Privacy policy

2024.04.02

1. Privacy Policy

ASTRA: Knights of Veda SERVICE PRIVACY POLICY

Article 1 Privacy Notice

This Privacy Policy (this “Policy”) is issued by HYBE IM Co., Ltd. (“HYBE IM,” "Company", “we,” “us,” or “our”) and is addressed to our general customers, visitors to our Sites, users of our Apps and other users of our services (together, “you”). In this Policy, the term “App” means any application made available by us (including where we make such applications available via third-party stores or marketplaces, or by any other means), and the term “Site” means any website operated, or maintained, by us or on our behalf. However, services with their own privacy notice will adhere to their own privacy notice.

As this Policy may be amended or updated from time to time, we encourage you to regularly check this Policy to review any changes with the terms.

The definition of “personal information” used in this Policy is as follows:

The term “personal information,” as used in this Policy, shall mean personal information as defined under Article 2 of the Personal Information Protection Act; for the purposes of the General Data Protection Regulation 2016/679 (the “GDPR”) and the UK Data Protection Act 2018, “personal information” shall mean information that is about any individual, or from which any individual is directly or indirectly identifiable, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual; and, for the purposes of the California Consumer Privacy Act (the “CCPA”), “personal information” shall be read to also include information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Article 2 Purposes of Processing Personal Information

We process your personal information for the following purposes pursuant to applicable law:

Purposes of Processing

To provide our Sites, Apps, products and services: Providing our Sites, Apps, products or services; creating an account; providing customer support on the use of services; identifying and preventing wrongful uses; providing functions for joining the and for activities; performing statistical analyses; providing promotional materials (upon request); and communicating with you in relation to our Sites, Apps or services, provision and operation of event services (confirming participants for events, providing and delivering prizes to winners, handling other complaints), providing individually customized products, and legal representative certification.

To operate our business: Operating and managing our Sites, Apps and services; providing content to you; the identification uses or other wrongful uses; communicating and interacting with you via our Sites, Apps or services; and notifying you of changes to any of our Sites, Apps or services.

To perform communications and marketing activities: Communicating with you via any means (including via email and app push alerts) to provide news items and other information in which you may be interested, subject to obtaining your prior opt-in consent to the extent required under applicable law; personalizing our Sites, products and services for you; maintaining and updating your contact information where appropriate; where applicable, enabling you to opt-out to withdraw your consent to or unsubscribe from emails sent by us, and recording your choice.

To manage IT systems: Managing and operating our communications, IT and security systems; and auditing (including security audits) and monitoring such systems.

To improve our Sites, Apps and services: Identifying issues related to our Sites, Apps or services; planning improvements to our Sites, Apps or services; and developing new Sites, Apps or services.

Article 3 Processed Personal Information

The personal information that we process about you is as follows:

What is "required items"?: Information required to provide the service's fundamental functions
What is "optional items"?: Information collected additionally to provide specialized services (Your use of the service will not be restricted even if you do not enter optional items.)

[Required items]

Process timing	Personal information Processed	Period for retention and use
Information required to be collected upon account creation	(Common) identification value linked to the member, e-mail address, character nickname, date of birth (Korean users) Personal identification information (name, date of birth, gender, nationality, mobile phone number, connecting information (CI), mobile carrier information)	30 days after users’ request to withdraw from the service
Upon pre-registration of the service	(For users logging-in from South Korea, Taiwan, Hong Kong, or Macau) Mobile phone number (For users logging-in from regions other than the above) E-mail address	1 year after the service launch
Upon participating in events and promotions	Name, mobile phone number, gender, date of birth, e-mail address, social media platform ID, address	Period indicated on each event page
Upon receipt of customer inquiry	character nickname, e-mail address, identification value linked to the member, payment information, device information, service access environment, and other information required for consultation	3 years after registration of inquiry in accordance with relevant laws and regulations
Upon receipt of customer inquiry	Name, mobile phone number, date of birth, gender, address, personal identification information
Upon reporting service-related issues	character nickname, device information, and service access environment	3 years after registration of inquiry in accordance with relevant laws and regulations
Upon log-in and using the service	Information automatically generated by cookie, service use history (date of access/log-in, IP address, fraudulent use/access, etc.), device information (unique device identifiers and OS version) and logged-in country, advertisement identifier(ADID, IDFA)	30 days after withdrawal from the service or period stated in relevant laws.
Tax and Public Fees Processing	Resident registration number, name	For 5 years from the progressed date, as stated in relevant laws
Refund Processing	Account information (account holder’s name, account number, bank name)	For 5 years from the progressed date, as stated in relevant laws

[optional items]

Time of processing	Personal information Processed	Period for retention and use
Send of promotional alerts for event	Email, mobile phone number (telephone number), App Push Identification	For 30 days after leaving the service, or until you unsubscribe from promotional alerts for the event.

Our service is not offered for children. If we discover that we have collected the personal information of a child, we will delete the information and cancel the user's account. If you believe that we have collected information of a child, please inform us via contact information in Article 13.

Age definition of “children”
- South Korea: Under 14 years old
- United States: Under 13 years old
- Other regions: Under 16 years old

Article 4 Provision of Personal Information to Third Parties

Except in the following cases, we do not provide third parties with your personal information, unless you consent thereto or the disclosure is otherwise expressly prescribed in applicable law.

In addition, in accordance with relevant laws and regulations, we may share personal information without your consent to the extent that such sharing is reasonably related to the purpose of the collection of such personal information. In the foregoing case, we will comprehensively consider factors such as whether the sharing is related to the original purpose of collection, whether the sharing is predictable in light of the circumstances under which the personal information was collected or under usual processing practices, whether the sharing unreasonably infringes upon your interests and whether security measures such as pseudonymization or encryption have been implemented.

Article 5 Entrustment of Personal Information

When necessary for the purposes of service use, performing contractual obligations and improving member convenience, we entrust the processing of personal information to specialized service providers or utilize specialized platforms, within the scope disclosed in this Privacy Notice.

1) Details About Entities To Which Personal Information Is Outsourced

In the event of outsourcing the processing of personal information to use the service

The status of sub-outsourcing of the outsourced tasks may be confirmed through the privacy policy of the outsourced entity.

Outsourced person	Outsourced tasks
Gamedex Corp.	Customer support and consultation, complaint handling
ONIONFIVE Inc.	Customer center system operation and management
GranMonster	Event and marketing support and event operation, prize shipping, and responding to inquiries
Korea Mobile Certification Inc.	Identity verification and response to inquiries
Daou Tech., Inc.	Text messaging (SMS, LMS), e-mail sending and system management
Major Nine Co.,Ltd.	Event and marketing support and event operation, prize shipping, and responding to inquiries
Co. Easter C& I	Event and marketing support and event operation, prize shipping, and responding to inquiries

2) Details About platform companies

Current status of platform providers

Consignee	Consigned tasks
Amazon Web Services, Inc.(Seoul)	Cloud server operations and management

When signing the consignment contract to entrust the personal information processing, we include clauses stating the consignee's responsibilities such as the prohibition of processing personal information for purposes other than entrusted tasks, technical/administrative measures, prohibition of reconsigning, managerial and supervision of consignee, and compensations for damages, and we supervise the consignees to handle the information safely.

We will immediately disclose when there is any change in the entrusted tasks or consignees via the Notice.

Article 6 International Transfer of Personal Information

For the purposes of providing our services and enhancing users’ convenience, we may transfer and/or manage your personal information overseas as follows. The details on our international transfer of personal information are described below.

1) Consignment of Personal Information Processing

Recipient of personal information (Contact information of information officer)	HYBE JAPAN (hybeim_privacy@hybecorp.com)
	Digital Hearts : (cs-management@digitalhearts.com)
Country where the information is provided	Japan
Date and method of provision	Transfer via network when using game services
Purpose of provision	Service operation in Japan, customer support and consultation, complaint handling
Information provided	Nickname, e-mail address, payment information, and other information required for consultation
Retention and Use Period	30 days after users’ request to withdraw from the service or until the contract expires

Recipient of personal information (Contact information of information officer)	Gdex (billy@g-dex.biz)
Country where the information is provided	Philippines
Date and method of provision	Transfer via network when using game services
Purpose of provision	Customer support and consultation, complaint handling
Information provided	Nickname, e-mail address, payment information, and other information required for consultation
Retention and Use Period	30 days after requesting to withdraw from the service or until the contract expires

Recipient of personal information (Contact information of information officer)	GAME FIRST INTERNATIONAL CORPORATION (aovservice@gamefirst.com.tw)
Country where the information is provided	Taiwan
Date and method of provision	Transfer via network when using game services
Purpose of provision	Customer support and consultation, complaint handling, Community and Event management
Information provided	Nickname, e-mail address, payment information, and other information required for consultation
Retention and Use Period	30 days after requesting to withdraw from the service or until the contract expires

Recipient of personal information (Contact information of information officer)	SOFTWORLD INTERNATIONAL CORPORATION (koalawu@soft-world.com.tw, weiwang@soft-world.com.tw, service@mycard520.com.tw)
Country where the information is provided	Taiwan, Hong Kong, Macau
Date and method of provision	Transfer via network when using game services, Transfer via network at the point of purchase.
Purpose of provision	Event and marketing support and event operation, Send marketing LMS messages to consenters, Payment service
Information provided	e-mail address, mobile phone number, payment information
Retention and Use Period	1 year after the service launch, or 30 days after a withdrawal request, or until the contract expires

Recipient of personal information (Contact information of information officer)	Xsolla, Inc (support@xsolla.com)
Country where the information is provided	America
Date and method of provision	Transfer via network at the point of purchase.
Purpose of provision	Payment Service
Information provided	Payment Information
Retention and Use Period	30 days after a withdrawal request, or until the contract expires

Recipient of personal information (Contact information of information officer)	Aceville Pte Ltd (cloudlegalnotices@tencent.com)
Country where the information is provided	Singapore
Date and method of provision	Transfer via network when using game services
Purpose of provision	Global service operation agency
Information provided	Article 1 All Information Collected
Retention and Use Period	30 days after requesting to withdraw from the service or until the contract expires

2) Provision of personal information to third parties

● None

3) Current status of overseas platform utilization

Recipient of personal information (contact information of information officer)	Amazon Web Services Inc. (https://aws.amazon.com/compliance/contact)
Country where the information is provided	Japan, Hong Kong, Singapore, Frankfurt, Virginia
Date and method of provision	Transfer via network when using game services
Purpose of provision	Cloud server operations and management
Information provided	ID, nickname, e-mail address
Retention and Use Period	30 days after withdrawing from the game or until the contract expires

Users may refuse the international transfer of personal information, but in such cases, services that require international transfer of personal information will be restricted. If you do not wish to have your information transferred overseas, you can withdraw your membership by accessing the page specified below or request the suspension of the processing of your personal information through the Personal Information Protection Officer or Personal Information Complaint Resolution Department.

- In-game [Settings - Account] menu, go to [Withdrawal]

Article 7 Retention of Personal Information

If we collect any personal information from you, we comply with our internal policy to use and retain such personal information for the period during which you use our services.

In addition, if we need to preserve personal information in accordance with the provisions of applicable law or our internal policies, we will retain relevant personal information for a specified period as follows:

1) Details About Keeping Of Personal Information In Accordance With Relevant Laws

Records regarding contracts or withdrawal of offer, etc.: 5 years (Act on the Consumer Protection in Electronic Commerce)
Records regarding payment and supply of goods, etc.: 5 years (Act on the Consumer Protection in Electronic Commerce)
Records regarding the handling of consumer complaints or disputes: 3 years (Act on the Consumer Protection in Electronic Commerce)
Users’ Internet logs, materials to trace location of access, history of website visits: 3 months (Protection of Communications Secrets Act)
Records regarding labeling and advertising: 6 months (Act on the Consumer Protection in Electronic Commerce)
Records of processing required by tax law: 5 years (Framework Act on National Taxes, Income Tax Act)

2) Details About Information Kept In Accordance With Our Internal Policies

Records on provision of goods or services: 30 days from membership cancellation apply or the relevant period under applicable law
If prior consent has been obtained from individual members with respect to the period for retaining their personal information: The relevant retention period

Article 8 Procedures and Methods of Destroying Personal Information

Once the purposes of collection and use of your personal information are achieved, we destroy your personal information in accordance with our internal policies and other applicable laws. However, personal information collected with your consent or stored in the form of electronic files will be deleted using technical means that make the records unreproducible, and personal information printed on paper such as filings or printed materials will be shredded or incinerated.

Article 9 Your Legal Rights

Subject to applicable law, you may have the following rights relating to your personal information managed by us. You may exercise your rights at any time, by contacting the data protection officer via the contact information provided in Article 13 (Data Protection Officer).

The right not to provide your personal information to us (however, please note that we will be unable to provide you with the full benefit of our Sites, Apps, or services, if you do not provide us with your personal information – e.g., we might not be able to process your requests without the necessary details);
The right to request information regarding the nature, processing and disclosure of your personal information managed by us and request access to, or copies of such personal information;
The right to request rectification of any inaccuracies in your personal information managed by us;
The right to request, on legitimate grounds:
- Deletion of your personal information managed by us; or
- Suspension of processing of your personal information managed by us;
The right to have certain personal information transferred to another entity, in a structured, commonly used and machine-readable format, to the extent applicable;
Where we process your personal information managed by us on the basis of your prior consent, the right to withdraw that consent (noting that such withdrawal does not affect the lawfulness of any processing performed prior to the date on which we receive notice of such withdrawal, and does not prevent the processing of your personal information in reliance upon any other available legal bases, as applicable); and
The right to submit complaints to an authority in charge of protection of data regarding the processing of your personal information managed by us.

Article 10 Technical/Administrative Measures for Protecting Personal Data

When handling personal information, we take appropriate measures to keep the information safe and prevent from loss, theft, leakage, falsification, or damage, and we take technical measures as follows:

Your personal information is protected by password and encrypted information. However, your information can be exposed to others in many ways including when you use the public internet, so you need to be responsible for protecting your own information. We are not responsible for any damages that arise from your negligence or the fundamental nature and risks of the internet.
Your personal information is protected with a password and encrypted information by default, and important data are protected with separate security functions by encrypting files and transmitted date.
We use vaccine programs to prevent possible damage by computer viruses, and vaccine programs are updated periodically.
We prevent leakage and damage of personal information caused by hacking and viruses by monitoring the system 24 hours a day using a system that detects and blocks external intrusion.
We ensure the safe management of personal information by comprehensively understanding the data protection regulations of the foreign jurisdictions where this information is stored.

We fully acknowledge the importance of your personal information, and accordingly, we have a reasonably limited number of employees handling personal information. The personnel in charge of protecting personal information conducts periodical education for the employees, putting the utmost effort to protect personal information. Also, we periodically check the compliance status of commitments stated in the policy and relevant employees, and when we detect any violation, we immediately correct and improve the issue and take necessary measures.

Article 11 Installation and Operation of Automatic Collection Tools for Personal Information and Refusal Thereof

We use cookies to store and discover information about members. Cookies are strings of small amounts of text transmitted by the website server to users’ computer browsers (e.g., Internet Explorer, Safari, Chrome, Firefox). Cookies identify each member’s computer, but do not identify individual members.

We use Google Analytics (Terms of Service)and API provided by Google (Privacy Policy), for providing services and statistics analyses. For further details, please see our Cookie Policy

(1) Operation of Cookies

① Provide differentiated information depending on each individual’s interests

② Analyze members’ and non-members’ frequency of visits and time spent on each visit to identify members’ tastes and interests for use in targeted marketing

③ Identify the traces of browsing records of contents in which members were interested in to provide personalized services on the next visit

④ Analyze customers’ habits and use the results as criteria for service reorganization, etc.

(2) Cookie options

By adjusting the settings on their web browser, members may accept all cookies, receive notifications whenever cookies are installed, or refuse all cookies. However, if you refuse cookies, you may not be able to use certain functions of the service that require login.

You can set whether to permit cookies (on Internet Explorer) as follows:

① Go to [Tools] and [Internet Options].

② Click [Privacy].

③ Under the tab [Settings], choose the level you want from “Accept All Cookies – Low – Medium – Medium High – High – Block All Cookies.”

(3) Cookies expire when you close or log off from the browser.

(4) The Company allows analytics companies and advertising companies to automatically collect users’ advertising identifiers and related information for the purpose of conducting and analyzing marketing campaigns.

Behavioral information collected: advertising identifier (ADID, IDFA), country, city, IP address, device information (OS, hardware information, language, service use history)
How to collect behavioral information: Automatic collection upon running the app
Purpose of collecting behavioral information: Improving service quality and promoting active use by utilizing user behavioral information
Period of retention and use of behavioral information, information processing method thereafter: up to 25 months (please refer to the relevant period provided by each provider), automatic destruction by electronic method
How to exercise user control: Please refer to the method for each device (Article 11, Section 5)
Relief method for user damage: Game Business 3 team (hybeim_privacy@hybecorp.com)
Categories of provided behavioral information: advertising identifier (ADID, IDFA), country, city, IP address, device information (OS, hardware information, language, service usage details)
How to collect behavioral information: Automatic collection and network transmission when using the service
Purpose of use by those who receive behavioral information: Collect and analyze marketing data using user behavioral information, operate advertisements
Retention and use period: Google Ads, Twitter (18 months), Adjust (25 months), META, Tiktok (6 months), MOLOCO (3 months), Criteo, etc. (13 months)
Details regarding the advertising company’s handling behavioral information can be found in the Privacy Policy of the relevant advertising company.
List of Advertising Partners and Privacy Policy

Advertisers	Privacy Policy
Adjust	Privacy Policy
Google Ads	Privacy Policy
Meta	Privacy Policy
Twitter	Privacy Policy
Criteo	Privacy Policy
Admob	Privacy Policy
Unity Ads	Privacy Policy
AdColony	Privacy Policy
MOLOCO	Privacy Policy
Buzzvil	Privacy Policy
Kakao	Privacy Policy
Apple Search Ads	Privacy Policy
Tiktok	Privacy Policy
Applovin	Privacy Policy
Remerge	Privacy Policy
ironSource	Privacy Policy
Cauly	Privacy Policy
Naver	Privacy Policy
Appier	Privacy Policy
RTB HOUSE	Privacy Policy
INMOBI	Privacy Policy
Aarki	Privacy Policy
Adikteev	Privacy Policy
LiftOff	Privacy Policy
Vungle	Privacy Policy
Digital Turbine	Privacy Policy
Tapjoy	Privacy Policy
AdPopcorn	Privacy Policy
Appsflyer	Privacy Policy
Blind Ferret	Privacy Policy
BlueStacks	Privacy Policy
Chartboost	Privacy Policy
Cyber Agent	Privacy Policy
Gunosy	Privacy Policy
i-mobile	Privacy Policy
LINE Ads	Privacy Policy
Mintegral	Privacy Policy
Mistplay	Privacy Policy
Nend	Privacy Policy
NYLE	Privacy Policy
SmaAD	Privacy Policy
SmartNews	Privacy Policy
Snapchat	Privacy Policy
Tencent	Privacy Policy
Unicorn	Privacy Policy
Yahoo Japan	Privacy Policy
Zucks	Privacy Policy
PLAYIO	Privacy Policy
TOSS	Privacy Policy
TNK	Privacy Policy
Appliv	Privacy Policy
Novasell	Privacy Policy
AIBID	Privacy Policy
Smart-C	Privacy Policy
seedApp	Privacy Policy

(5) When the company advertises the company’s services on users’ device, the advertisement identifier of the user’s device and other information associated therewith may be used to help the company deliver advertisements related to the user’s interests and improve and measure the effectiveness of the advertising campaign. You can block your device's advertising identifier from being used for interest-based advertising or reset your device's advertising identifier by changing your device settings.

[Method of Changing Device Settings]

Android: Settings > Google Settings > Ads> Opt out of Ads Personalization
If iOS 14 or higher: Settings > Personal Information Protection > Tracking > Turn off Allow apps to request track
If iOS 14 or less: Settings > Personal Information Protection> Ads > Limit Ad Tracking

Article 12 Decision-Making Standards for Additional Use and Provision of Personal Information

In accordance with Article 15(3) and Article 17(4) of the Personal Information Act of South Korea, we may additionally use or provide your personal information without your consent, in consideration of Article 14-2 of the Enforcement Decree of the Personal Information Protection Act of South Korea.

Personal information to be provided	Purpose of provision	Period for retention and use
Automatically generated information (internal identification key, device information, etc.), service use records (date and time of visit, IP address, incorrect use records, etc.), device information (unique device identification value, OS version), country accessed from	Statistics and sales analysis on game and platform service use	30 days after withdrawal from the service or a period specified in the relevant laws and regulations
(Event winners) E-mail address	Event winner information and confirmation	Retained for 1 year after the end of the event

Accordingly, we have considered the below items for additional use and provision of information without the user's consent.

Whether the purpose of additionally using and providing the personal information is relevant to initial purpose of collecting the information.
Whether there is predictability about additional use and provision of personal information, based on the circumstances of collecting information or its processing practices.
Whether the additional use and provision of personal information violates your rights.
Whether security measures have been taken, such as pseudonymization or encryption.

Article 13 Data Protection Officer

In order to protect users’ personal information and handle complaints related to personal information, we have designated our Data Protection Officer as follows. Users may report all complaints related to personal information protection arising in the course of using our services to the Data Protection Officer, and we will provide prompt and sufficient responses to such reports.

Data Protection Officer: Sung-gu Yeo
Department responsible for processing complaint: Game Business 3 team
Department responsible for information inspection request: Game Business 3 team
Email address: hybeim_privacy@hybecorp.com

Article 14 Handling of Comments and Complaints

We operate a customer services center for smooth communication and resolution of any comments and/or complaints presented by our users in connection with personal information protection. If you are a user in Korea, in the event of a dispute arising between us and you in connection with personal information protection, for which you require help regarding potential infringement upon your information, you can contact the Personal Information Infringement Report Center of the Korea Internet & Security Agency, the Cyber Bureau of the National Police Agency, or other relevant agencies.

Korea Internet & Security Agency	https://privacy.kisa.or.kr	118
Personal Information Dispute Mediation Committee	https://www.kopico.go.kr	1833-6972
Cybercrime Investigation Division of Supreme Prosecutors’ Office	https://www.spo.go.kr	1303
Cyber Bureau of National Police Agency	https://cyber.go.kr	182

Article 15 Changes in Privacy Notice

This Privacy Policy will take into effect from April 2, 2024 (KST). Please refer to the link below to see the previous version of Privacy Policy.

Privacy Policy version number: V1.3
Effective date: April 2, 2024

Previous Privacy Policy

Jurisdiction-Specific Terms

The following are supplementary clauses applicable depending on your location or nationality. In the event of conflict between the following and the main text of this Privacy Notice, the following shall prevail.

EEA and UK

For the purposes of this section, the term “personal information” used in the General Content of this Policy shall be replaced with the term “personal data” – the term shall have the same meaning as set out in Article 1

Article 1 of the General Content above shall be supplemented with the following text as a new final paragraph:

For the purposes of the GDPR and the UK Data Protection Act 2018, HYBE IM Co., Ltd. is the entity (or “controller”) that decides how and why your personal data are processed and has primary responsibility for complying with applicable data protection laws.

Article 2 of the General Content above shall be replaced with the following:

Article 2 Purposes and Legal Bases for Processing of Personal Data

The purposes of processing of your personal data and the legal bases on which we rely under applicable laws are as follows:

Processing activity	Legal basis for processing
To provide our Sites, Apps, products and services: Providing our Sites, Apps, products or services; creating an account; providing customer support on the use of services; identifying and preventing wrongful uses; providing functions for joining the game community and for community activities; performing statistical analyses; providing promotional materials (upon request); and communicating with you in relation to our Sites, Apps or services; and providing and operating event services (confirming participants for events, providing and delivering prizes to winners, handling other complaints).	· The processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or · We have a legitimate interest in carrying out the processing for the purpose of providing you with our Sites, Apps or services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or · We have obtained your prior consent to the processing (the aforementioned legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way).
To operate our business: Operating and managing our Sites, Apps and services; providing you with content; authenticating users for the sales/delivery of products and the identification and prevention of other wrongful uses; communicating and interacting with you via our Sites, Apps or services; and notifying you of changes to any of our Sites, Apps or services.	· The processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or · We have a legitimate interest in carrying out the processing for the purpose of providing you with our Sites, Apps or services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or · We have obtained your prior consent to the processing (the aforementioned legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way).
To perform communications and marketing activities: Communicating with you via any means (including via email and app push alerts) to provide news items and other information in which you may be interested, subject to obtaining your prior opt-in consent to the extent required under applicable law; personalizing our Sites, products and services for you; maintaining and updating your contact information where appropriate; where applicable, enabling you to opt-out to withdraw your consent to or unsubscribe from emails sent by us, and recording your choice.	· The processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or · We have a legitimate interest in carrying out the processing for the purpose of contacting you, subject always to compliance with applicable law (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or · We have obtained your prior consent to the processing (the aforementioned legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way).
To manage IT systems: Managing and operating our communications, IT and security systems; and auditing (including security audits) and monitoring such systems.	· The processing is necessary for our compliance with a legal obligation; or · We have a legitimate interest in carrying out the processing for the purpose of managing and maintaining our communications and IT systems (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms).
To improve our Sites, Apps and services: Identifying issues related to our Sites, Apps or services; planning improvements to our Sites, Apps or services; and developing new Sites, Apps or services.	· We have a legitimate interest in carrying out the processing for the purpose of improving our Sites, Apps or services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or · We have obtained your prior consent to the processing (this legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way).

Direct Marketing

We process personal data to contact you via email, telephone, direct mail or other communication formats to provide you with information regarding Sites, Apps or services that may be of interest to you. We also process personal data for the purposes of displaying content tailored to your use of our Sites, Apps or services. If we provide Sites, Apps or services to you, we may send or display information to you regarding our Sites, Apps or services, upcoming promotions and other information that may be of interest to you, including by using the contact details that you have provided to us, or any other appropriate means, subject always to obtaining your prior opt-in consent, to the extent required under applicable law.

You may unsubscribe from our promotional email list at any time by simply clicking on the unsubscribe link included in every promotional electronic communication we send or by unsubscribing online by selecting the ‘Decline’ option found in-game through the [Account] setting. Please note that it may take up to 2 weeks to process your unsubscribe request, during which time you may continue to receive communications from us. After you unsubscribe, we will not send you further promotional emails, but in some circumstances we will continue to contact you to the extent necessary for the purposes of any Sites, Apps or services you have requested.

The final paragraph of Article 4 of the General Content above shall be replaced with the following:

Article 4 Disclosure of Personal Data to Third Parties

We disclose personal data to other entities, for legitimate business purposes and the operation of our Sites, Apps or services to you, in accordance with applicable law. In addition, we disclose personal data to:

you and, where appropriate, your appointed representatives;
legal and regulatory authorities, upon request, or for the purposes of reporting any actual or suspected breach of applicable law or regulation;
accountants, auditors, consultants, lawyers and other outside professional advisors to HYBE IM, subject to binding contractual obligations of confidentiality;
third party processors, located anywhere in the world, subject to the requirements noted below in this Section Article 4;
any relevant party, regulatory body, governmental authority, law enforcement agency or court, to the extent necessary for the establishment, exercise or defence of legal claims;
any relevant party, regulatory body, governmental authority, law enforcement agency or court, for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
any relevant third party acquirer(s) or successor(s) in title, in the event that we sell or transfer all or any relevant portion of our business or assets (including in the event of a reorganization, dissolution or liquidation); and
any relevant third party provider, where our Sites and our Apps use third party advertising, plugins or content. If you choose to interact with any such advertising, plugins or content, your personal data may be shared with the relevant third party provider. We recommend that you review that third party’s privacy policy before interacting with its advertising, plugins or content.

If we engage a third-party processor to process your personal data, the processor will be subject to binding contractual obligations to:

(i) only process the personal data in accordance with our prior written instructions; and

(ii) use measures to protect the confidentiality and security of the personal data; together with any additional requirements under applicable law.

Please see Article 5 for more information on the third-party processors.

1) Details About Providing Personal Information To Third Parties

None

Article 6 of the General Content above shall be replaced with the following:

Article 6 International Transfer of Personal Data

Because of the international nature of our business, we transfer personal data within the HYBE group, and to third parties, as discussed further in Article 6, in connection with the purposes set out in this Policy. For this reason, we transfer personal data to other countries that may have different laws and data protection compliance requirements to those that apply in the country in which you are located, including Korea, Japan, and the United States.

If an exemption or derogation applies (e.g., where a transfer is necessary to establish, exercise or defend a legal claim) we may rely on that exemption or derogation, as appropriate. Where no exemption or derogation applies, and we transfer your personal data from the EEA or UK to recipients located outside the EEA or UK who are not in jurisdictions formally designated by the European Commission or UK Government as providing an adequate level of protection for personal data, we do so on the basis of template transfer clauses adopted by the European Commission or adopted by a Data Protection Authority and approved by the European Commission, or adopted by the UK Government (as appropriate). You are entitled to request a copy of these clauses using the contact details provided in Section Article 13 below.

Please note that when you transfer any personal data directly to any HYBE entity established outside the EEA or UK, we are not responsible for that transfer of your personal data. We will nevertheless process your personal data, from the point at which we receive those data, in accordance with the provisions of this Policy.

Article 8 of the General Content above shall be replaced with the following:

Article 8 Procedures and Methods of Destroying Personal Data

We destroy your personal information in accordance with our internal policies and other applicable laws.

The following shall supplement Article 9:

Article 9 Your Legal Rights

In addition to the above rights, you remain entitled to all other statutory rights.

You may also have the following additional rights regarding the processing of your personal information:

the right to object, on grounds relating to your particular situation, to the processing of your personal information by us or on our behalf, where such processing is based on Articles 6(1)(e) (public interest) or 6(1)(f) (legitimate interests) of the GDPR; and
the right to object to the processing of your relevant personal data by us or on our behalf for direct marketing purposes.

Article 11 of the General Content above shall be replaced with the following:

Article 11 Cookies and Similar Technologies

When you visit a Site or use an App, we will typically place cookies onto your device or read cookies already on your device, subject always to obtaining your prior consent, where required, in accordance with applicable law. For further details, please see our Cookie Policy.

Article 13 of the General Content above shall be replaced with the following:

Article 13 Contact Information

You may contact our DPO [hybeim_privacy@hybecorp.com] if you wish to exercise your rights in connection with this Policy or your personal data. You may also contact our representative.

1) EDPO

info@edpo.com
Mr Olivier Willocx, Managing Director
Avenue Huart Hamoir 71, 1030 Brussels, Belgium
online request form: https://edpo.com/gdpr-data-request/

2) EDPO UK

info@edpo.com
Mr Olivier Willocx, Managing Director
8 Northumberland Avenue, London WC2N 5BY, United Kingdom
online request form: https://edpo.com/uk-gdpr-data-request/

Article 14 of the General Content above shall not apply.

California Consumer Privacy Act (CCPA)

Article 7 of the General Content above shall be replaced with the following:

Article 7 Data Retention Period

We take every reasonable step to ensure that your personal information is only processed for the minimum period necessary for the purposes set out in this Policy. We will retain your personal information in a form that permits identification only for as long as:

(1) we maintain an ongoing relationship with you; or

(2) your personal information is necessary in connection with the lawful purposes set out in this Policy, for which we have a valid legal basis.

Article 9 of the General Content shall be replaced with the following:

Article 9 California Consumer Privacy Act Disclosures

Under the California Consumer Privacy Act (“CCPA”), we must disclose our practices regarding the collection, use, and disclosure of the personal information of California residents (“Consumers”).

Collection of Personal Information

We have collected and will collect the following general categories of personal information about Consumers:

Personal identifiers, including names, postal addresses, IP addresses, and email addresses;
Protected classifications, including age;
Internet or other electronic network activity information; and
Inferences for use in creating a consumer profile.

Use of Personal information

We may use the categories of personal information described above for the following business or commercial purposes:

Advance our commercial or economic business interests;
Maintain or service customer accounts;
Provide customer service;
Process or fulfill orders and transactions;
Provide advertising or marketing services;
Provide analytic services;
Perform internal research for technological development;
Ensure the quality and safety of services or devices;
Improve the quality and safety of services or devices;
Debugging to address impairments to operational functionality;
Detect security incidents;
Comply with applicable law and law enforcement requirements;
Protect against malicious, deceptive, fraudulent or illegal activity;
Prosecute those responsible for malicious, deceptive, fraudulent or illegal activity; and
Defend against or bring legal action, claims and other liabilities.

Categories of Sources of Personal information

We collect or obtain personal information of Consumers from the following sources:

Information provided to us by Consumers;
Information we obtain on our own;
Information provided to us through collaboration with Consumers;
Information provided to us in the course of our relationship with Consumers;
Information made public by Consumers;
App data;
Site data;
Information registered by Consumers;
Information obtained from content and advertising providers; or
Information provided to us by third parties.

Disclosure of Personal information

We do not sell any personal information to third parties. In particular, we do not sell the personal information of minors under 16 years of age. In the preceding 12 months, we have disclosed the following categories of personal information to the following categories of recipients:

Categories of recipients	Categories of personal information
Vendors who may need access to Consumers’ personal information to help us provide our services.	Personal identifiers Categories of personal information enumerated in Cal. Civ. Code § 1798.80 (e) Protected classification (if provided) Internet or other electronic network activity information Inferences for use in creating a consumer profile
Entities who provide us with email address management and communication contact services, and those who analyze and enhance our marketing campaigns and service.	Personal identifiers Categories of personal information enumerated in Cal. Civ. Code § 1789.80 (e) Protected classification (if provided) Internet or other electronic network activity information Inferences for use in creating a consumer profile
Entities that provide assistance to us.	Personal identifiers Categories of personal information enumerated in Cal. Civ. Code § 1789.80 (e)

Article 11 of the General Content above shall be replaced with the following:

Article 14 California’s “Shine the Light” Law

Under California’s “Shine the Light” law, California residents are entitled to ask us for a notice describing what categories of personal customer information we share with third parties or our affiliates in connection with direct marketing performed by such third parties or our affiliates. The aforementioned notice will identify the categories of information we shared with third parties and our affiliates, and will include a list of names and addresses of such data recipients. If you are a California resident and would like a copy of this Policy, please submit a written request to the following email address:

email address: hybeim_privacy@hybecorp.com

Article 13 of the General Content above shall be replaced with the following:

Article 13 Consumer Rights under the CCPA

If you are a Consumer, the CCPA grants you the following rights regarding your personal information. If you make a certain request to us in order to exercise, or cause an authorized representative you appointed to exercise on your behalf, your rights to know and delete set forth in the CCPA, we will generally require you to provide us with certain personal information for the purpose of identifying you in the course of handling your request and compare such personal information against the personal information we have collected about you to verify your identity (“verifiable consumer request”).

Verifiable consumer requests to know or delete may be submitted through one of the following methods:

email address: hybeim_privacy@hybecorp.com

Right to Know About Personal Information We Collected about You.

Consumers have the right to submit a verifiable consumer request that we disclose the following personal information we collected about you over the 12-month period preceding the verifiable consumer request, in a readily useable format:

The categories of personal information we collected about you.
The purposes for which the categories of personal information collected about you will be used.
The categories of sources for the personal information we collected about you.
The categories of third parties with whom we share your personal information.
Our business or commercial purpose for collecting your personal information.
The specific pieces of personal information we collected about you.
The categories of personal information we have disclosed for a business purpose.

Right to Request Deletion of Personal Information.

Consumers have the right to request that we delete any personal information we have collected from them.

Right to Non-Discrimination.

Consumers have the right to be free from discrimination when they exercise their rights under the CCPA and, should you exercise those rights, we cannot:

Deny you goods or services;
Charge you a different price or rate for goods or services;
Provide you with a different level of quality of goods or services;
Suggest that you may receive a different level of quality of goods or services.

Notice of Financial Incentive

We offer consumers who provide personal identifiers, including their name, home address, and email address, and commercial information, including their purchase history and access to events. As participants in these programs, consumers will have the opportunity to win prizes. Consumers may opt-in to our community events by signing up on our website. Consumers may cancel their participation in these events at any time.

Authorized Agent

Under the CCPA, you may appoint an authorized agent to submit requests to exercise your rights on your behalf. Should you choose to do so, for your and our protection, we will require your authorized agent to provide us with a signed permission demonstrating they are authorized to submit a request on your behalf. We note, should your authorized agent fail to submit proof that they have been authorized to act on your behalf, we will deny their request.

Article 14 of the General Content above shall not apply.

Japan

According to the purpose of the Article, the “relevant laws" and “relevant Korean laws" stated in this Policy shall be replaced with the Act on the Protection of Personal Information (Act No. 57 of 2003) and relevant Japanese laws.

The terms used in Article 2 of the General Content above shall be replaced with the following:

The description of this Policy shall be replaced with the following: “We process your personal information for the following purposes pursuant to applicable law.”

Article 4 (Provision of Personal Information to Third Parties), Article 5 (Entrustment of Personal Information), and Article 6 (International Transfer of Personal Information) of the General Content above shall be replaced with the following:

Except in the following cases, we do not provide third parties with your personal information, unless you consent thereto or the disclosure is otherwise expressly prescribed in applicable law.

Details About Providing Personal Information To Third Parties

None

Details About International Transfer of Personal Information

1) Consignment of Personal Information Processing

Recipient of personal information (Contact information of information officer)	HYBE JAPAN (hybeim_privacy@hybecorp.com)
	Digital Hearts : (cs-management@digitalhearts.com)
Country where the information is provided	Japan
Date and method of provision	Transfer via network when using game services
Purpose of provision	Service operation in Japan, customer support and consultation, complaint handling
Information provided	Nickname, e-mail address, payment information, and other information required for consultation
Retention and Use Period	30 days after users’ request to withdraw from the service or until the contract expires

Recipient of personal information (Contact information of information officer)	Gdex (billy@g-dex.biz)
Country where the information is provided	Philippines
Date and method of provision	Transfer via network when using game services
Purpose of provision	Customer support and consultation, complaint handling
Information provided	Nickname, e-mail address, payment information, and other information required for consultation
Retention and Use Period	30 days after requesting to withdraw from the service or until the contract expires

Recipient of personal information (Contact information of information officer)	GAME FIRST INTERNATIONAL CORPORATION (aovservice@gamefirst.com.tw)
Country where the information is provided	Taiwan
Date and method of provision	Transfer via network when using game services
Purpose of provision	Customer support and consultation, complaint handling, Community and Event management
Information provided	Nickname, e-mail address, payment information, and other information required for consultation
Retention and Use Period	30 days after requesting to withdraw from the service or until the contract expires

Recipient of personal information (Contact information of information officer)	SOFTWORLD INTERNATIONAL CORPORATION (koalawu@soft-world.com.tw, weiwang@soft-world.com.tw, service@mycard520.com.tw)
Country where the information is provided	Taiwan, Hong Kong, Macau
Date and method of provision	Transfer via network when using game services, transfer via network at the point of purchase.
Purpose of provision	Event and marketing support and event operation, Send marketing LMS messages to consenters, Payment Service
Information provided	e-mail address, mobile phone number, payment information
Retention and Use Period	1 year after the service launch, or 30 days after a withdrawal request, or until the contract expires

Recipient of personal information (Contact information of information officer)	Xsolla, Inc (support@xsolla.com)
Country where the information is provided	America
Date and method of provision	Transfer via network at the point of purchase.
Purpose of provision	Payment Service
Information provided	Payment information
Retention and Use Period	30 days after a withdrawal request, or until the contract expires

Recipient of personal information (Contact information of information officer)	Aceville Pte Ltd (cloudlegalnotices@tencent.com)
Country where the information is provided	Singapore
Date and method of provision	Transfer via network when using game services
Purpose of provision	Global service operation agency
Information provided	Article 1 All Information Collected
Retention and Use Period	30 days after requesting to withdraw from the service or until the contract expires

2) Provision of personal information to third parties

● None

3) Current status of overseas platform utilization

Recipient of personal information (contact information of information officer)	Amazon Web Services Inc. (https://aws.amazon.com/compliance/contact)
Country where the information is provided	Japan, Hong Kong, Singapore, Frankfurt, Virginia
Date and method of provision	Transfer via network when using game services
Purpose of provision	Cloud server operations and management
Information provided	ID, nickname, e-mail address
Retention and Use Period	30 days after withdrawing from the game or until the contract expires

4) Notice Regarding External Transmission

Our app is currently sending user data to the external sources detailed below:

Recipients	Content Provided	Purpose of Provision
Adjust	・Device information (device ID, OS version, advertising ID, language settings, timezone, etc.) ・Access information (IP address, accessing carrier, etc.) ・Country and region information	・Measurement and analysis of advertising effectiveness ・Data analysis for the improvement of game service quality
onionfive Inc.	・User information in the app ・Device information (device name, OS version, language settings, time zone, etc.) ・Country and region information ・App version information	・Responding to customer inquiries
Google LLC	・Device information (device name, OS version, language settings, time zone, etc.) ・App operation information (in-app taps, crash logs, etc.) ・Connection information (country, region) ・App version information	・Analyze crash logs to improve game service quality ・Analyzing push notifications and access
HYBE IM	・User information in the app ・In-app behavior data ・In-app payment-related behavior data ・Device information (device ID, OS version, advertising ID, language settings, timezone, etc.) ・Country and region information	・Analyzing data to improve game service quality ・Assist in responding to customer inquiries

【Joint Use】

The companies listed below and included in the above details about third parties provided with personal information are part of the company’s group. The types of jointly used personal information; the bounds of jointly using parties; the purpose of using; and the names of the companies and their representatives with responsibilities of managing personal information are listed below.

Companies included in the group (jointly using parties): HYBE Corp., HYBE IM, BIGHIT MUSIC Co., Ltd., Pledis Entertainment Co., Ltd., BELIFT LAB Co., Ltd., KOZ Entertainment Co., Ltd., Source Music Co., Ltd., ADOR Co., Ltd., Weverse Company Inc., Weverse Japan Inc., HYBE Japan Inc., HYBE Labels JAPAN, NAECO, HYBE America, Inc.. Weverse America Inc.

Types of information for joint use: Same as listed in “Details About Providing Personal Information To Third Parties" and “Types of personal information”.
Purpose of use: Same as listed in “Details About Providing Personal Information To Third Parties" and “Types of personal information”.
Management responsibilities: The names of the company’s representatives are the same as listed in each company’s website.

References

Personal Information Protection Systems of Countries Receiving Information

HYBE IM Co., Ltd. (hereinafter “the company”) provides various services to its customers, and in the process, the company comes across many occasions in which the user’s personal information needs to be provided to companies located outside the country or region of the user’s residence, with the user’s consent. The company’s Privacy Policy describes that the company may provide the user’s personal information to companies outside the country.

This page describes the details of the company’s provision of user’s personal information to companies outside the country or region of the user’s residence, using the privacy regulations of other countries as reference.

The privacy regulations of various countries have been examined according to the below standards.

■ Existence of the data privacy regulations

This is an indication of whether the country has established data protection and privacy regulations, including a comprehensive regulation.

■ Reference for data privacy regulations

The following types of information are used as references for the standards of each country’s privacy regulations.
▪ Whether the standards of the privacy regulations of the corresponding country/region are equivalent to those of Japan

It will be indicated if the privacy regulations of the corresponding country/region is equivalent to those of Japan.

▪ EU adequacy decision
It will be indicated if the EU adequacy decision has been adopted in the corresponding country/region. EU adequacy decision refers to the European Commission’s decision that indicates the corresponding country/region has secured an adequate level of data protection. If a country has adopted the EU adequacy decision, we can expect the same level of protection of personal information in the country/region as in Japan.

▪ Participation in APEC CBPR

It will be indicated if the corresponding country/region is a participating country of the APEC CBPR system.

When the corresponding country/region is a participating country of the APEC CBPR system, we can expect the same level of protection of personal information in the country/region as in Japan, as it signifies that the laws of the corresponding country/region would be enforced in compliance with the APEC privacy framework and an enforcement office.

▪ Satisfaction of OECD’s Eight Principles
It will be indicated, as necessary, if the privacy regulation of the corresponding country/region includes rules that meet OECD’s Eight Principles.

OECD’s Eight Principles provides the basic principles to be referenced in performing international efforts for personal information protection, and they are considered to be the substantial global standards for each country’s establishment of the personal information protection system.

In this page, it will be indicated if the data privacy regulation of the corresponding country/region includes rules corresponding to OECD’s Eight Principles, according to the following legends for each of OECD’s Eight Principles.

Legends: ○ Rules are included in the comprehensive system; ∆ Certain rules are included in the comprehensive system/Rules are included in individual systems; — No rules could be found

OECD’s Eight Principles are as indicated in (1) to (8) below.

1. Collection Limitation Principle

Personal data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

2. Data Quality Principle

Personal data should be relevant to the purposes for which they are to be used, and should be accurate, complete and kept up-to-date

3. Purpose Specification Principle

The purposes for which personal data are collected should be specified, and the subsequent use limited to the fulfillment of those purposes.

4. Use Limitation Principle

Personal data should not be used for purposes other than those specified except with the consent of the data subject or by the authority of law.

5. Security Safeguards Principle

Personal data should be protected by reasonable security safeguards against such risks as loss, destruction, use, modification or disclosure of data.

6. Openness Principle

There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence of personal data, and the purposes of their use, as well as the data controller.

7. Individual Participation Principle

An individual should have the right to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him, and to challenge data relating to him.

8. Accountability Principle

A data controller should be accountable for complying with measures which give effect to the principles stated above.

■ Existence of system that may significantly affect the rights and interests of individuals

Information on whether there is a system that may significantly affect the rights and interests of individuals pursuant to the transfer of personal data to the corresponding country/region in comparison to Japan’s data privacy regulation is indicated.

Specifically, the following information which may significantly affect the rights and interests of individuals in the system of the corresponding country/region is indicated; namely, (1) existence of rules which directly obligate the recipient of personal information, which was collected within the corresponding country/region, to retain such personal information within the corresponding country/region, or obligates the recipient of personal information to substantially retain such personal information within the corresponding country/region by imposing restrictions on carrying such personal information outside the corresponding country/region (system related to data localization), and (2) existence of rules which allow the government to access the personal data retained by private businesses or obligate private businesses to provide personal data to the government under laws for the purpose of enforcement of criminal laws and/or national security safeguards (system related to government access).

Please note that the information may not be the latest at present, as each country periodically updates the information related to the data privacy regulation. Please review the information on the data privacy regulations of foreign countries provided by the Personal Information Protection Commission of Japan. (Source: Personal Information Protection Commission of Japan)

South Korea (Link)

Existence of the data privacy regulations
- Comprehensive system: Yes
Reference for data privacy regulations
- EU adequacy decision: Adopted
- CBPR system: Participating
Existence of system that will significantly affect the rights and interests of individuals
- Disclosure and notification of personal information of convicted sex offenders

Germany (Link)

Existence of the data privacy regulations
▪ Comprehensive system: Yes
Reference for data privacy regulations
▪ There is a data privacy regulation acknowledged as being the same level as in Japan.

United States of America (Link)

Existence of the data privacy regulations
- Comprehensive system: No
- System of individual sectors/regions: Yes
Reference for data privacy regulations
- EU adequacy decision: Not adopted
- CBPR system: Participating
Existence of system that will significantly affect the rights and interests of individuals
- None

Singapore (Link)

Existence of the data privacy regulations
- Comprehensive system: Yes
Reference for data privacy regulations
- EU adequacy decision: Not adopted
- CBPR system: Participating
Existence of system that will significantly affect the rights and interests of individuals
- There is a system related to government access that may significantly affect the rights and interests of individuals.

United Kingdom (Link)

Existence of the data privacy regulations
- Comprehensive system: Yes
Reference for data privacy regulations
- There is a data privacy regulation acknowledged as being the same level as in Japan.

Japan (Link)

Existence of the data privacy regulations
- Comprehensive system: Yes
Reference for data privacy regulations
- EU adequacy decision: Adopted
- CBPR system: Participating
Existence of system that will significantly affect the rights and interests of individuals
- None

【Provision by Entrustment】

The company has entrusted specialized companies and platforms with the tasks of processing personal information within reasonable scopes, in order to achieve the purposes of providing service and fulfilling contracts, and improving the convenience of customers.

Details About Providing Personal Information To Third Parties

None

Details About International Transfer of Personal Information

1) Consignment of Personal Information Processing

Recipient of personal information (Contact information of information officer)	HYBE JAPAN (hybeim_privacy@hybecorp.com)
	Digital Hearts : (cs-management@digitalhearts.com)
Country where the information is provided	Japan
Date and method of provision	Transfer via network when using game services
Purpose of provision	Service operation in Japan, customer support and consultation, complaint handling
Information provided	Nickname, e-mail address, payment information, and other information required for consultation
Retention and Use Period	30 days after users’ request to withdraw from the service or until the contract expires

Recipient of personal information (Contact information of information officer)	Gdex (billy@g-dex.biz)
Country where the information is provided	Philippines
Date and method of provision	Transfer via network when using game services
Purpose of provision	Customer support and consultation, complaint handling
Information provided	Nickname, e-mail address, payment information, and other information required for consultation
Retention and Use Period	30 days after requesting to withdraw from the service or until the contract expires

Recipient of personal information (Contact information of information officer)	GAME FIRST INTERNATIONAL CORPORATION (aovservice@gamefirst.com.tw)
Country where the information is provided	Taiwan
Date and method of provision	Transfer via network when using game services
Purpose of provision	Customer support and consultation, complaint handling, Community and Event management
Information provided	Nickname, e-mail address, payment information, and other information required for consultation
Retention and Use Period	30 days after requesting to withdraw from the service or until the contract expires

Recipient of personal information (Contact information of information officer)	SOFTWORLD INTERNATIONAL CORPORATION (koalawu@soft-world.com.tw, weiwang@soft-world.com.tw, service@mycard520.com.tw)
Country where the information is provided	Taiwan, Hong Kong, Macau
Date and method of provision	Transfer via network when using game services, Transfer via network at the time of payment.
Purpose of provision	Event and marketing support and event operation, Send marketing LMS messages to consenters, payment service
Information provided	e-mail address, mobile phone number, payment information
Retention and Use Period	1 year after the service launch, or 30 days after a withdrawal request, or until the contract expires

Recipient of personal information (Contact information of information officer)	Xsolla, Inc (support@xsolla.com)
Country where the information is provided	America
Date and method of provision	Transfer via network at the point of purchase.
Purpose of provision	Payment service
Information provided	Payment information
Retention and Use Period	30 days after a withdrawal request, or until the contract expires

Recipient of personal information (Contact information of information officer)	Aceville Pte Ltd (cloudlegalnotices@tencent.com)
Country where the information is provided	Singapore
Date and method of provision	Transfer via network when using game services
Purpose of provision	Global service operation agency
Information provided	Article 1 All Information Collected
Retention and Use Period	30 days after requesting to withdraw from the service or until the contract expires

2) Provision of personal information to third parties

● None

3) Current status of overseas platform utilization

Recipient of personal information (contact information of information officer)	Amazon Web Services Inc. (https://aws.amazon.com/compliance/contact)
Country where the information is provided	Japan, Hong Kong, Singapore, Frankfurt, Virginia
Date and method of provision	Transfer via network when using game services
Purpose of provision	Cloud server operations and management
Information provided	ID, nickname, e-mail address
Retention and Use Period	30 days after withdrawing from the game or until the contract expires

4) Notice Regarding External Transmission

Our app is currently sending user data to the external sources detailed below:

Recipients	Content Provided	Purpose of Provision
Adjust	・Device information (device ID, OS version, advertising ID, language settings, timezone, etc.) ・Access information (IP address, accessing carrier, etc.) ・Country and region information	・Measurement and analysis of advertising effectiveness ・Data analysis for the improvement of game service quality
onionfive Inc.	・User information in the app ・Device information (device name, OS version, language settings, time zone, etc.) ・Country and region information ・App version information	・Responding to customer inquiries
Google LLC	・Device information (device name, OS version, language settings, time zone, etc.) ・App operation information (in-app taps, crash logs, etc.) ・Connection information (country, region) ・App version information	・Analyze crash logs to improve game service quality ・Analyzing push notifications and access
HYBE IM	・User information in the app ・In-app behavior data ・In-app payment-related behavior data ・Device information (device ID, OS version, advertising ID, language settings, timezone, etc.) ・Country and region information	・Analyzing data to improve game service quality ・Assist in responding to customer inquiries

When signing a contract with entrusted companies, important issues are addressed including prohibition of processing personal information for purposes other than entrusted purposes; technical and managerial measures to protect information; prohibition of re-entrustment; management and supervision of entrusted companies; and indemnification for possible damages. The company supervises the entrusted companies to ensure they handle the information safely.

If there are any changes in the entrusted tasks or list of entrusted companies, we will make sure to notify by sharing the revised Privacy Policy.

References

Personal Information Protection Systems of Countries Receiving Information

The privacy regulations of various countries have been examined according to the below standards.

■ Existence of the data privacy regulations

This is an indication of whether the country has established data protection and privacy regulations, including a comprehensive regulation.

■ Reference for data privacy regulations

It will be indicated if the privacy regulations of the corresponding country/region is equivalent to those of Japan.

▪ Participation in APEC CBPR

It will be indicated if the corresponding country/region is a participating country of the APEC CBPR system.

▪ Satisfaction of OECD’s Eight Principles
It will be indicated, as necessary, if the privacy regulation of the corresponding country/region includes rules that meet OECD’s Eight Principles.

Legends: ○ Rules are included in the comprehensive system; ∆ Certain rules are included in the comprehensive system/Rules are included in individual systems; — No rules could be found

OECD’s Eight Principles are as indicated in (1) to (8) below.

1. Collection Limitation Principle

Personal data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

2. Data Quality Principle

Personal data should be relevant to the purposes for which they are to be used, and should be accurate, complete and kept up-to-date

3. Purpose Specification Principle

The purposes for which personal data are collected should be specified, and the subsequent use limited to the fulfillment of those purposes.

4. Use Limitation Principle

Personal data should not be used for purposes other than those specified except with the consent of the data subject or by the authority of law.

5. Security Safeguards Principle

Personal data should be protected by reasonable security safeguards against such risks as loss, destruction, use, modification or disclosure of data.

6. Openness Principle

7. Individual Participation Principle

An individual should have the right to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him, and to challenge data relating to him.

8. Accountability Principle

A data controller should be accountable for complying with measures which give effect to the principles stated above.

■ Existence of system that may significantly affect the rights and interests of individuals

South Korea (Link)

Existence of the data privacy regulations
- Comprehensive system: Yes
Reference for data privacy regulations
- EU adequacy decision: Adopted
- CBPR system: Participating
Existence of system that will significantly affect the rights and interests of individuals
- Disclosure and notification of personal information of convicted sex offenders

Germany (Link)

Existence of the data privacy regulations
▪ Comprehensive system: Yes
Reference for data privacy regulations
▪ There is a data privacy regulation acknowledged as being the same level as in Japan.

United States of America (Link)

Existence of the data privacy regulations
- Comprehensive system: No
- System of individual sectors/regions: Yes
Reference for data privacy regulations
- EU adequacy decision: Not adopted
- CBPR system: Participating
Existence of system that will significantly affect the rights and interests of individuals
- None

Singapore (Link)

Existence of the data privacy regulations
- Comprehensive system: Yes
Reference for data privacy regulations
- EU adequacy decision: Not adopted
- CBPR system: Participating
Existence of system that will significantly affect the rights and interests of individuals
- There is a system related to government access that may significantly affect the rights and interests of individuals.

United Kingdom (Link)

Existence of the data privacy regulations
- Comprehensive system: Yes
Reference for data privacy regulations
- There is a data privacy regulation acknowledged as being the same level as in Japan.

Japan (Link)

Existence of the data privacy regulations
- Comprehensive system: Yes
Reference for data privacy regulations
- EU adequacy decision: Adopted
- CBPR system: Participating
Existence of system that will significantly affect the rights and interests of individuals
- None

Article 12 of the General Content above is inapplicable.

The following shall be added to Article 13 of the General Content above.

COMPANY: HYBE IM
ADDRESS: 2nd floor, 42 Teheran-ro 108-gil, Gangnam-gu, Seoul, South Korea (MDM Tower, Daechi-dong)
CEO: Jung Woo Yong

Article 14 of the General Content above is inapplicable.