Privacy Policy

Last Updated: 2026-03-12

1. Introduction

CoreRounder (“Company,” “we,” “us,” or “our”) is committed to protecting your personal information in accordance with the Korean Personal Information Protection Act (PIPA), the EU General Data Protection Regulation (GDPR), and other applicable privacy laws.

This Privacy Policy describes how we collect, use, store, and protect your personal information when you use the CoreRounder platform.

2. Information We Collect

2.1 Account Registration

  • Required: Email address, username, password (hashed)
  • Google Sign-In: Google account ID (unique identifier), email address, profile picture URL
  • Automatically collected: Account creation date, last login timestamp

2.2 Service Usage

  • Exchange API Keys: User-provided exchange API keys and secrets (stored with AES-128 encryption)
  • Portfolio Data: Asset holdings, trade history, position information
  • Strategy/Simulation Data: User-created investment strategies, backtesting results, Paper Trading simulation records
  • Planner Data: Calendar notes, to-do lists, routine records, Checklist items
  • AI Conversations: Queries and responses with AI agents, AI Insights analysis requests
  • Manual Accounts: User-created manual account information (name, icon)
  • AI Credits Usage: AI Insights analysis usage count and credit consumption history
  • Telegram Subscription: Market Report auto-report subscription status and settings

2.3 Automatically Generated Information

  • IP address, browser type, access timestamps, service usage logs
  • Authentication tokens (JWT) stored in browser local storage

3. How We Use Your Information

  • Account Management: Registration, authentication, account security
  • Service Delivery: Portfolio management, market analysis, AI-powered investment analysis, Paper Trading simulation
  • Exchange Integration: Read-only data retrieval via user-provided API keys
  • AI Insights Analysis: AI-powered portfolio analysis, risk assessment, performance analysis (credit-based)
  • Automated Alerts: Market Report (daily auto-reports), Black Swan Index (risk detection alerts) sent via Telegram
  • Checklist and Planner: User-created Checklist items, investment schedule, memo management
  • Service Improvement: Usage analytics, service stability, personalization learning
  • Customer Support: Responding to inquiries, sending notifications
  • Legal Compliance: Fulfilling obligations under applicable law

4. Data Retention and Deletion

4.1 Retention Periods

Data Type | Retention Period
Account information | Until account deletion (30-day grace period after request)
Exchange API keys | Immediately destroyed upon user request
Trade history | 30 days after account deletion
AI conversation logs | 90 days after creation or upon user request
Paper Trading records | 90 days after creation or upon user request
Checklists | Until account deletion (deleted 30 days after)
AI Insights credit history | 12 months
Market Report subscription | Immediately deleted upon unsubscription
Manual accounts | Until account deletion
Access logs | 3 months (as required by Korean law)

4.2 Deletion Procedures

  • Electronic files are deleted using irrecoverable methods
  • Encrypted data (API keys): Encryption keys are destroyed, rendering decryption impossible
  • Account deletion requests are processed permanently after a 30-day grace period

5. Third-Party Disclosure

We do not sell or share your personal information with third parties, except in the following cases:

  • With your explicit prior consent
  • When required by law or lawful governmental request

5.1 Third-Party Services

We use the following external services to operate the platform:

Service | Purpose | Data Shared
Google OAuth | Social login | Email, profile info
Anthropic (Claude AI) | AI analysis and Insights | Analysis query text (anonymized)
OpenAI | Embedding generation | Conversation text (future pgvector storage)
Exchange APIs (Binance, Bybit, OKX, Upbit) | Data retrieval | User-provided API keys
Telegram | Market Reports and alerts | User Telegram ID, alert messages

6. Security Measures

  • Passwords: bcrypt hashing (irreversible)
  • Exchange API Keys: Fernet (AES-128-CBC) symmetric encryption
  • Authentication: JWT tokens with HS256 signatures
  • Transport Security: HTTPS (TLS 1.2+) enforced
  • Database: Principle of least privilege, regular backups
  • Server: Firewall (UFW), rate limiting, IP blocking

Important: CoreRounder only performs read-only operations through your exchange API keys. We do not execute withdrawals, transfers, or trades. We recommend creating read-only API keys.

7. Your Rights

You have the following rights regarding your personal information:

  • Right of Access: Request access to your personal data
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your data (Settings > Delete Account)
  • Right to Restrict Processing: Request restriction of data processing
  • Right to Data Portability (GDPR): Export your data in a structured format (JSON)
  • Right to Withdraw Consent: Withdraw optional consents (e.g., marketing)

7.1 How to Exercise Your Rights

  • Data Export: Settings > Account > “Export My Data”
  • Account Deletion: Settings > Account > “Request Account Deletion” (permanently deleted after 30-day grace period)
  • Email: privacy@corerounder.com

8. Cookies and Local Storage

CoreRounder does not use server-side cookies. Instead, we store the following data in your browser's local storage:

  • Authentication tokens: JWT tokens for maintaining login sessions
  • User preferences: Language selection, UI settings
  • Consent records: Privacy policy and terms of service acceptance

Local storage data can be cleared through your browser settings or is automatically removed upon logout.

9. International Data Transfers

Service usage may result in international data transfers as follows:

  • Anthropic (Claude AI, USA): AI Insights analysis query text is transmitted. Transfers are governed by GDPR Standard Contractual Clauses (SCCs)
  • OpenAI (USA): Conversation text is sent for embedding generation. Personally identifiable information is anonymized before transmission
  • Telegram (Russia): Market Reports and automated alert messages are sent. Messages contain only portfolio summaries and market analysis information

In all international transfers, personally identifiable information (name, email, API keys, etc.) is removed or anonymized before transmission.

10. Children's Privacy

CoreRounder does not provide services to individuals under the age of 14 and does not knowingly collect personal information from children. If we become aware that we have collected data from a child under 14, we will promptly delete it.

11. Changes to This Policy

We will notify you of any changes to this Privacy Policy at least 7 days before they take effect, via in-service notice or email. Material changes (additional data collection, changes in third-party sharing, etc.) will be announced 30 days in advance, and re-consent will be obtained when necessary.

12. Contact Information

  • Company: CoreRounder
  • Privacy Inquiries: privacy@corerounder.com
  • General Support: support@corerounder.com

For privacy-related complaints, you may also contact the Korea Internet & Security Agency (KISA) at 118 or the Personal Information Dispute Mediation Committee at 1833-6972.