+ years" as a condition lowers bankruptcy risk. As a precaution, don't hoard a large balance — cash out at a once-a-month pace.

Will my personal data be sold via ad emails?

JIPC-member majors explicitly state in their terms that "third-party provision is opt-in". Unless you actively check "I agree", your email isn't passed to advertisers. That said, an "email newsletter" box is sometimes pre-checked when you apply for an offer, so build the habit of unchecking it if unwanted.

Handing over my phone number for SMS auth scares me

SMS auth's main purpose is "preventing multiple accounts on the same number", and sales calls or SMS spam are extremely rare at major sites. Still, keeping a separate "point-activity SIM / IIJmio eSIM, etc." is a reasonable setup.

Are "million-member-class" sites safe?

The precise answer is "it depends on operating period and JIPC membership". "1M members + 5 years + JIPC member" can be treated as quasi-major. "1M members + under 2 years" or "non-JIPC" — avoid it, or limit yourself to minimal small-value use.

This article was written from publicly available information on each point site as of May 2026. Cashback rates, campaign terms, and redemption rules can change without notice — always check each site's official page for the latest. This site uses each point site's referral program, but going through a referral link never changes the rate you receive.