This Privacy Policy explains how CoinKirin (the "Service", "we", "us", or "our") collects, uses, shares, and protects personal data of visitors and registered users ("you"). It is written to comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and the People's Republic of China Personal Information Protection Law (PIPL). By using CoinKirin you acknowledge that you have read and understood this Policy.
1. Data controller
The entity responsible for processing your personal data (the "data controller" under GDPR, or the "personal information handler" under PIPL) is:
- Entity: CoinKirin.com
- General privacy contact: privacy@coinkirin.com
- Data Protection Officer (DPO): dpo@coinkirin.com
- EU representative (GDPR Art. 27): We are in the process of appointing an EU representative. Until one is designated, please contact us at privacy@coinkirin.com.
- PIPL representative in China: Not yet designated. Chinese users may contact privacy@coinkirin.com with the subject "PIPL Request".
2. Categories of personal data we collect
We collect the minimum data necessary to operate the Service. Specifically, we process the following categories of personal data:
Account data
Email address, password (stored only as a bcrypt hash with cost factor 12 — we never see or store the plaintext), TOTP secret for two-factor authentication (AES-GCM encrypted at rest), display name, account creation timestamp.
User preferences
Language, theme, locale, notification preferences, currency preference.
Financial data (user-entered)
Portfolio holdings, watchlist entries, price alert rules. This data is entered voluntarily by you and is never transmitted to external brokers or exchanges — it is used solely to power features you request.
Device and technical data
IP address (truncated to /24 before use in analytics), User-Agent string, device fingerprint / refresh-token device ID, screen resolution and locale (optional, client-side only).
Usage data
Pages viewed, features used, search queries, click events, Core Web Vitals (LCP, CLS, INP), and anonymized error reports.
Cookies and similar technologies
Strictly necessary cookies (session, CSRF, locale), preference cookies (theme), and — only with your explicit consent — analytics cookies. See our Cookie Policy for the full list.
We do not intentionally collect special-category data (race, religion, health, sexual orientation, political opinions, biometric or genetic data). Please do not submit such data to us.
3. How we collect your data
We obtain personal data in the following ways:
Directly from you
When you register an account, edit your profile, enter portfolio holdings, submit a support request, or otherwise interact with the Service.
Automatically
Through cookies, server logs, and usage analytics when you visit the Service.
From third parties
Cloudflare provides us with approximate country information derived from your IP address for security and localization purposes. We do not purchase personal data from data brokers.
4. Purposes of processing and legal bases
Under GDPR Article 6, we only process your personal data when at least one lawful basis applies. The table below lists our purposes and the corresponding legal basis:
| Purpose | Legal basis |
|---|---|
| Providing the Service (account creation, authentication, serving market data, portfolio and watchlist features) | Performance of a contract (GDPR Art. 6(1)(b)) |
| Security, abuse prevention, and fraud detection (rate limiting, CAPTCHA, anomaly detection, audit logging) | Legitimate interests (GDPR Art. 6(1)(f)) |
| Transactional emails (email verification, password reset, security alerts, welcome messages) | Performance of a contract / legitimate interests |
| Product analytics and improvement of the Service | Legitimate interests, with opt-out via cookie settings |
| Marketing emails and promotional content (future feature) | Consent (GDPR Art. 6(1)(a)); you may withdraw consent at any time |
| Complying with legal obligations (tax records, responding to lawful requests) | Legal obligation (GDPR Art. 6(1)(c)) |
5. Data retention
We retain personal data only for as long as necessary to fulfill the purposes described above, or as required by law. Specifically:
- Account data: for the lifetime of your active account. After you request deletion, your account enters a 30-day soft-delete grace period during which you may restore it; after that, it is permanently deleted.
- Audit logs (general): 1 year.
- Audit logs covering critical events (admin actions, account deletions, security incidents): up to 7 years, where required for regulatory compliance.
- Client error reports: 90 days (automatic TTL).
- Analytics data: 90 days (automatic TTL), after which it is either deleted or fully aggregated / anonymized.
- Refresh tokens: maximum 30 days; expired tokens are purged automatically.
- Backups: up to 35 days, encrypted at rest, then rotated out.
6. How we share your data
We do not sell your personal data. We do not share your personal data for cross-context behavioral advertising as defined under the CCPA/CPRA.
We rely on a limited number of trusted sub-processors who act on our instructions under written data processing agreements (DPAs) with Standard Contractual Clauses (SCCs) where applicable:
Active sub-processors
| Provider | Service | Data processed | Location | DPA / SCC |
|---|---|---|---|---|
| Cloudflare, Inc. | DNS, CDN, DDoS protection, WAF, Turnstile (bot protection), Access (zero-trust tunnel) | IP addresses, user-agent, TLS metadata, request paths, Turnstile challenge tokens | US (global edge; EU PoPs available) | DPA + SCC (Module 2) |
We announce new sub-processors at least 30 days before activation on this page (subscribers can monitor it via the public RSS feed at /sub-processors.xml or by checking back periodically). You have the right to object to a new sub-processor under GDPR Art. 28(2).
Planned / conditional sub-processors
The following are not currently engaged but are on our roadmap. We will announce activation 30 days in advance.
- Grafana Labs, Inc. (Grafana Cloud) — If we migrate observability from self-hosted
- Anthropic, PBC — If/when AI / MCP features launch
Not sub-processors
The following providers do not process user personal data and are therefore not listed as sub-processors: GitHub (code hosting only), npm / Go module proxy (dependencies), Let's Encrypt (TLS certificates), Docker Hub (image distribution).
Your right to object
You may object to a new sub-processor at any time by writing to dpo@coinkirin.com. If we cannot reasonably accommodate your objection, you retain the right to delete your account and export your data first.
Legal disclosures
We may disclose personal data when required by applicable law, court order, or valid legal process — for example, in response to a subpoena or a regulatory request. Where legally permitted, we will notify affected users before disclosure.
Business transfers
If CoinKirin is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify users and provide a meaningful choice where required by law.
7. International data transfers
Backups and sub-processor infrastructure may also be located in the United States.
For users in the European Economic Area, the United Kingdom, and Switzerland, transfers of personal data to the United States rely on the European Commission's Standard Contractual Clauses (SCCs) as the appropriate safeguard under GDPR Article 46. A copy of the SCCs may be requested at privacy@coinkirin.com.
For UK users, we rely on the UK International Data Transfer Addendum to the SCCs.
For users in the People's Republic of China, your personal information will be transferred, stored, and processed outside of mainland China, primarily in the United States. By creating an account and using CoinKirin, you expressly consent to this cross-border transfer of your personal information as required by PIPL Articles 38–39. You may withdraw this consent at any time by deleting your account; note that we cannot provide the Service without such transfer.
8. Your rights
Depending on where you reside, you have the following rights regarding your personal data. We honor these rights for all users to the greatest extent practical, regardless of jurisdiction.
Right of access / right to know
You may request a copy of the personal data we hold about you. Registered users can export their data at any time via /api/v1/auth/me/export ("Export my data" in profile settings). (GDPR Art. 15 / CCPA right to know / PIPL Art. 45.)
Right to rectification
You may correct inaccurate or incomplete personal data via your profile page. For data that you cannot edit directly, contact privacy@coinkirin.com. (GDPR Art. 16.)
Right to erasure / right to delete
You may delete your account from the profile page. Deletion triggers a 30-day soft-delete period, after which your account and associated personal data are permanently erased from production systems. Backups containing your data roll off within 35 days. (GDPR Art. 17 / CCPA right to delete / PIPL Art. 47.)
Right to restrict processing
You may ask us to restrict processing of your personal data in certain situations (e.g., while you contest its accuracy). Contact privacy@coinkirin.com. (GDPR Art. 18.)
Right to data portability
The data export endpoint returns your data in a structured, commonly-used, machine-readable JSON format. (GDPR Art. 20 / PIPL Art. 45.)
Right to object
You may object to processing based on legitimate interests, including direct marketing. Every marketing email contains a one-click unsubscribe link. (GDPR Art. 21.)
Right to withdraw consent
Where processing is based on consent (e.g., analytics cookies, marketing emails), you may withdraw consent at any time via our cookie banner ("Reject all") or by unsubscribing.
Right regarding automated decision-making
We do not subject users to solely automated decisions that produce legal or similarly significant effects.
California-specific rights (CCPA/CPRA)
California residents may additionally request disclosure of the categories of personal information collected, the sources of such information, the business purpose for collecting it, and the categories of third parties with whom it is shared. We do not sell your personal information and have not done so in the preceding 12 months.
PIPL-specific rights
Users in China have rights equivalent to those above, plus the right to have a copy of your personal information transferred to another handler, and the right to lodge a complaint with the Cyberspace Administration of China (CAC).
Right to lodge a complaint
You may lodge a complaint with your local Data Protection Authority. EU users can locate their DPA at https://edpb.europa.eu/about-edpb/about-edpb/members_en. We would appreciate the chance to address your concerns directly first — please email privacy@coinkirin.com.
How to exercise these rights
Where possible we have built self-service tools into the Service (export, delete, unsubscribe). For all other requests, email privacy@coinkirin.com. We will respond within 30 days (GDPR / PIPL) or 45 days (CCPA). We may ask you to verify your identity before acting on a request.
9. Children's data
CoinKirin is not intended for, and we do not knowingly direct the Service to, individuals under 18 years of age. In particular, we do not knowingly collect personal information from children under 13 (COPPA in the United States) or under 16 (GDPR Art. 8 in the EU). If we learn that we have collected personal data from a child without parental consent, we will delete it promptly and, where appropriate, notify the parent or guardian. If you believe we have collected data from a child, please contact privacy@coinkirin.com.
10. Security measures
We implement appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including:
- TLS 1.2+ encryption for all data in transit.
- AES-GCM encryption at rest for TOTP secrets and other high-sensitivity fields.
- Passwords hashed with bcrypt at cost factor 12 — never stored or transmitted in plaintext.
- HTTPS-only, HSTS preloaded, strict Content Security Policy (CSP), and modern security headers.
- Rate limiting, Cloudflare Turnstile CAPTCHA on sensitive endpoints, and optional TOTP two-factor authentication for user accounts.
- Comprehensive audit logging for all administrative actions.
- Principle of least privilege for employee access, with access reviews and role-based permissions.
- Regular dependency scanning and security patching.
While we take security seriously, no system is 100% secure. You are responsible for keeping your account credentials confidential.
11. Data breach notification
In the unlikely event of a personal data breach, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly by email and in-app notification without undue delay.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be notified to registered users by email (where we have an address on file) and via a prominent notice on the Service at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
Previous versions of this Policy are archived. To request a copy of a historical version, email privacy@coinkirin.com.
13. How to contact us
For any privacy-related question or to exercise your rights, please use the appropriate channel below:
- General privacy inquiries: privacy@coinkirin.com
- Data Protection Officer: dpo@coinkirin.com
- California CCPA requests: privacy@coinkirin.com — subject line: "CCPA Request"
- China PIPL requests: privacy@coinkirin.com — subject line: "PIPL Request"
- Postal mail: Contact us by email first; a postal address will be provided on request.