Transparency Register
Version 1.0 · Last updated April 2026
The principle
If we monitor it, we disclose it. If we disclose it, we get consent. If we can't get consent, we don't do it.
This register lists every category of data PaperRush collects, why we collect it, who sees it, and how long we keep it. If it is not on this list, we do not do it.
Categories are listed by what we store. Retention columns use Auto when the data is automatically purged after the stated window with no manual action required.
| What | Why | Who sees it | Retention | Deletable |
|---|---|---|---|---|
| Account information | Identify you across sessionsDeleted when you delete your account | You, admins | Account lifetime | Yes |
| Profile data | Personalize the app, leaderboard display | You, leaderboard viewers (public fields only) | Account lifetime | Yes |
| Trading activity | Platform functionality, performance history | You, leaderboard (public stats only) | Account lifetime | Yes |
| Watchlists, predictions, challenges | Platform functionality | You, opponents (challenge participants only) | Account lifetime | Yes |
| Mirror conversations & transcripts | Digital twin feature you opted into | You only (encrypted at rest, AES-256-CBC) | Until you delete them | Yes |
| PaperCoin transactions | Virtual economy recordFinancial audit trail — non-deletable by design | You, counterparty, audit log | Permanent | No |
| Login & session data | Security, abuse prevention | System, security audit | 90 days | Auto |
| API call patterns | Rate limiting, anomaly detection | System, security audit | 90 days | Auto |
| Behavioral patterns | Anomaly detection (security only)Not reviewed by humans unless flagged for abuse | Automated system only | 30 days | Auto |
| Graffiti posts | Social feature you opt into per postAuthor can delete before expiry | Public (while live) | 24–48 hours (auto-expire) | Yes |
| Feedback submissions | Bug reports, feature requests | Admins, PO | Until resolved + 90 days | Yes |
| Cookies & local preferences | Authentication, UI settingsAnalytics cookies only with explicit consent | Your browser only | Until you clear them | Yes |
At any time you can ask:
Export your data now: /api/user/export (returns JSON when logged in, rate limited to 3 requests per hour).
Everything is at-will. You can delete your account any time. No lock-in, no forced retention, no “you can't leave because we have your data.” Delete means delete, except where an audit trail is required (those cases are flagged No in the register).
Before anything new is added to this register we document it, get legal review, announce it with 7 days of notice, and collect fresh consent. Retroactive monitoring — analyzing existing data for a new purpose — is prohibited.
When this register changes materially, existing users are re-prompted for consent on their next session. You can always re-read this page to see the current version.
The full Privacy Policy covers legal framing and third-party services. The Legal & Data Sources page lists provider attributions.
Questions? Use the feedback form.
Register version 1.0 · See Issue #250 for the doctrine this implements.