I SEE STOCKS

Privacy Policy

Updated 2026-06-12

I SEE STOCKS — Privacy Policy

1. Who We Are

1.1 Identity

Hatdown LLC ("we," "us," "our," the "Company") is a Delaware limited liability company. We operate the I SEE STOCKS Service. We act as the data controller under EU/UK GDPR, the business under CCPA/CPRA, the personal-information processor (개인정보처리자) under Korean PIPA, and the personal-information handling business operator (個人情報取扱事業者) under Japanese APPI.

1.2 Contact

  • E-mail: [email protected]
  • Postal: c/o registered agent at our registered office (NM, USA) — exact address available on written request.

1.3 Representative in the EU / UK

Not yet appointed. To be designated by counsel upon launch in the EU/UK if and when our processing crosses the GDPR Article 27 / UK GDPR threshold.

2. What Data We Collect

2.1 Account Data (provided at registration)

  • E-mail address;
  • Password (stored only as a one-way bcrypt-class hash; plaintext never retained) OR OAuth identifier (Google subject ID, Kakao user ID);
  • Handle (@handle);
  • Display name;
  • Locale (`ko` / `en` / `jp`);
  • Markets of interest (KR / US / JP / BR / ES, multi-select);
  • Acceptance timestamps for Terms of Service (`tos_accepted_at`) and Disclaimer (`disclaimer_ack_at`), and the version of the Disclaimer accepted.
2.2 Profile Data (optional, User-supplied)

  • Display name (changes permitted);
  • Bio;
  • Avatar image (subject to image-processing rules in Section 4).
2.3 Content Data (User-generated, during use)

  • Retrospective post body (Markdown), tickers, action verb (one of six closed past-tense verbs), period dates, self-reported ROI percentage;
  • Uploaded image originals + processed variants + thumbnails;
  • Comments, likes, saves, follows (relational edges);
  • Group memberships, invite codes, group-scoped posts.
2.4 Payment Data (Premium subscribers only)

  • Stripe Customer ID;
  • Stripe Subscription ID;
  • Stripe Price ID;
  • Billing metadata (amount, currency, timestamp, status, invoice ID, charge ID).
  • Card numbers, CVCs, and expiration dates are processed and stored directly by Stripe, Inc. The Company never receives them.
2.5 Technical Data (automatically collected)

  • IP address;
  • User-Agent string;
  • Session token (HTTP-Only, Secure, SameSite=Strict cookie issued by Better Auth);
  • Access timestamps;
  • Error logs (captured by self-hosted GlitchTip, including stack traces and possibly IP / UA).
2.6 We Do NOT Collect

  • Brokerage API keys, brokerage account numbers, brokerage trade/order data, or brokerage balances (the previous KIS-API integration was removed in v12);
  • Telegram chat IDs (the previous real-time-alerts feature was removed in v12);
  • Kakao Alimtalk identifiers (deferred indefinitely in v12);
  • Real-time market data tied to individual Users;
  • Sensitive categories under GDPR Art. 9 (race, religion, health, etc.), CCPA "sensitive personal information," Korean PIPA "sensitive information" (민감정보), or Japanese APPI "special-care-required personal information" (要配慮個人情報).

3. How We Use Your Data

| Purpose | Categories Used |
|---|---|
| Account registration and authentication | §2.1 |
| Service delivery (publishing posts, comments, follows, groups) | §2.1, §2.2, §2.3 |
| Image processing (EXIF strip, blur, watermark) | §2.3 (images) |
| Premium subscription management | §2.4 |
| Transactional e-mail (verification, billing notices) | §2.1 (e-mail), §2.4 |
| Security, fraud detection, and abuse prevention | §2.5 |
| Aggregate, de-identified product analytics | §2.3 (de-identified), §2.5 (de-identified) |
| Compliance with legal obligations | as required |
| AI personal-record analysis (`/me/insights`, Premium, opt-in) | Your own past User Content (text) only |


4. Image Processing and Watermarking

When you upload an image to the Service, we automatically apply, in this order:

  • EXIF metadata strip. GPS coordinates, device model, capture timestamp, and other EXIF metadata are removed from the processed image before it is stored; the variants we serve never carry them.
  • Dollar-amount blur. Rectangular regions you mark in the upload UI are composited with an opaque black overlay (a solid fill, not a reversible Gaussian blur). The default is ON; you may toggle it OFF per upload. We do NOT perform OCR; only regions you explicitly mark are processed.
  • Watermark burn-in. The bottom-right of every processed image is pixel-baked with `SELF-REPORTED · UNVERIFIED · @yourhandle · vN.N-locale` (where `vN.N-locale` is the version of the Disclaimer in force at upload). Because the watermark is part of the pixel data, it cannot be removed via CSS or DOM manipulation.
  • Storage variants. Processed images are stored as 1200px and 600px WebP variants. The original upload is retained in your private object-storage prefix and is deleted together with the variants on post or account deletion.

These steps reduce the risk of accidental disclosure of sensitive information. They do not make an image tamper-proof: a downloaded copy can still be cropped or edited. You remain responsible for redacting sensitive content before upload.
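As an added illustration of the first step only (example code, not the Service's own image pipeline, which this Policy does not publish): a pure-Python JPEG segment walker that drops the metadata-bearing APPn and COM segments so that GPS, device and capture data in an Exif block cannot reach the stored image. The `SAMPLE_JPEG` bytes are constructed for the example (a marker skeleton with dummy scan data, not a real photo). It keeps APP0 (JFIF) and APP14 (Adobe colour transform) because decoders rely on them, and drops APP2 (ICC profile) with the rest, which is a colour-accuracy trade-off a production pipeline may decide differently.

```python
"""Strip Exif/XMP/comment segments from a JPEG by walking its marker segments.

Constructed example: SAMPLE_JPEG is a marker skeleton (SOI, APP0, APP1 Exif
with a GPS IFD pointer, COM, DQT, SOS, EOI) with dummy entropy-coded data.
"""
from typing import Iterator, List, Tuple

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP1, APP14, COM = 0xE0, 0xE1, 0xEE, 0xFE
# Markers that carry no length field: SOI, EOI, TEM, RST0-RST7.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))
# APPn segments decoders actually need; every other APPn and COM is metadata.
KEEP_APP = {APP0, APP14}


def _segment(marker: int, payload: bytes) -> bytes:
    """Build a marker segment; the 2-byte length counts itself plus payload."""
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Minimal little-endian TIFF with one IFD entry: tag 0x8825 (GPSInfo IFD pointer).
_EXIF_PAYLOAD = (
    b"Exif\x00\x00"
    + b"II*\x00" + (8).to_bytes(4, "little")     # TIFF header, IFD0 at offset 8
    + (1).to_bytes(2, "little")                  # one entry
    + (0x8825).to_bytes(2, "little")             # GPSInfo pointer tag
    + (4).to_bytes(2, "little")                  # type LONG
    + (1).to_bytes(4, "little")                  # count
    + (26).to_bytes(4, "little")                 # offset of the (absent) GPS IFD
    + (0).to_bytes(4, "little")                  # no next IFD
)

SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, _EXIF_PAYLOAD)
    + _segment(COM, b"Shot on Phone X at 37.5665N 126.9780E")  # constructed comment
    + _segment(0xDB, b"\x00" + bytes(range(1, 65)))            # DQT, table 0
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")                # one-component scan
    + b"\x12\x34\x56\x78\xff\x00\x9a"                           # dummy entropy data
    + b"\xff\xd9"
)


def iter_segments(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, raw_bytes) per segment; SOS is yielded with the whole
    remainder of the file, since scan data is not length-prefixed."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    yield SOI, data[:2]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:  # skip fill bytes
            pos += 1
        if pos + 1 >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos + 1]
        if marker == SOS:
            yield SOS, data[pos:]
            return
        if marker in STANDALONE:
            yield marker, data[pos:pos + 2]
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, data[pos:end]
        pos = end


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Copy of the JPEG without APP1..APP15 (except APP14) and COM segments."""
    out = bytearray()
    for marker, raw in iter_segments(data):
        is_app = 0xE0 <= marker <= 0xEF
        if (is_app and marker not in KEEP_APP) or marker == COM:
            continue
        out += raw
    return bytes(out)


def has_exif(data: bytes) -> bool:
    """True if an APP1 segment with an Exif identifier is present."""
    return any(m == APP1 and raw[4:10] == b"Exif\x00\x00" for m, raw in iter_segments(data))


def segment_markers(data: bytes) -> List[int]:
    return [m for m, _ in iter_segments(data)]


if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print(has_exif(SAMPLE_JPEG), has_exif(cleaned), [hex(m) for m in segment_markers(cleaned)])
```

`has_exif` is the check worth running after the pipeline, on the stored variant rather than the input. JPEG is only one container: WebP carries EXIF/XMP as RIFF chunks and PNG as `eXIf`/`tEXt` chunks, so each output format needs its own strip and its own verification.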


    5. Legal Bases for Processing

    5.1 United States

Processing is performed pursuant to contract (the Terms of Service), our legitimate operational interests, and your consent where required.

    5.2 European Union / European Economic Area / United Kingdom (GDPR / UK GDPR)

  • Art. 6(1)(b) (contract): for account creation, Service delivery, payment processing, and transactional e-mail.
  • Art. 6(1)(f) (legitimate interest): for security, fraud prevention, abuse detection, aggregate analytics, and Service improvement. Our legitimate interest is balanced against your rights and freedoms; a balancing test is documented and available to supervisory authorities on request.
  • Art. 6(1)(c) (legal obligation): for retention of payment records (VAT/MOSS) and response to lawful judicial or administrative orders.
  • Art. 6(1)(a) (consent): for AI personal-record analysis (`/me/insights`, Premium opt-in) and for any future processing not covered by the bases above.
5.3 Republic of Korea (PIPA)

    Processing is based on (i) the contract with the User (PIPA §15(1)(4)), (ii) the User's consent for processing not strictly necessary to the contract (PIPA §15(1)(1)), and (iii) legitimate interests where the User's rights are not unduly prejudiced (PIPA §15(1)(6)).

    5.4 Japan (APPI)

    Processing is performed for the utilization purposes (利用目的) specified in Section 3, with notification to the User as required under APPI Art. 21.

6. Cross-Border Transfers (PIPA §28 Disclosure Table)

Because Hatdown LLC is a Delaware LLC operating servers in Germany and using sub-processors in the United States, Korea, and Germany, the following cross-border transfers occur. This table is structured to meet the disclosure requirements of Korean PIPA §28 and to inform users in the EU/UK/JP/BR of equivalent transfer details.

| Recipient | Country | Purpose | Data Categories | Method | Retention |
|---|---|---|---|---|---|
| Contabo GmbH | Germany (EU) | Primary VPS hosting; Postgres, Redis, Cloudflared tunnel | All processed data | TLS 1.2+ in transit; AES-256 at rest at host | 30 days after account hard-delete + backup rotation |
| Stripe, Inc. | United States (Ireland for EU) | Payment processing; subscription management | E-mail, handle, payment instrument, payment history | TLS 1.2+ to Stripe API; Stripe SCCs (EU) | Per Stripe retention policy; minimum 5 years (IRS / EU VAT) |
| Buchida Co., Ltd. | Republic of Korea | Transactional e-mail delivery | E-mail address, recipient name, message body | TLS 1.2+ to Buchida API | Per Buchida retention policy |
| Cloudflare, Inc. (R2) | Global (North America preferred) | Image and backup object storage | Processed screenshots; age-encrypted DB backups | TLS 1.2+ + AES-256 at rest; backups additionally age-encrypted (X25519) | 30 days after account hard-delete; backups 30 daily + 6 monthly |
| Anthropic, PBC | United States | AI personal-record analysis on Your own past post text only (Premium, opt-in) | Your own post text (no other Users' text) | TLS 1.2+ to Anthropic API; Anthropic DPA + SCCs | Per Anthropic policy (currently zero retention for API) |
| Google LLC | United States | OAuth authentication (Google sign-in) | OAuth identifier | Browser-redirect handshake | 30 days after account hard-delete |
| Kakao Corp. | Republic of Korea | OAuth authentication (Kakao sign-in) | OAuth identifier | Browser-redirect handshake | 30 days after account hard-delete |
| GlitchTip (self-hosted on Contabo) | Germany | Error / exception tracking | Stack trace; IP; User-Agent | TLS 1.2+ internal | 90 days |

    6.1 Mechanism for EU/UK Transfers Outside EEA

    For transfers to U.S. recipients (Stripe, Anthropic, Google, Cloudflare U.S. endpoints), we rely on:
  • The EU-U.S. Data Privacy Framework (DPF) where the recipient is certified;
  • Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) where the recipient is not DPF-certified;
  • Supplementary technical measures (TLS 1.2+, encryption at rest, age-encryption of backups).
6.2 Mechanism for KR User Transfers Outside Korea

    Pursuant to PIPA §28, we disclose the recipient identity, country, purpose, categories, method, and retention as set forth in the table above, and we obtain User consent at registration via the Privacy Policy acceptance flow. Users may withhold consent, in which case Service features dependent on the relevant sub-processor will be unavailable.

    7. Cookies and Similar Technologies

    7.1 Categories Used

  • Session cookie — issued by Better Auth. HTTP-Only, Secure, SameSite=Strict. Strictly necessary; cannot be disabled without disabling login.
  • OAuth state cookie — short-lived (≤ 10 minutes) state token used to prevent CSRF in the OAuth handshake. Strictly necessary.
  • Locale cookie — stores your preferred language. Functional.
7.2 Categories NOT Used

  • We do NOT use advertising cookies.
  • We do NOT integrate Google Analytics, Meta Pixel, TikTok Pixel, or any cross-site tracker.
  • We do NOT sell or share personal information for cross-context behavioral advertising (CCPA/CPRA §1798.140(ah)).
7.3 Cookie Consent

    Because we use only strictly necessary and functional cookies, no consent banner is presented for EU/UK Users under ePrivacy Directive Article 5(3). If we ever introduce non-essential cookies, a consent banner will be added.

8. Retention

| Category | Retention Period | Basis |
|---|---|---|
| Account data | Until User-initiated deletion; soft-deleted on request; hard-deleted by automated worker after 30 days | GDPR Art. 5(1)(e), PIPA §21, contract, consent |
| Retrospective posts | Until post deletion or account deletion; hidden immediately; hard-deleted with account at 30 days | Consent |
| Comments | Same as posts | Consent |
| Uploaded images | Removed permanently on post or account deletion | Consent |
| Stripe payment records | Minimum 5 years from each transaction | IRS recordkeeping; EU VAT (Council Directive 2006/112/EC); Korean E-Commerce Act §22 |
| Access logs and IPs | 3 months | Korean Communications Privacy Act §15-2; GDPR Art. 5(1)(e) storage limitation |
| Reporting / moderation records | 1 year | Moderation audit; DSA Art. 24 transparency |
| Backups (age-encrypted, in R2) | 30 rolling daily + 6 monthly snapshots | Security and disaster recovery |
| Soft-deleted profile (30-day grace) | 30 days | User restoration opportunity |
| GlitchTip error logs | 90 days | Security and reliability |

    8.1 Hard-Delete Procedure

A scheduled background worker (`hard-delete-soft-deleted`) runs daily and permanently removes from primary storage every record that was soft-deleted more than 30 days earlier. Backups containing deleted records are not rewritten; they age out under the rotation policy above. Because up to 6 monthly snapshots are kept, a record that has been hard-deleted from primary storage can persist in age-encrypted backups for up to 6 further months, that is, roughly 7 months after the original deletion request.

    8.2 Legal Hold

    Where a legal or regulatory hold applies (e.g., active subpoena, court order, tax audit), the relevant records are preserved beyond the retention period, segregated, and access-controlled.

    9. Your Rights

    9.1 Rights Available to All Users

    You may at any time:
  • Access your data via `/me`;
  • Rectify profile data via `/me/edit`;
  • Delete your account via `/settings` (soft-delete immediate; hard-delete after 30 days);
  • Withdraw consent for opt-in processing (e.g., AI insights) at any time;
  • Contact us at [email protected] to exercise any right described below.
9.2 GDPR / UK GDPR Rights (EU / EEA / UK residents)

  • Art. 15 — Access;
  • Art. 16 — Rectification;
  • Art. 17 — Erasure ("right to be forgotten");
  • Art. 18 — Restriction of processing;
  • Art. 20 — Portability (JSON export available on request);
  • Art. 21 — Objection (including to processing based on legitimate interest);
  • Art. 22 — Not to be subject to solely automated decision-making with legal effect (the Service does not subject Users to such decisions);
  • Art. 77 — Right to lodge a complaint with a supervisory authority.
9.3 CCPA / CPRA Rights (California residents)

  • Right to know the categories of personal information collected, the purposes, the categories of third parties, and specific pieces collected (CCPA §1798.110, §1798.115);
  • Right to delete (CCPA §1798.105);
  • Right to correct (CPRA §1798.106);
  • Right to opt out of sale or sharing (CCPA §1798.120, as amended by CPRA) — we do not sell or share personal information;
  • Right to limit use of sensitive personal information (CPRA §1798.121) — we do not collect sensitive PI as defined;
  • Right to non-discrimination for exercising these rights (CCPA §1798.125);
  • Authorized agent requests permitted under CPRA §1798.185(a)(7).

9.4 Korean PIPA Rights

  • Right of access (PIPA §35);
  • Right of correction and deletion (PIPA §36);
  • Right of processing-suspension (PIPA §37);
  • Right to damages (PIPA §39);
  • Right to lodge complaints (Korea Internet & Security Agency — 118; Personal Information Dispute Mediation Committee — 1833-6972).
9.5 Japan APPI Rights

  • Right of disclosure (Art. 33);
  • Right of correction (Art. 34);
  • Right of cessation of utilization (Art. 35);
  • Right to lodge complaints (Personal Information Protection Commission, 個人情報保護委員会).

9.6 Brazil LGPD (Brazil residents — Day 1 market support)

    Equivalent rights to GDPR Art. 15-22 apply under LGPD Arts. 17-22.

    9.7 Australia Privacy Act 1988 (Australia residents)

    Access and correction rights under APP 12 and APP 13.

    9.8 Response Time

    We respond to verifiable rights requests within 30 days of receipt, extendable by up to 60 days for complex requests (GDPR Art. 12(3)). For CCPA/CPRA, we respond within 45 days, extendable by 45 days. For PIPA, within 10 days.

    9.9 How to Exercise Rights

    E-mail [email protected] with subject `[Privacy Request] – ` and your account e-mail. We may request additional verification to confirm your identity before action.

    10. Security

    10.1 Technical Measures

  • Passwords hashed by Better Auth (bcrypt-class, salted, one-way);
  • TLS 1.2+ on every network hop: browser to Cloudflare edge, and a Cloudflared Tunnel from the edge to the origin (Cloudflare terminates TLS at its edge and re-encrypts toward the origin, so this is hop-by-hop protection rather than a single end-to-end session);
  • AES-256-GCM at rest for sensitive secrets (any third-party API tokens we retain);
  • Daily encrypted Postgres backups (age, X25519 public-key encryption; the private key is stored separately from the backups);
  • HTTP-Only, Secure, SameSite=Strict session cookies;
  • Database bound to 127.0.0.1 on the host; not publicly reachable; SSH key authentication only;
  • Application-layer "scoped queries" pattern, enforced at code-review time in place of Postgres row-level security (RLS): no route handler may query the database without first establishing a session, and every data-access helper takes `userId` as its first parameter so that every query is scoped to the calling User;
  • Automated dependency vulnerability scanning (GitHub Dependabot);
  • CI/CD security gates (forbidden-word scan, secret scan).
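Added illustration of the "scoped queries" rule, written as example code rather than the Service's own handlers: the in-memory `POSTS` table, the `Request`/`SESSIONS` stand-ins for the session cookie and Better Auth, and all helper names are assumptions. It shows the two halves of the rule (session first, then a helper whose first parameter is the caller's id) and turns the review-time convention into a check that can run in CI.

```python
"""Application-layer "scoped queries": resolve a session before any query, and
make every data-access helper take the caller's user_id as its first parameter.

Constructed example: the in-memory table and session map stand in for Postgres
and Better Auth; names are assumptions, not the Service's code.
"""
import inspect
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Post:
    id: int
    owner_id: str
    body: str
    visibility: str = "private"          # "private" or "public"


# Constructed rows.
POSTS: Dict[int, Post] = {
    1: Post(1, "alice", "sold TSLA, +12%", "public"),
    2: Post(2, "alice", "bought NVDA, -3%"),          # private to alice
    3: Post(3, "bob", "held SPY, +1%"),
}

SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}   # cookie -> user


@dataclass
class Request:
    cookies: Dict[str, str] = field(default_factory=dict)


class Unauthenticated(Exception):
    pass


def require_session(req: Request) -> str:
    """Map the session cookie to a user id, or refuse; nothing below runs without it."""
    user = SESSIONS.get(req.cookies.get("session", ""))
    if user is None:
        raise Unauthenticated()
    return user


# Scoped helpers: user_id is always the first parameter and always used.
def get_post(user_id: str, post_id: int) -> Optional[Post]:
    """Return a post only if the caller owns it or it is public."""
    post = POSTS.get(post_id)
    if post is None:
        return None
    if post.owner_id != user_id and post.visibility != "public":
        return None                      # same answer as "does not exist"
    return post


def list_own_posts(user_id: str) -> List[Post]:
    return [p for p in POSTS.values() if p.owner_id == user_id]


def delete_post(user_id: str, post_id: int) -> bool:
    post = POSTS.get(post_id)
    if post is None or post.owner_id != user_id:
        return False
    del POSTS[post_id]
    return True


def get_post_by_id(post_id: int) -> Optional[Post]:
    """Violates the rule: no scope parameter, so it would serve anyone's row."""
    return POSTS.get(post_id)


# Route handler: session first, then only scoped helpers.
def handle_get_post(req: Request, post_id: int) -> Dict[str, object]:
    try:
        user_id = require_session(req)
    except Unauthenticated:
        return {"status": 401}
    post = get_post(user_id, post_id)
    if post is None:
        return {"status": 404}
    return {"status": 200, "body": post.body}


def unscoped_helpers(helpers: List[Callable]) -> List[str]:
    """Names of helpers whose first parameter is not `user_id`: the reviewer's
    rule made mechanical, so CI can fail a helper that drops the scope."""
    bad = []
    for fn in helpers:
        params = list(inspect.signature(fn).parameters)
        if not params or params[0] != "user_id":
            bad.append(fn.__name__)
    return bad


if __name__ == "__main__":
    print(handle_get_post(Request({"session": "tok-bob"}), 2))     # alice's private post -> 404
    print(unscoped_helpers([get_post, list_own_posts, delete_post, get_post_by_id]))
```

The signature check catches a helper that forgets the parameter, but not a helper that accepts `user_id` and ignores it, and it sees nothing that reaches the database outside these helpers (raw SQL in a migration, an admin script). Those are the gaps database-level RLS closes, which is why this pattern is a code-review discipline rather than an equivalent control.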
10.2 Organizational Measures

  • Access limited to designated officers (currently CEO);
  • Confidentiality terms with every sub-processor;
  • Annual review of sub-processor list.

10.3 Physical Measures

  • Contabo data center (Germany) physical access controls (ISO 27001 certified).

10.4 Breach Notification

    In the event of a personal-data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority within 72 hours (GDPR Art. 33), notify affected Users without undue delay (GDPR Art. 34, KISA notification under PIPA §34, JP PIPC notification under APPI Art. 26), and provide CCPA-required notice to affected California residents.

    11. Children's Privacy

    The Service is intended for adults 18+. We do not knowingly collect personal information from:

  • Children under 13 (United States COPPA, 15 U.S.C. §6501 *et seq.*; UK / EU under-13 / under-16 thresholds per Article 8 GDPR);
  • Children under 14 (Republic of Korea PIPA);
  • Children under 13 (Japan APPI guidelines for minors).
If we discover that a minor has registered, we will delete the account and associated data without undue delay. Parents or guardians who believe a minor has registered may contact [email protected].


    12. Sub-processors

    Section 6 above contains the current sub-processor list. We will update this Policy at least 30 days before adding or replacing a sub-processor handling personal data. Material additions will be e-mailed to Premium subscribers.


    13. Marketing Communications

    We do not send marketing e-mail by default. Transactional e-mail (account verification, billing receipts, security alerts) is sent under contract basis without consent (GDPR recital 47). If we ever introduce a marketing newsletter, it will be opt-in and unsubscribable from every message.


    14. Automated Decision-Making and Profiling

    The Service does not subject Users to automated decisions with legal or similarly significant effect (GDPR Art. 22). Engagement-based feed ordering on the Discover page is a content-presentation choice, not a decision that produces legal effects for Users.


    15. Changes to This Policy

    Material modifications take effect at least 30 days after notice (in-app + e-mail to all account holders); non-material modifications take effect at least 7 days after notice. We retain prior versions accessible at versioned URLs (e.g., `/privacy/v2.0`, `/privacy/v3.0`).


    16. Complaints and Supervisory Authorities

    16.1 EU / EEA

    You may lodge a complaint with the data protection authority of your country of residence. A list is maintained at https://edpb.europa.eu.

    16.2 United Kingdom

    Information Commissioner's Office (ICO) — https://ico.org.uk.

    16.3 Korea

  • Personal Information Dispute Mediation Committee: 1833-6972 — www.kopico.go.kr;
  • Personal Information Infringement Reporting Center: 118 — privacy.kisa.or.kr.
16.4 California

    California Attorney General — https://oag.ca.gov/privacy/ccpa.

    16.5 Japan

    Personal Information Protection Commission (個人情報保護委員会) — https://www.ppc.go.jp.

    16.6 Brazil

    Autoridade Nacional de Proteção de Dados (ANPD).

    16.7 Australia

    Office of the Australian Information Commissioner (OAIC).

    17. Data Protection Officer (DPO)

    A Data Protection Officer has not been designated. We do not believe we meet the GDPR Art. 37 mandatory designation thresholds (no large-scale systematic monitoring; no large-scale processing of special categories). A point of contact for privacy is the CEO at [email protected].


    18. Contact

Controller: Hatdown LLC
E-mail: [email protected]
Service URL: https://iseestocks.com