PRIVACY POLICY

This Privacy Policy describes how CYOINC ("Company," "we," "us," or "our") collects, uses, shares, and protects personal information in connection with the TradingNote service ("Service").

By accessing or using our Service, you acknowledge that you have read and understood this Privacy Policy. Where consent is required under applicable law, we obtain explicit consent through appropriate mechanisms. Use of the Service does not constitute blanket consent to all processing activities described herein.

If you do not agree, please do not use the Service.

1. DATA CONTROLLER INFORMATION

Data Controller: CYOINC
Service Name: TradingNote
Privacy Contact: [email protected]

CYOINC acts as the data controller under GDPR, CCPA/CPRA, South Korea PIPA, and Japan APPI.

1.1 Controller Status

For user-uploaded trading data, CYOINC acts as an independent controller solely for providing analytics and platform functionality. Users retain ownership of their trading data.

2. DATA PROTECTION PRINCIPLES

We adhere to:

• Lawfulness, fairness, transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality

3. INFORMATION WE COLLECT

3.1 Information You Provide

Account Information

• Name
• Email
• Encrypted password
• Country/region
• Optional profile data

Subscription & Payment Information

Payments are processed exclusively by Polar.sh.

We do not store:

• Full card numbers
• CVV codes
• Banking credentials

We may store:

• Billing name
• Invoice records
• Subscription status
• Transaction confirmation data

All payment processing is handled by Polar under their security and compliance standards.

Trading Data & User Content

You may upload:

• Trading history
• Journals and notes
• Performance records
• Portfolio summaries

We do not collect:

• Brokerage login credentials
• Banking login credentials
• Government ID numbers
• Precise geolocation
• Biometric data

Communications

Emails, support tickets, surveys, feedback.

3.2 Automatically Collected Data

• IP address (city-level inference only)
• Device & browser data
• Usage analytics
• Error logs
• Cookie data

4. HOW WE USE YOUR INFORMATION

4.1 Service Operation

• Account management
• Analytics processing
• Data visualization
• Platform functionality
• Data synchronization

4.2 Billing

• Subscription management
• Invoice processing
• Payment confirmations

4.3 Service Improvement

• Usage analysis
• Platform performance optimization
• AI system improvement using anonymized data
• Bug detection

4.4 Communications

• Service notifications
• Support responses
• Policy updates
• Marketing (only with required consent)

4.5 Security

• Fraud detection
• Abuse prevention
• Infrastructure protection

4.6 Legal Compliance

• Regulatory obligations
• Legal claims
• Recordkeeping

5. LEGAL BASIS (GDPR)

Contract Performance (Art. 6(1)(b))

Account management, analytics delivery, subscription billing.

Legitimate Interests (Art. 6(1)(f))

Service improvement, fraud prevention, analytics research.

Balancing tests confirm proportionality and user rights protection.

Consent (Art. 6(1)(a))

• Marketing communications
• Non-essential cookies
• Certain international transfers

Consent may be withdrawn at any time.

Legal Obligation (Art. 6(1)(c))

Tax, accounting, regulatory duties.

6. INFORMATION SHARING

We do not sell personal information.

We share data only with:

• Cloud hosting providers
• Polar (payment processing)
• Email service providers
• Analytics services
• Security providers

All processors are contractually bound by confidentiality and data protection obligations.

7. INTERNATIONAL DATA TRANSFERS

Data may be processed in jurisdictions outside your country.

Safeguards include:

• Standard Contractual Clauses (SCCs)
• Adequacy decisions
• Technical safeguards (encryption, access control)
• Consent where required

Users retain all statutory consumer protection rights.

8. DATA RETENTION

Active Accounts

Data retained while account is active.

After Account Closure

• Financial records: 7 years
• Fraud prevention logs: 5 years
• Support communications: 3 years
• Server logs: 90 days
• Backups: deleted within 90 days

Anonymized data may be retained indefinitely.

9. YOUR RIGHTS

Depending on jurisdiction:

GDPR

• Access
• Rectification
• Erasure
• Restriction
• Portability
• Objection
• Withdraw consent
• Complaint to authority

CCPA/CPRA

• Right to know
• Right to delete
• Right to correct
• Right to opt-out of sale (we do not sell)
• Non-discrimination

South Korea (PIPA)

• Access
• Correction
• Deletion
• Suspension

Japan (APPI)

• Disclosure
• Correction
• Suspension

Requests: [email protected]

10. COOKIES

We use:

• Essential cookies
• Analytics cookies
• Functional cookies
• Marketing cookies (consent-based)

Users can manage via browser or cookie settings.

11. AI AND AUTOMATED PROCESSING

TradingNote uses statistical analysis and machine learning models to generate analytical insights from user-uploaded trading data.

Important Clarifications

• AI outputs are informational and analytical only.
• We do not execute trades.
• We do not provide investment advice.
• We do not make legally binding automated decisions.
• Human oversight exists for account actions.

User Rights

You may request:

• Explanation of AI processing
• Human review
• Contestation of results

Contact [email protected].

12. DATA SECURITY

We implement:

• TLS encryption in transit
• Encryption at rest
• Role-based access control
• Security monitoring
• Incident response procedures

No system guarantees absolute security.

In case of breach, notification will occur per applicable law (GDPR 72-hour rule, etc.).

13. CHILDREN

Service is not intended for minors under applicable age of majority.

If discovered, data will be deleted promptly.

14. THIRD-PARTY LINKS

We are not responsible for third-party privacy practices.

15. POLICY CHANGES

Material updates will include:

• Updated Effective Date
• Website posting
• Email notification (if required)

Continued use constitutes acceptance unless consent is legally required.

16. CONTACT

CYOINC
[email protected]

Response commitment: Initial response within 5 business days.

17. JURISDICTION-SPECIFIC PROVISIONS

California

We do not sell personal information.

Users may opt-out of marketing cookies.

South Korea

Compliance with PIPA.

Japan

Compliance with APPI.

18. ACKNOWLEDGMENT

BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY.