Privacy Policy
Effective Date: March 7, 2026 (v1.0)
Trading Diary (hereinafter "Service") establishes and discloses the following privacy policy to protect users' personal information and to promptly handle related complaints in accordance with applicable privacy laws, including the Korean Personal Information Protection Act (PIPA).
1. Purpose of Collection and Use of Personal Information
The Service collects and uses personal information for the following purposes:
- Member registration and management: Identity verification, personal identification, fraud prevention
- Service provision: Trading journal storage, trade history management, performance analysis, personalized features
- Service improvement: Usage statistics analysis, quality enhancement, new feature development
- Customer support: Responding to inquiries, delivering notices
2. Personal Information Collected
a. Information Collected via Social Login (Google)
Required: Email address, Google account identifier (sub), name
Optional: Profile image URL
b. Information Directly Entered by Users
Trading records (symbol name, trade price, quantity, trade date), trading notes, trading principles, goals, checklists, self-evaluations, emotion records, watchlist information, feedback content
c. Information Automatically Collected During Service Use
IP address, access time, browser type and version, operating system information, service usage records (page visits, feature usage), error information (error messages, stack traces, page URL where the error occurred)
d. Information Collected During Payment
The following information is collected through Toss Payments when subscribing to Pro:
Collected: Card issuer name, partial card number (masked), payment approval number, payment amount, payment date/time
Retention: Payment records retained for 5 years per the Consumer Protection Act
e. Information Collected via Advertising (Google AdSense)
Google AdSense may use cookies and web beacons to collect browsing activity for personalized advertising. This data is processed in accordance with Google's Privacy Policy.
3. Retention and Use Period
1. Personal information is retained until account deletion and destroyed without undue delay (within 30 days) upon deletion. Data included in system backups may be removed progressively according to the backup cycle.
2. When preservation is required by applicable laws, information is retained for the period specified by such laws:
- Consumer Protection Act: Contract/withdrawal records for 5 years, payment records for 5 years
- Telecommunications Privacy Act: Access logs (login records, IP addresses) for 3 months
3. For inactive accounts (no use for 1 year), personal information may be separately stored or destroyed after 30 days' notice via email.
4. Disclosure to Third Parties
The Service does not provide personal information to third parties without user consent, except in the following cases:
- When the user has given prior consent
- When required by law or requested by authorities in accordance with legal procedures
5. Outsourcing of Personal Information Processing
The Service outsources personal information processing as follows:
| Provider | Purpose |
|---|---|
| Google LLC | Social login authentication, advertising (AdSense), AI trading analysis (Gemini API) |
| Supabase Inc. | Database hosting and management |
| Vercel Inc. | Web application hosting |
| Functional Software Inc. (Sentry) | Error monitoring and performance tracking (error logs, browser information, session replays) |
| Toss Payments Co., Ltd. | Paid subscription payment processing (billing key issuance, auto-billing, refund processing) |
6. Destruction of Personal Information
1. When the retention period expires or the purpose of processing is achieved, information is destroyed without delay.
2. Electronic files are permanently deleted using methods that prevent recovery.
3. All data is managed electronically; no paper documents containing personal information are maintained.
7. User Rights
Users (or their legal representatives) may exercise the following rights:
- Right to access personal information
- Right to rectification or deletion of personal information
- Right to suspend processing of personal information
- Right to data portability (data export) — available through the data export feature in Settings (JSON and CSV formats), or by requesting the Privacy Officer via email
- Right to withdraw consent (account deletion)
These rights may be exercised through the settings menu within the Service or by contacting the Privacy Officer via email (woody6049@daum.net). The Service will take action without delay.
8. Security Measures
The Service implements the following measures for secure processing of personal information:
- All data transmission encrypted via SSL/TLS
- Social login (OAuth 2.0) authentication with no password storage
- Minimized access privileges (only the operator has direct access)
- HTTP-only cookies and JWT-based session protection
- Database access restricted to application server only (no direct access)
- Authentication verification and per-user data isolation on all API requests
- Input validation to prevent security threats
9. Use of Cookies
The Service uses the following types of cookies:
- Essential cookies: Login authentication, session management, language settings (service unavailable if refused)
- Functional cookies: Theme settings, user preference storage
- Advertising cookies: Personalized advertising via Google AdSense (set with user consent)
Users may refuse or delete cookies through browser settings, but refusing essential cookies may limit service functionality.
10. Children's Privacy
The Service does not accept registration from children under the age of 14 (or the minimum age of digital consent in the applicable jurisdiction) and does not knowingly collect their personal information. If registration by a child under 14 is discovered, the account and personal information will be immediately deleted.
11. International Data Transfer
The Service may transfer personal information to the following overseas entities for service provision:
- Recipient: Google LLC (USA), Vercel Inc. (USA), Supabase Inc. (Sydney, Australia), Functional Software Inc. (USA, Sentry)
- Purpose: Social login authentication, advertising, AI trading analysis, web hosting, database management, error monitoring
- Data transferred: Email, name, trading records, service usage records, error information (error messages, IP address, browser information)
- Retention period: Until termination of service agreement or outsourcing contract
12. AI-Based Data Processing
1. The AI trading analysis coach feature uses Google Gemini API. When analysis is requested, users' trading records (symbol names, prices, quantities, trading notes, etc.) are transmitted to Google servers.
2. Transmitted data is processed in accordance with Google's paid API Terms of Service. Please refer to Google's API Terms of Service and Privacy Policy for details.
3. Analysis results are cached in the Service's database and served without re-transmission for identical requests.
4. Users may opt out of this data transmission by not using the AI analysis feature.
13. Cookie Management
Users can manage cookie settings through their web browser options:
- Chrome: Settings → Privacy and Security → Cookies and Other Site Data
- Safari: Preferences → Privacy
- Firefox: Settings → Privacy & Security → Cookies and Site Data
14. Privacy Officer
The following privacy officer is designated to oversee personal information processing and handle user complaints and remedies:
Privacy Officer
Name: Sungjin Woo
Title: Operator
Email: woody6049@daum.net
For reports or consultations regarding privacy violations, you may contact the following organizations:
- Korea Internet & Security Agency (KISA): privacy.kisa.or.kr / 118
- Personal Information Dispute Mediation Committee: www.kopico.go.kr / 1833-6972
15. Data Breach Notification
1. In the event of a personal information breach, the Service will notify affected users without delay (within 72 hours of discovery) of the breached data items, timing, and response measures via email or in-service announcements, in accordance with Article 34 of the Korean Personal Information Protection Act.
2. If 1,000 or more individuals are affected, the breach will also be reported to the Personal Information Protection Commission and KISA (Korea Internet & Security Agency).
16. Additional Information for International Users
The Service is operated from the Republic of Korea and is primarily governed by the Korean Personal Information Protection Act (PIPA). If you access the Service from outside Korea, the following additional provisions apply.
a. Legal Basis for Processing
The Service processes personal information based on the following legal grounds:
- User consent (agreement to Terms upon registration)
- Performance of a contract (provision of trading journal services)
- Legitimate interests of the service provider (service improvement, fraud prevention)
b. EU/EEA Residents (GDPR)
If you are a resident of the EU/EEA, you have the following additional rights under the General Data Protection Regulation (GDPR):
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability (in a machine-readable format)
- Right to object to automated decision-making
- Right to lodge a complaint with a supervisory authority
International data transfers are based on your explicit consent (Article 49(1)(a) GDPR). To exercise these rights, contact the Privacy Officer at woody6049@daum.net.
c. Other International Users
By using the Service, your personal information may be transferred to Korea and the countries specified in Section 11. Data protection standards in these countries may differ from those in your country of residence. The Service protects your information through the security measures described in Section 8.
17. Changes to This Policy
This policy is effective from the enforcement date. Any additions, deletions, or corrections will be announced through notices within the Service at least 7 days before implementation. For changes that are materially disadvantageous to users, 30 days' notice will be provided.
This privacy policy is effective from March 7, 2026.