โ Core principle: minimal collection, device-first storage
KSTA Calculator does not collect or store any personally identifiable information.
All personal data (portfolio, memos, settings, age-verification records, etc.) is stored only on your device (localStorage).
However, anonymous statistical data required for service operation (visit counts, feature usage counts) is aggregated via Firebase and does not identify users โ see section 2-4 for details.
๐ 1. Stored Information (device-internal only)
The following information is stored only in your device's localStorage and is not transmitted externally.
Type
Contents
Storage location
โ๏ธ Settings
Dark mode, language, voice options, theme colors
Device-local
๐ผ Portfolio
Held coins, quantities, average prices
Device-local
๐ Alerts
Target-price alerts, daily briefings, alert history
Device-local
๐ Investment memos
Voice memos, investment journal (v108)
Device-local
๐ Price history
24-hour price records (for chart analysis)
Device-local
๐ฌ AI conversation history
Recent AI conversations (temporary session cache)
Device-local
โ Consent records v127
Timestamps of terms / age-14+ consent
Device-local
๐ฒ Onboarding status
Whether first-entry guide was completed
Device-local
โญ Favorites
Frequently used conversion pairs, unit options
Device-local
๐ 2. Externally Transmitted Data
The data this service sends externally is limited to:
Contents: Coin symbol lookup requests (includes IP; no personally identifiable info)
Purpose: Real-time price lookup and Kimchi premium calculation. From v141, the 8 coins KSTA/LOUI/BTC/ETH/XRP/SOL/DOGE/TRX are polled directly against the LBank market-data endpoint (ccapi.rerrkvifj.com) for faster refresh.
Contains personal information? No (purely public API queries)
2-2. AI features (optional)
Targets: Anthropic / OpenAI / Google Gemini APIs (voice AI), AI backend via Cloudflare Workers (chat widget)
Contents: User-entered questions + market context (prices, some portfolio statistics)
Purpose: AI response generation
Condition: occurs only when AI features or chat widget are used
โน๏ธ Note on AI usage
AI providers (Anthropic, OpenAI, Google) have their own privacy policies. What you type or speak is sent to their servers, so please do not include sensitive personal information (national ID, card numbers, passwords, etc.).
2-3. PWA updates
App file updates via service worker (HTTPS)
No personally identifiable information
2-4. Firebase Realtime Database v135
We use Firebase (Google) for the following two purposes:
Announcements / events receiving (read-only): receives KSTA announcements / events posted by the operator in real time. No personal information is sent from the user side.
Anonymous usage statistics (aggregation only): records aggregate metrics needed for service-quality improvement, such as app visit counts, feature usage counts, error occurrences.
No personally identifiable information such as name, email, or phone number is recorded.
Only a randomly generated anonymous session ID is used, and it is discarded when the browser session ends.
Firebase is used only for the operator's internal statistics dashboard.
2-5. Push notifications v146+
When you enable push notifications, the following information is stored in the operator's Cloudflare Worker and Firebase Realtime Database:
Push endpoint URL (unique address issued by the browser โ FCM / Mozilla / Apple Push Service, etc.)
Morning briefing settings (enabled state, delivery time, nighttime-delivery consent time)
Subscription / renewal timestamps, device type (mobile / desktop), used language
Notification delivery history (last delivery time, failure count)
โ ๏ธ Personal-data relevance: The push endpoint URL may be interpreted as personally identifiable when combined with other information under privacy law, and is therefore managed at the same level as personal information.
Right to refuse: at any time via the browser's notification permission settings or the in-app unsubscribe button. Stored information is deleted immediately upon unsubscription.
Nighttime delivery consent (Korean Information & Communications Network Act ยง50-2): when setting the morning briefing time between 9 PM and 8 AM, separate consent for nighttime delivery is obtained. If you do not consent, that time cannot be set.
If the push body contains promotional information, it is prefixed with "(Ad)".
2-6. Cloudflare Insights
Cloudflare Web Analytics is used to aggregate page performance and traffic metrics.
Operates without cookies, with IP hashed / anonymized.
Not used for personal identification, ad tracking, or cross-site tracking.
๐๏ธ 3. Voice Data
Voice recognition / synthesis uses the browser's Web Speech API:
iOS Safari: uses Apple's voice services
Android Chrome: uses Google's voice services
Desktop: uses the respective browser vendor's services
Voice data is not transmitted to KSTA servers and follows the policy of the browser / OS vendor.
๐ก Tip
During voice recognition, please do not say sensitive personal information (national ID, passwords, etc.).
๐ช 4. Cookies and Tracking
โ No ad cookies / no cross-site tracking
This service does not use advertising cookies, tracking pixels, Google Analytics, or ad networks at all. Firebase is used only for anonymous aggregation without identifiable personal information (see 2-4).
The storage / communication technologies used are:
localStorage: device-internal storage for settings / portfolio / memos
All communication is encrypted with HTTPS (TLS 1.3).
External API calls are also made over HTTPS only.
5-2. Storage security
localStorage is accessible only from the corresponding domain.
For sensitive information, using the device's own security (PIN, biometrics) is recommended.
5-3. Data deletion
You can delete all data via the following methods:
In-app: "Reset data" in Settings (planned)
Browser: Settings โ Privacy โ Delete site data
iOS: Settings โ Safari โ Clear History and Website Data
Android: Chrome Settings โ Privacy โ Clear browsing data
๐ฆ 5-4. Processing Outsourcing Status (Korean Personal Information Protection Act ยง26) v146+
The operator outsources some processing to the following companies for service delivery. All processors maintain appropriate security levels and are managed safely under processing agreements or terms.
Processor
Outsourced task
Processed data
Cloudflare, Inc. (USA)
CDN, Workers (API backend), KV/D1 storage, Web Analytics
IP (hashed), push endpoint, anonymous statistics, analytics data
Google LLC / Firebase (USA)
Realtime Database, App Check, Analytics, FCM
Push subscription info, anonymous statistics, announcement / news data
Anthropic / OpenAI / Google Gemini
AI chat / voice response generation (only when activated by the user)
User-entered text / voice (one-time per conversation)
Mozilla Push / Apple Push
Firefox / Safari push delivery (when those browsers are used)
Push endpoint URL, notification payload
โป If processors change or are added, this policy will be updated to notify users.
๐ค 6. User Rights
Users have the following rights:
๐ Right of access: all device-stored data is viewable within the app
โ๏ธ Right of correction: all settings / portfolios can be directly edited
๐๏ธ Right of deletion: individual items or all data can be deleted
๐ซ Right to object to processing: AI / voice features can be turned off
๐ค Right of portability: (planned) data export feature
Since this service does not retain personal information on a server, users can exercise all rights themselves.
๐ถ 7. Child Protection ยท Age Verification strengthened in v127+
This service targets users aged 14 or older.
At first entry, you must select two checkboxes (age 14+ confirmation + terms acceptance) to begin using the service.
Children under 14 cannot use the service. Even those over 14 should use the service at their own discretion.
Consent records are stored only in the device's localStorage and are not transmitted to the operator.
These measures aim to comply with Korea's "Act on Promotion of Information and Communications Network Utilization and Information Protection", the EU GDPR, and minor-protection laws in each country.
๐ 8. International Users
This service is operated from the Republic of Korea, but is available worldwide.
๐ช๐บ GDPR: This service does not collect personal information, so most GDPR clauses do not apply.
๐บ๐ธ CCPA: No "sale" of personal information. California resident rights are respected.
๐ฐ๐ท Korean Personal Information Protection Act: We comply with Korean laws.
๐ค 9. AI Features in Detail (v76 ~ v141)
9-1. Voice AI Assistant
Voice input โ browser voice API โ text
Text โ admin-shared AI provider (Anthropic / OpenAI / Google) โ response
Response โ displayed in app + read aloud
9-2. AI Chat Widget v135
Typed conversation via the bottom-right chat button
Requests are routed to the AI provider via a Cloudflare Worker
The Cloudflare Worker is a simple proxy to protect the API key and does not store conversations
Conversation logs are discarded when the chat window is closed (no permanent server storage)
9-3. Information the AI provider receives
The user's question text
Market context (current prices, some portfolio statistics)
System prompt (instructions the app gives the AI)
9-4. Information the AI provider does not receive
Personally identifiable information (name, email, phone number)
Data from other users
The full precise amounts of your portfolio (only summary statistics are passed when needed)
๐ฐ 10. Announcement / Event Feed v135
The KSTA announcements / events feed on the main screen receives real-time data, read-only, from Firebase Realtime Database.
In this process, no user personal information is transmitted.
Announcement content is composed, reviewed, and posted by the operator, with an automatic disclaimer attached.
The record of which announcements a user has read (read/unread) is kept only in the device.
๐ 11. Policy Changes
This policy is updated as needed.
Important changes are notified via the in-app announcement feed.
Changes can be confirmed via the "Last updated" date.
For inquiries about personal information, correction / deletion requests, or rights exercise, please email the above and we will reply within 7 business days.