Privacy Policy
Last updated: May 22, 2026
1. Who
The Korean Data MCP Hub team operates the Service. Privacy contact: privacy@korean-data.com.
2. What We Collect
- Email — for account, API key delivery, billing receipts, service notices
- API usage logs — tool_name, called_at, query_hash (one-way SHA-1 of query, not the query itself), user_id
- Payment events — top-up amount, Paddle transaction ID, timestamp. Card data is never visible to us; Paddle (PCI-DSS) handles all payment processing.
- Auth tokens — managed by Supabase Auth; magic-link JWTs stored in your browser
3. What We Don't Collect
- Query content (only the SHA-1 hash of the query is stored, never the query text itself)
- Device fingerprints
- Tracking cookies, Google Analytics, advertising trackers
- Behavioral profiles
4. How We Use It
- Service operation (authentication, quotas, transactional emails)
- Anomaly detection (abuse patterns, fraud signals)
- Aggregate analytics (server-side counts, no individual identification)
5. Sub-processors
| Sub-processor | Purpose | Region |
|---|---|---|
| Paddle.com | Payment processing, Merchant of Record | UK / EU |
| Supabase | Database, Auth, Edge Functions | US / EU |
| Resend | Transactional email | US |
| Apify | MCP server hosting | EU |
| Anthropic (optional) | AI agent operations; customer emails are masked before being sent | US |
We do not sell or share your data with advertisers. No third-party tracking.
6. Your Rights
- Access — request a copy of your data
- Rectify — correct inaccurate information
- Erase — delete your account and associated data
- Port — receive your data in JSON
- Object — opt out of non-essential processing
- Withdraw consent — disable auto top-up anytime from the dashboard
Email privacy@korean-data.com — we respond within 30 days.
7. Cookies & Browser Storage
Essential only:
- Supabase Auth session (browser localStorage)
- Dashboard temporary API key cache (tab-scoped sessionStorage, cleared on tab close)
- CSRF token (session cookie)
No advertising cookies. No analytics scripts. You may clear browser storage at any time.
8. Retention
- Active accounts: indefinite while in use
- Inactive accounts (12 months zero activity): reviewed and pruned
- Deleted accounts: 90 days, then permanently removed
- API usage logs (including query_hash): 12 months
- Payment records: retained as required by Paddle and applicable tax laws
9. Security
- HTTPS / TLS 1.2+ only
- API keys stored as SHA-256 hashes (plaintext never in DB)
- Row-level security on sensitive tables
- Payment data handled by Paddle (PCI-DSS)
- Automated security scans on every code change
10. Minors
The Service is not intended for minors. We do not knowingly collect data from children. If you believe a minor has provided data, email privacy@korean-data.com for immediate deletion.
11. International Transfers
Data may be processed in the US and EU via the sub-processors listed in §5. Standard contractual protections are in place with US providers.
12. Changes
Material changes: 30 days' email notice. Continued use = acceptance.