Privacy Policy

TalTal Stock Privacy Policy

Explains what personal data is processed during signup, analysis, billing, and support flows, why it is processed, how long it is retained, and how users can exercise their rights.

Document version: 2026-04-15.v1 · Effective 2026-04-15
Processors: 11

1. Purpose Of Processing

  • Account signup, login, email verification, and account security.
  • AI-powered analysis services, subscriptions, billing, and refunds.
  • Customer support, abuse prevention, service operations, and incident response.
  • Legal record retention and service-quality improvement.

2. Categories Of Personal Data

  • Required: email address, password hash, signup and verification metadata.
  • Billing/subscription: plan information, payment status, merchant UID, receipt URL, and related billing records.
  • Automatically collected: IP/log data, session identifiers, locale-preference cookies, and service usage records.
  • Optional or conditional: Google social-login profile data, support inquiry contents, and analysis request contents.

3. Retention Period

  • Account information is deleted without undue delay after withdrawal or when no longer needed, except where retention is required by applicable law.
  • E-commerce transaction and payment records are retained for the period required by applicable law.
  • Access logs and security-operation data are retained within the scope needed for security and incident response.
  • Consent history and policy-version records are retained as compliance evidence and dispute-response materials.

4. Processors And Possible Overseas Processing

The processors and service providers confirmed from the current codebase are Self-operated application hosting, Self-operated PostgreSQL database, NextAuth session management, Google OAuth, Configured SMTP mail provider, PortOne, OpenAI, Anthropic, Google AI / Gemini, Perplexity, and Essential cookies.

Some payment, email, authentication, and AI providers may process data outside Korea. The published processor list should be limited to providers that are actually enabled in production.

5. Third-Party Sharing

  • The service does not sell personal data or disclose it arbitrarily to unrelated third parties.
  • Exceptions may apply where disclosure is required by law, required for payment handling, or triggered by a provider the user intentionally selects such as social login or enabled AI analysis providers.

6. Data Subject Rights

  • Users may request access, correction, deletion, or suspension of processing by contacting support@taltalstock.store.
  • The service responds without undue delay after verifying the requester, within the scope allowed by law.
  • Privacy complaints or rights requests may also be directed to the privacy officer listed below.

7. Destruction Of Personal Data

  • When retention expires or the processing purpose ends, personal data is destroyed so that recovery or reuse is not reasonably possible.
  • Electronic files are deleted using technical methods designed to prevent restoration, and paper documents are shredded or otherwise destroyed.

8. Privacy Officer

  • Name: 홍길동
  • Contact: privacy@taltalstock.store

9. Cookies And Similar Technologies

Launch with essential cookies only and disclose them in the privacy policy.

Repository review confirmed locale and authenticated-session cookies, but did not confirm analytics or marketing trackers.

  • At the current launch, no separate cookie banner or preference center is shown because only essential cookies are in use.
  • Essential cookies currently include authenticated-session continuity and locale preference.
  • If analytics or marketing cookies are introduced later, the service will add explicit notice and consent controls.

10. Policy Changes

If this policy changes, the service will provide advance notice of the effective date and the reason for the change through the site or email when appropriate.

The current published version is 2026-04-15.v1, effective 2026-04-15.

Processor inventory

Processor inventory confirmed from the current codebase

Remove providers that are not enabled in production and publish only the providers actually used in the live environment.

Self-operated application hosting (operator-confirmation-required)

Runs the Next.js application, middleware, and service APIs.

  • Data categories: account identifiers, analysis requests, support submissions, session metadata, IP/log data
  • Destinations: application server logs, runtime memory, service APIs
  • Trigger: Any page visit, account action, analysis request, or support submission.

Operator must confirm the production hosting vendor or infrastructure name before launch.

Self-operated PostgreSQL database (operator-confirmation-required)

Stores accounts, subscriptions, payments, analysis history, and support-related records kept by the service.

  • Data categories: email address, hashed password, subscription records, payment records, analysis history, consent records
  • Destinations: PostgreSQL database
  • Trigger: Account creation, login, subscription management, and analysis persistence.

Operator must confirm the actual managed database or hosting vendor before launch.

NextAuth session management (code-confirmed)

Maintains authenticated sessions for account access.

  • Data categories: session token, account identifier, preferred locale
  • Destinations: HTTP-only session cookie, application auth middleware
  • Trigger: Login, authenticated navigation, and session refresh.

The service uses NextAuth cookies such as `next-auth.session-token` or `__Secure-next-auth.session-token` depending on transport.

Google OAuth (config-confirmed)

Optional social login provider for account authentication.

  • Data categories: email address, profile name, profile image, OAuth account identifier
  • Destinations: Google identity platform, application auth database
  • Trigger: Only when Google login is enabled and the user chooses Google sign-in.

This processor should be disclosed only if Google login remains enabled in production.

Configured SMTP mail provider (operator-confirmation-required)

Sends verification emails, password reset emails, and support email notifications.

  • Data categories: email address, email content, support message content
  • Destinations: outbound SMTP delivery, support mailbox
  • Trigger: Signup verification, password reset, and support-contact workflows.

Operator must confirm the branded mail processor name used in production SMTP settings.

PortOne (code-confirmed)

Processes subscription checkout and payment verification.

  • Data categories: payer email, subscription plan, merchant UID, payment status, receipt URL
  • Destinations: PortOne checkout SDK, PortOne payment API
  • Trigger: Subscription purchase, payment verification, cancellation, and webhook handling.

If an underlying acquiring PG is separately disclosed, add that vendor to the published policy as well.

OpenAI (code-confirmed)

Optional AI analysis and web-search synthesis provider supported by the current codebase.

  • Data categories: analysis prompts, symbol/company context, generated report content
  • Destinations: OpenAI API
  • Trigger: Only when an OpenAI-backed analysis mode is selected or enabled in production.

If OpenAI is disabled in production, remove it from the published processor list.

Anthropic (code-confirmed)

Optional AI analysis provider supported by the current codebase.

  • Data categories: analysis prompts, symbol/company context, generated report content
  • Destinations: Anthropic API
  • Trigger: Only when an Anthropic-backed analysis mode is selected or enabled in production.

If Anthropic is disabled in production, remove it from the published processor list.

Google AI / Gemini (code-confirmed)

Optional AI analysis provider supported by the current codebase.

  • Data categories: analysis prompts, symbol/company context, generated report content
  • Destinations: Google Generative Language API
  • Trigger: Only when a Google-backed analysis mode is selected or enabled in production.

If Google AI is disabled in production, remove it from the published processor list.

Perplexity (code-confirmed)

Optional AI analysis provider supported by the current codebase.

  • Data categories: analysis prompts, symbol/company context, generated report content
  • Destinations: Perplexity API
  • Trigger: Only when a Perplexity-backed analysis mode is selected or enabled in production.

If Perplexity is disabled in production, remove it from the published processor list.

Essential cookies (code-confirmed)

Stores locale preference and authenticated session continuity.

  • Data categories: locale preference, session token
  • Destinations: taltal-locale, next-auth.session-token, __Secure-next-auth.session-token
  • Trigger: Locale switching and authenticated browsing.

No analytics or marketing tracker was confirmed in the repository at planning time.