Are point sites safe? 2026 — Reading operators, personal data, and cash-out troubles

Poikatsu basics Published:2026-05-29 Updated:2026-06-21 16 min read

The truth behind "point sites are shady"

The "shady / risky / scam-like" image that always comes up with point sites is largely a hangover from the late 2000s to early 2010s. As of 2026, with a mature industry, the major sites are an entirely different story.

That said, it's also true that scam services posing as point sites, and sloppily-run sites, still exist today. This article explains concretely "how to tell a safe site from a dangerous one", based on verifiable information — the operator, cash-out track record, industry-body membership, and user reputation.

📊

Bottom line first: Moppy (operator: Ceres Inc., TSE Prime-listed), Hapitas (operator: OZvision Inc., JIPC member), and Pointtown (operator: GMO Media, TSE Standard-listed) are all safe sites with objectively backed credibility. Conversely, the rule of thumb is to steer clear of sites with "under 1 million members", "not a JIPC member", or "opaque operator info".

How it makes money — why ad rewards sustain it

"A service that hands out free money can't be safe" is a natural gut reaction. That's exactly why understanding the revenue structure is the starting point of any "safety" discussion.

  1. The advertiser sets aside ad budget to acquire "one new customer" 10,000–20,000 yen per new card customer, or 20,000–30,000 yen per FX customer, is normal in the industry.
  2. It's distributed to point sites as offers via ASPs (ad agencies) Major ASPs like A8.net / ValueCommerce / JANet / Adways act as the relay.
  3. The point site returns 60–80% of the ad fee it receives to users as points The remaining 20–40% covers operations, staff, ad sales and profit.
  4. User applies → advertiser gains a customer → everyone comes out ahead A three-way win. Not shady at all — a pure ad business.

In other words, point-activity users are simply receiving part of the ad fee the advertiser paid, as a "handy routing bonus". It's not a pyramid scheme, not a Ponzi, not an investment scam. The moment you understand this structure, most of the "shadiness" should vanish.

7 conditions of a safe point site

As of 2026, a site that clears all 7 of the following can be judged to have objectively backed safety.

① A clear corporate entity, with address, representative and phone number listed

Check the "Specified Commercial Transactions Act" notice and whether the company-overview page fully lists trade name / corporate number / head-office address / representative director / phone number. If even one is missing, it's a caution flag.

② A listed company, or comparable scale and transparency

Moppy = Ceres Inc. (TSE Prime 3696), Pointtown = GMO Media (TSE Standard 6180), Hapitas = OZvision Inc. (private, but 5M members and 18+ years). Listed companies disclose financials quarterly, and any wrongdoing surfaces immediately in the stock price and audits, so credibility is high.

③ Member of JIPC (Japan Internet Point Council)

JIPC is the industry's self-regulatory body, founded in 2007, imposing codes of conduct on members for "personal-data protection / cash-out fulfilment / proper ad representation". JIPC membership is a mark of trust within the industry.

④ Holds the Privacy Mark (P-Mark)

JIPDEC's certification of a personal-data management system. Acquisition and renewal require ongoing audits — it's not a token badge.

⑤ SSL (HTTPS) + SMS / 2FA login authentication

This is the bare minimum for a modern point site. A non-HTTPS site is "retreat immediately" territory.

⑥ Continuity of cash-out history (5+ years of operation)

A site clearing "5M members + 5+ years" has an extremely low risk of "cash-outs stopping" or "vanishing one day". Conversely, "under 2 years, under 100k members" warrants caution.

⑦ User reviews posted continuously on social media / 5ch / Minkabu, etc.

"A search turns up plenty of both positive and negative voices" is a healthy sign. A site nobody talks about is either "used by very few people" or "near closure".

5 warning signs of a dangerous one

If even one of the following applies, hold off on registering or do a minimum risk check. If several apply, you should avoid it.

① An abnormally high "minimum cash-out" (over 5,000 yen)

The industry average is 100–300 yen. A site setting "5,000-yen" or "10,000-yen" minimums is likely betting that users drop off before reaching cash-out (which, to the operator, is monetization).

② Cash-out fees that are too high (over 10%)

For major sites, "free cash exchange" is the norm. A site charging over 10% is effectively shaving 10% off your real return rate.

③ Sloppy offer descriptions, conditions that change after the fact

A site with frequent social-media complaints like "the terms changed after I applied" or "the approval criteria are vague" is evidence of "sloppy contract management with advertisers".

④ Opaque operator financials

It says "○○ Inc.", but the company can't be found in the corporate registry, or it was founded under a year ago. You can confirm in one minute by searching the National Tax Agency's corporate-number lookup.

⑤ Overhyped claims like "guaranteed to earn" or "aim for a million yen"

A legitimate point site pitches "reward proportional to effort". A site overusing "guaranteed", "anyone can", "effortless" is veering toward an info-product trap.

How much personal data you hand over

When you register on a point site, the operator stores at least the following.

DataRequired at sign-upUse
EmailRequiredLogin / notices / campaign alerts
NicknameRequiredDisplay (no real name)
PasswordRequiredStored encrypted (not even the operator sees it)
DOB / gender / prefectureRequiredAd targeting / statistics
Phone numberRequiredSMS auth / fraud detection
Real name / addressNot normally neededID check / bank transfer only
Bank accountCash-out onlyTransfer destination
ID documentsLarge cash-outs onlyAnti-money-laundering / regulations

When you apply for an offer, data goes to the "advertiser"

This is the blind spot. "The data you registered" with the point site and "the data sent to the advertiser when you apply" are different things. If you enter your real name and address for a card-issue offer, that goes to the card company (advertiser). This happens even without going through a point site, so "going via a point site increases data-leak risk" is simply not true.

Recommended: separate your "phone number" and "email"

Separating a point-activity-only email and an SMS-receiving number is an effective spam defense. SMS from major carriers can't be forwarded, so some users keep a point-activity-only SIM or a free-SMS plan like IIJmio.

To understand "how far and how your information is handled," it helps to know the cookie mechanism used behind routing. Point-site routing tracking exists to record "which site you routed through to shop or apply," not to extract your real name or payment information itself. Knowing what cookies and routing tracking do and do not do turns vague anxiety into concrete understanding. The details of the mechanism are gathered in our cookies and routing-tracking guide.

Typical cash-out troubles & fixes

① "I applied but no points credited"

90% of the time the cause is a dropped cookie / private browsing / an ad-blocker. The other 10% is an overlooked offer condition (household duplication, minimum trade volume not met, etc.).

Fix: keep screenshots of the application and completion screens, recheck the offer notes → if you meet the conditions, file a "completion investigation request" with the operator. Most major sites re-investigate on request.

② "My points suddenly dropped"

Usually it's a "denial from the advertiser" (failed ID check on a card issue, FX minimum trade not met, etc.). If the site made no error, it won't be restored. Ask the operator for the denial reason.

③ "My cash-out is delayed"

Bank / PayPay direct exchange normally arrives in 1–3 business days. If nothing reflects in over a week, it's worth an inquiry. It's usually the site's processing queue, or a name mismatch on the receiving account.

④ "My account was suddenly suspended"

A case of tripping the fraud-detection logic. The typical triggers are "multiple accounts on the same phone / same IP / unnatural offer patterns". Even without intent, an inquiry sometimes restores it, but to avoid recurrence, legitimate everyday use is best.

Of these troubles, the most common — "points not credited" — is resolved at a very different rate once you know how to isolate the cause and the steps to handle it. Whether the routing broke due to cookies or browser settings, you did not meet the deal's conditions, or it is simply awaiting reflection — checking in order makes even a results-investigation request to the operator smoother. Cause-by-cause handling for when points are not credited is detailed in our points-not-credited handling guide, so checking it too gives you peace of mind.

JIPC membership & industry self-regulation

JIPC (Japan Internet Point Council) is the point-site industry's self-regulatory body, established in 2007. As of 2026, the vast majority of major sites are members.

The codes of conduct JIPC imposes

  • Proper management of personal data (the Privacy Mark is effectively required)
  • Reliability of point grants and cash-out fulfilment (no rule-breaking point confiscation)
  • Proper ad representation (no exaggerated ads or misleading superiority claims)
  • A proper member-complaint handling process
  • Compliance with anti-intrusion measures and security standards

Major JIPC member sites

  • Moppy (Ceres Inc.)
  • Hapitas (OZvision Inc.)
  • Pointtown (GMO Media Inc.)
  • PointIncome (Five Gate Inc.)
  • Gendama (Real World Inc.)
  • ECnavi (DIGITAL X Inc.)
  • Plus a dozen-odd other majors

Understand that when you use a non-JIPC site, it's outside the industry's self-regulation, so you have to vet the risk yourself.

As important as the industry's self-regulation is that users, too, follow the terms and use services legitimately. In particular, "one account per person" is a basic rule common to most sites, and for the same person to create multiple accounts on the same site is a terms violation subject to account suspension and forfeited points. Using services safely for the long term takes both wheels: discerning the operator's reliability and using them within the terms yourself. The detailed thinking on account rules is gathered in our multiple-accounts and terms guide.

Conclusion — genuinely safe point sites

Sites meeting all of this article's criteria number 6 as of 2026.

SiteOperatorListedJIPCMembers
MoppyCeres Inc.Prime 369612M
HapitasOZvision Inc.Private5M
PointtownGMO Media Inc.Standard 61808.5M
PointIncomeFive Gate Inc.Private4M
GendamaReal World Inc.Private10M
PowlTestee Inc.Private3.5M

Of these, the first 3 a beginner should register are Moppy, Hapitas and Pointtown. See Getting started with point activity 2026 for details.

"Safe" doesn't mean "zero trouble, ever". Trouble at the level of a cookie slip or an overlooked condition causing a non-credit can happen on any site. The 6 above satisfy safety in the sense of "no deliberate wrongdoing by the operator", "cash-outs don't stall", "personal data is properly managed". Understand it as 99%, not 100%.

Mini glossary — key terms for point-site safety

Knowing the vocabulary for "telling safe sites from dangerous ones" lets you judge calmly across the three axes of operator substance, cash-out fulfilment, and personal-data management. Check each site's latest membership status and conditions on official pages and ポイナビ.

TermMeaningWhat to check
JIPC (Japan Internet Point Council)Self-regulatory body of the points industryMembership = trust benchmark
Privacy Mark (P-Mark)Third-party certification of personal-data protectionProof that ongoing audits are required
ASP (ad agency)Intermediary linking advertisers and publishersAd fees are the source of cashback
Minimum cash-out / cash-out feeMinimum threshold needed / fee deductedToo high = warning sign
Approval / denialConfirmed when conditions are met / cancelledAlways check conditions and fine print
Specified Commercial Transactions Act noticeLegally required disclosure by the operatorAddress, representative, phone must all be listed

Terms and each site's latest status can change. For the specific vetting method, see the main text of this article; for how to use safe major sites, see Getting started 2026, Moppy in-depth guide, and Hapitas in-depth guide.

FAQ

Can you declare them "absolutely safe"?
The risk of deliberate wrongdoing by the operator is near zero, but "user-side mistakes (cookies / unmet conditions)" and "an advertiser going bankrupt" can't be fully prevented. The 6 majors are safe in the sense that "trouble outside the user's responsibility is extremely rare". Understand it as 99%, not 100%.
If the operator goes bankrupt, do my points vanish?
In principle, yes. That's exactly why setting "listed company OR 5M+ members + 5+ years" as a condition lowers bankruptcy risk. As a precaution, don't hoard a large balance — cash out at a once-a-month pace.
Will my personal data be sold via ad emails?
JIPC-member majors explicitly state in their terms that "third-party provision is opt-in". Unless you actively check "I agree", your email isn't passed to advertisers. That said, an "email newsletter" box is sometimes pre-checked when you apply for an offer, so build the habit of unchecking it if unwanted.
Handing over my phone number for SMS auth scares me
SMS auth's main purpose is "preventing multiple accounts on the same number", and sales calls or SMS spam are extremely rare at major sites. Still, keeping a separate "point-activity SIM / IIJmio eSIM, etc." is a reasonable setup.
Are "million-member-class" sites safe?
The precise answer is "it depends on operating period and JIPC membership". "1M members + 5 years + JIPC member" can be treated as quasi-major. "1M members + under 2 years" or "non-JIPC" — avoid it, or limit yourself to minimal small-value use.
Is using multiple point sites at once safe?
Yes, and in fact it's a rational strategy to use 2–3 trusted major sites side by side, since the best-rewarding site varies by offer. There are rules to follow, though. ① "One account per person" is the rule on each site — creating multiple accounts on the same site (self-referral, duplicate registration) is a terms violation and grounds for suspension. Using several sites is fine as long as you hold exactly one account on each. ② Applying for the same offer (e.g., the same credit card) through multiple sites at once usually results in only one being approved, and the duplicate attempts can lead to denial or hurt your credit file. ③ Don't leave earned points scattered across sites — consolidate them into your main loyalty currency and spend them before they expire (see Multi-point management). Think of multi-site use as multiplying your "no-miss system", not just the number of sites.
Is it safe to use a referral code or link from social media or a friend?
Generally fine, as long as you confirm the link leads to the actual site of a trusted major. Point-site friend-referral programmes are a legitimate feature and typically benefit both parties. Three tips for safe use: ① Check that the domain you land on after clicking is the official domain of that major site (watch out for phishing on lookalike domains); ② before registering, verify the operator, JIPC membership, and Specified Commercial Transactions Act notice against the criteria in this article; ③ be wary of posts that overhype earnings ("guaranteed to make X") or that push expensive products or unrelated services after sign-up. What you must never do is create multiple accounts to refer yourself — that is a terms violation. Using a legitimate referral link from a trustworthy person at a safe major site is actually an advantageous starting point.
Can children or students use point sites?
Age requirements vary by site, so checking each site's terms of service before registering is essential. Many point sites set a minimum age, require parental consent for minors, or restrict access to users above a certain age. Cash-out to a bank account also requires an account in the user's own name, which may limit options for those without one. Three guidelines for safe use: ① Always check the current age policy and whether parental consent is required; ② high-value offers like credit-card applications, bank account openings, or FX trading require the user to personally meet the contractual age and conditions — applying in a family member's name by proxy is a terms violation (and potentially illegal) under any circumstances; ③ the range students can safely engage in is surveys, shopping cashback, and free-membership sign-ups they can complete in their own right. For proper family teamwork on point activity, see Couples & family point activity.
As long as I use a safe site, can I leave my accumulated points alone with peace of mind?
Even if the operator is trustworthy, points themselves have expiry dates and can expire if left alone. Separate from safety, you need "management that does not let them expire." As a hedge against bankruptcy risk too, the safe approach is not to hoard a large amount but to redeem and use them regularly. Concrete techniques for consolidating into your main shared points and using them up within their validity are gathered in our expiry-prevention guide.
Are there tips for continuing point-earning safely and without strain?
On top of "narrowing to safe major sites," building a structure you can keep up is effective. A system that keeps you from forgetting to route, a monthly routine of redeeming and checking balances, and making it a habit to confirm deal conditions head off most troubles (missed routing, unmet conditions, expiry) before they happen. Concrete ways to run it semi-automatically without relying on willpower are gathered in our systematising guide.

This article was written from publicly available information on each point site as of 2026-06-21. Cashback rates, campaign terms, and redemption rules can change without notice — always check each site's official page for the latest. This site uses each point site's referral program, but going through a referral link never changes the rate you receive.