ASTRA: Knights of Veda SERVICE PRIVACY POLICY
Article 1 Privacy Notice
This Privacy Policy (this “Policy”) is issued by HYBE IM Co., Ltd. (“HYBE IM,” "Company", “we,” “us,” or “our”) and is addressed to our general customers, visitors to our Sites, users of our Apps and other users of our services (together, “you”). In this Policy, the term “App” means any application made available by us (including where we make such applications available via third-party stores or marketplaces, or by any other means), and the term “Site” means any website operated, or maintained, by us or on our behalf. However, services with their own privacy notice will adhere to their own privacy notice.
As this Policy may be amended or updated from time to time, we encourage you to regularly check this Policy to review any changes with the terms.
The definition of “personal information” used in this Policy is as follows:
The term “personal information,” as used in this Policy, shall mean personal information as defined under Article 2 of the Personal Information Protection Act; for the purposes of the General Data Protection Regulation 2016/679 (the “GDPR”) and the UK Data Protection Act 2018, “personal information” shall mean information that is about any individual, or from which any individual is directly or indirectly identifiable, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual; and, for the purposes of the California Consumer Privacy Act (the “CCPA”), “personal information” shall be read to also include information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Article 2 Purposes of Processing Personal Information
We process your personal information for the following purposes pursuant to applicable law:
Purposes of Processing |
To provide our Sites, Apps, products and services: Providing our Sites, Apps, products or services; creating an account; providing customer support on the use of services; identifying and preventing wrongful uses; providing functions for joining the and for activities; performing statistical analyses; providing promotional materials (upon request); and communicating with you in relation to our Sites, Apps or services, provision and operation of event services (confirming participants for events, providing and delivering prizes to winners, handling other complaints), providing individually customized products, and legal representative certification. |
To operate our business: Operating and managing our Sites, Apps and services; providing content to you; the identification uses or other wrongful uses; communicating and interacting with you via our Sites, Apps or services; and notifying you of changes to any of our Sites, Apps or services. |
To perform communications and marketing activities: Communicating with you via any means (including via email and app push alerts) to provide news items and other information in which you may be interested, subject to obtaining your prior opt-in consent to the extent required under applicable law; personalizing our Sites, products and services for you; maintaining and updating your contact information where appropriate; where applicable, enabling you to opt-out to withdraw your consent to or unsubscribe from emails sent by us, and recording your choice. |
To manage IT systems: Managing and operating our communications, IT and security systems; and auditing (including security audits) and monitoring such systems. |
To improve our Sites, Apps and services: Identifying issues related to our Sites, Apps or services; planning improvements to our Sites, Apps or services; and developing new Sites, Apps or services. |
Article 3 Processed Personal Information
The personal information that we process about you is as follows:
[Required items]
Process timing | Personal information Processed | Period for retention and use |
Information required to be collected upon account creation | (Common) identification value linked to the member, e-mail address, character nickname, date of birth (Korean users) Personal identification information (name, date of birth, gender, nationality, mobile phone number, connecting information (CI), mobile carrier information) | 30 days after users’ request to withdraw from the service |
Upon pre-registration of the service | (For users logging-in from South Korea, Taiwan, Hong Kong, or Macau) Mobile phone number (For users logging-in from regions other than the above) E-mail address | 1 year after the service launch |
Upon participating in events and promotions | Name, mobile phone number, gender, date of birth, e-mail address, social media platform ID, address | Period indicated on each event page |
Upon receipt of customer inquiry | character nickname, e-mail address, identification value linked to the member, payment information, device information, service access environment, and other information required for consultation | 3 years after registration of inquiry in accordance with relevant laws and regulations |
Name, mobile phone number, date of birth, gender, address, personal identification information | ||
Upon reporting service-related issues | character nickname, device information, and service access environment | 3 years after registration of inquiry in accordance with relevant laws and regulations |
Upon log-in and using the service | Information automatically generated by cookie, service use history (date of access/log-in, IP address, fraudulent use/access, etc.), device information (unique device identifiers and OS version) and logged-in country, advertisement identifier(ADID, IDFA) | 30 days after withdrawal from the service or period stated in relevant laws. |
Tax and Public Fees Processing | Resident registration number, name | For 5 years from the progressed date, as stated in relevant laws |
Refund Processing | Account information (account holder’s name, account number, bank name) | For 5 years from the progressed date, as stated in relevant laws |
[optional items]
Time of processing | Personal information Processed | Period for retention and use |
Send of promotional alerts for event | Email, mobile phone number (telephone number), App Push Identification | For 30 days after leaving the service, or until you unsubscribe from promotional alerts for the event. |
Our service is not offered for children. If we discover that we have collected the personal information of a child, we will delete the information and cancel the user's account. If you believe that we have collected information of a child, please inform us via contact information in Article 13.
Article 4 Provision of Personal Information to Third Parties
Except in the following cases, we do not provide third parties with your personal information, unless you consent thereto or the disclosure is otherwise expressly prescribed in applicable law.
In addition, in accordance with relevant laws and regulations, we may share personal information without your consent to the extent that such sharing is reasonably related to the purpose of the collection of such personal information. In the foregoing case, we will comprehensively consider factors such as whether the sharing is related to the original purpose of collection, whether the sharing is predictable in light of the circumstances under which the personal information was collected or under usual processing practices, whether the sharing unreasonably infringes upon your interests and whether security measures such as pseudonymization or encryption have been implemented.
Article 5 Entrustment of Personal Information
When necessary for the purposes of service use, performing contractual obligations and improving member convenience, we entrust the processing of personal information to specialized service providers or utilize specialized platforms, within the scope disclosed in this Privacy Notice.
1) Details About Entities To Which Personal Information Is Outsourced
In the event of outsourcing the processing of personal information to use the service
The status of sub-outsourcing of the outsourced tasks may be confirmed through the privacy policy of the outsourced entity.
Outsourced person | Outsourced tasks |
Gamedex Corp. | Customer support and consultation, complaint handling |
ONIONFIVE Inc. | Customer center system operation and management |
GranMonster | Event and marketing support and event operation, prize shipping, and responding to inquiries |
Korea Mobile Certification Inc. | Identity verification and response to inquiries |
Daou Tech., Inc. | Text messaging (SMS, LMS), e-mail sending and system management |
Major Nine Co.,Ltd. | Event and marketing support and event operation, prize shipping, and responding to inquiries |
Co. Easter C& I | Event and marketing support and event operation, prize shipping, and responding to inquiries |
2) Details About platform companies
Current status of platform providers
Consignee | Consigned tasks |
Amazon Web Services, Inc.(Seoul) | Cloud server operations and management |
When signing the consignment contract to entrust the personal information processing, we include clauses stating the consignee's responsibilities such as the prohibition of processing personal information for purposes other than entrusted tasks, technical/administrative measures, prohibition of reconsigning, managerial and supervision of consignee, and compensations for damages, and we supervise the consignees to handle the information safely.
We will immediately disclose when there is any change in the entrusted tasks or consignees via the Notice.
Article 6 International Transfer of Personal Information
For the purposes of providing our services and enhancing users’ convenience, we may transfer and/or manage your personal information overseas as follows. The details on our international transfer of personal information are described below.
1) Consignment of Personal Information Processing
Recipient of personal information (Contact information of information officer) | HYBE JAPAN (hybeim_privacy@hybecorp.com) |
Digital Hearts : (cs-management@digitalhearts.com) | |
Country where the information is provided | Japan |
Date and method of provision | Transfer via network when using game services |
Purpose of provision | Service operation in Japan, customer support and consultation, complaint handling |
Information provided | Nickname, e-mail address, payment information, and other information required for consultation |
Retention and Use Period | 30 days after users’ request to withdraw from the service or until the contract expires |
Recipient of personal information (Contact information of information officer) | Gdex (billy@g-dex.biz) |
Country where the information is provided | Philippines |
Date and method of provision | Transfer via network when using game services |
Purpose of provision | Customer support and consultation, complaint handling |
Information provided | Nickname, e-mail address, payment information, and other information required for consultation |
Retention and Use Period | 30 days after requesting to withdraw from the service or until the contract expires |
Recipient of personal information (Contact information of information officer) | GAME FIRST INTERNATIONAL CORPORATION (aovservice@gamefirst.com.tw) |
Country where the information is provided | Taiwan |
Date and method of provision | Transfer via network when using game services |
Purpose of provision | Customer support and consultation, complaint handling, Community and Event management |
Information provided | Nickname, e-mail address, payment information, and other information required for consultation |
Retention and Use Period | 30 days after requesting to withdraw from the service or until the contract expires |
Recipient of personal information (Contact information of information officer) | SOFTWORLD INTERNATIONAL CORPORATION (koalawu@soft-world.com.tw, weiwang@soft-world.com.tw, service@mycard520.com.tw) |
Country where the information is provided | Taiwan, Hong Kong, Macau |
Date and method of provision | Transfer via network when using game services, Transfer via network at the point of purchase. |
Purpose of provision | Event and marketing support and event operation, Send marketing LMS messages to consenters, Payment service |
Information provided | e-mail address, mobile phone number, payment information |
Retention and Use Period | 1 year after the service launch, or 30 days after a withdrawal request, or until the contract expires |
Recipient of personal information (Contact information of information officer) | Xsolla, Inc (support@xsolla.com) |
Country where the information is provided | America |
Date and method of provision | Transfer via network at the point of purchase. |
Purpose of provision | Payment Service |
Information provided | Payment Information |
Retention and Use Period | 30 days after a withdrawal request, or until the contract expires
|
Recipient of personal information (Contact information of information officer) | Aceville Pte Ltd (cloudlegalnotices@tencent.com) |
Country where the information is provided | Singapore |
Date and method of provision | Transfer via network when using game services |
Purpose of provision | Global service operation agency |
Information provided | Article 1 All Information Collected |
Retention and Use Period | 30 days after requesting to withdraw from the service or until the contract expires |
2) Provision of personal information to third parties
● None
3) Current status of overseas platform utilization
Recipient of personal information (contact information of information officer) | Amazon Web Services Inc. |
Country where the information is provided | Japan, Hong Kong, Singapore, Frankfurt, Virginia |
Date and method of provision | Transfer via network when using game services |
Purpose of provision | Cloud server operations and management |
Information provided | ID, nickname, e-mail address |
Retention and Use Period | 30 days after withdrawing from the game or until the contract expires |
Users may refuse the international transfer of personal information, but in such cases, services that require international transfer of personal information will be restricted. If you do not wish to have your information transferred overseas, you can withdraw your membership by accessing the page specified below or request the suspension of the processing of your personal information through the Personal Information Protection Officer or Personal Information Complaint Resolution Department.
- In-game [Settings - Account] menu, go to [Withdrawal]
Article 7 Retention of Personal Information
If we collect any personal information from you, we comply with our internal policy to use and retain such personal information for the period during which you use our services.
In addition, if we need to preserve personal information in accordance with the provisions of applicable law or our internal policies, we will retain relevant personal information for a specified period as follows:
1) Details About Keeping Of Personal Information In Accordance With Relevant Laws
2) Details About Information Kept In Accordance With Our Internal Policies
Article 8 Procedures and Methods of Destroying Personal Information
Once the purposes of collection and use of your personal information are achieved, we destroy your personal information in accordance with our internal policies and other applicable laws. However, personal information collected with your consent or stored in the form of electronic files will be deleted using technical means that make the records unreproducible, and personal information printed on paper such as filings or printed materials will be shredded or incinerated.
Article 9 Your Legal Rights
Subject to applicable law, you may have the following rights relating to your personal information managed by us. You may exercise your rights at any time, by contacting the data protection officer via the contact information provided in Article 13 (Data Protection Officer).
Article 10 Technical/Administrative Measures for Protecting Personal Data
When handling personal information, we take appropriate measures to keep the information safe and prevent from loss, theft, leakage, falsification, or damage, and we take technical measures as follows:
We fully acknowledge the importance of your personal information, and accordingly, we have a reasonably limited number of employees handling personal information. The personnel in charge of protecting personal information conducts periodical education for the employees, putting the utmost effort to protect personal information. Also, we periodically check the compliance status of commitments stated in the policy and relevant employees, and when we detect any violation, we immediately correct and improve the issue and take necessary measures.
Article 11 Installation and Operation of Automatic Collection Tools for Personal Information and Refusal Thereof
We use cookies to store and discover information about members. Cookies are strings of small amounts of text transmitted by the website server to users’ computer browsers (e.g., Internet Explorer, Safari, Chrome, Firefox). Cookies identify each member’s computer, but do not identify individual members.
We use Google Analytics (Terms of Service)and API provided by Google (Privacy Policy), for providing services and statistics analyses. For further details, please see our Cookie Policy
(1) Operation of Cookies
① Provide differentiated information depending on each individual’s interests
② Analyze members’ and non-members’ frequency of visits and time spent on each visit to identify members’ tastes and interests for use in targeted marketing
③ Identify the traces of browsing records of contents in which members were interested in to provide personalized services on the next visit
④ Analyze customers’ habits and use the results as criteria for service reorganization, etc.
(2) Cookie options
By adjusting the settings on their web browser, members may accept all cookies, receive notifications whenever cookies are installed, or refuse all cookies. However, if you refuse cookies, you may not be able to use certain functions of the service that require login.
You can set whether to permit cookies (on Internet Explorer) as follows:
① Go to [Tools] and [Internet Options].
② Click [Privacy].
③ Under the tab [Settings], choose the level you want from “Accept All Cookies – Low – Medium – Medium High – High – Block All Cookies.”
(3) Cookies expire when you close or log off from the browser.
(4) The Company allows analytics companies and advertising companies to automatically collect users’ advertising identifiers and related information for the purpose of conducting and analyzing marketing campaigns.
(5) When the company advertises the company’s services on users’ device, the advertisement identifier of the user’s device and other information associated therewith may be used to help the company deliver advertisements related to the user’s interests and improve and measure the effectiveness of the advertising campaign. You can block your device's advertising identifier from being used for interest-based advertising or reset your device's advertising identifier by changing your device settings.
[Method of Changing Device Settings]
Article 12 Decision-Making Standards for Additional Use and Provision of Personal Information
In accordance with Article 15(3) and Article 17(4) of the Personal Information Act of South Korea, we may additionally use or provide your personal information without your consent, in consideration of Article 14-2 of the Enforcement Decree of the Personal Information Protection Act of South Korea.
Personal information to be provided | Purpose of provision | Period for retention and use |
Automatically generated information (internal identification key, device information, etc.), service use records (date and time of visit, IP address, incorrect use records, etc.), device information (unique device identification value, OS version), country accessed from | Statistics and sales analysis on game and platform service use | 30 days after withdrawal from the service or a period specified in the relevant laws and regulations |
(Event winners) E-mail address | Event winner information and confirmation | Retained for 1 year after the end of the event |
Accordingly, we have considered the below items for additional use and provision of information without the user's consent.
Article 13 Data Protection Officer
In order to protect users’ personal information and handle complaints related to personal information, we have designated our Data Protection Officer as follows. Users may report all complaints related to personal information protection arising in the course of using our services to the Data Protection Officer, and we will provide prompt and sufficient responses to such reports.
Article 14 Handling of Comments and Complaints
We operate a customer services center for smooth communication and resolution of any comments and/or complaints presented by our users in connection with personal information protection. If you are a user in Korea, in the event of a dispute arising between us and you in connection with personal information protection, for which you require help regarding potential infringement upon your information, you can contact the Personal Information Infringement Report Center of the Korea Internet & Security Agency, the Cyber Bureau of the National Police Agency, or other relevant agencies.
Korea Internet & Security Agency | https://privacy.kisa.or.kr | 118 |
Personal Information Dispute Mediation Committee | https://www.kopico.go.kr | 1833-6972 |
Cybercrime Investigation Division of Supreme Prosecutors’ Office | https://www.spo.go.kr | 1303 |
Cyber Bureau of National Police Agency | https://cyber.go.kr | 182 |
Article 15 Changes in Privacy Notice
This Privacy Policy will take into effect from April 2, 2024 (KST). Please refer to the link below to see the previous version of Privacy Policy.
Previous Privacy Policy
Jurisdiction-Specific Terms
The following are supplementary clauses applicable depending on your location or nationality. In the event of conflict between the following and the main text of this Privacy Notice, the following shall prevail.
EEA and UK
For the purposes of this section, the term “personal information” used in the General Content of this Policy shall be replaced with the term “personal data” – the term shall have the same meaning as set out in Article 1
Article 1 of the General Content above shall be supplemented with the following text as a new final paragraph:
For the purposes of the GDPR and the UK Data Protection Act 2018, HYBE IM Co., Ltd. is the entity (or “controller”) that decides how and why your personal data are processed and has primary responsibility for complying with applicable data protection laws.
Article 2 of the General Content above shall be replaced with the following:
Article 2 Purposes and Legal Bases for Processing of Personal Data
The purposes of processing of your personal data and the legal bases on which we rely under applicable laws are as follows:
Processing activity | Legal basis for processing |
To provide our Sites, Apps, products and services: Providing our Sites, Apps, products or services; creating an account; providing customer support on the use of services; identifying and preventing wrongful uses; providing functions for joining the game community and for community activities; performing statistical analyses; providing promotional materials (upon request); and communicating with you in relation to our Sites, Apps or services; and providing and operating event services (confirming participants for events, providing and delivering prizes to winners, handling other complaints). | · The processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or · We have a legitimate interest in carrying out the processing for the purpose of providing you with our Sites, Apps or services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or · We have obtained your prior consent to the processing (the aforementioned legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way). |
To operate our business: Operating and managing our Sites, Apps and services; providing you with content; authenticating users for the sales/delivery of products and the identification and prevention of other wrongful uses; communicating and interacting with you via our Sites, Apps or services; and notifying you of changes to any of our Sites, Apps or services. | · The processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or · We have a legitimate interest in carrying out the processing for the purpose of providing you with our Sites, Apps or services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or · We have obtained your prior consent to the processing (the aforementioned legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way). |
To perform communications and marketing activities: Communicating with you via any means (including via email and app push alerts) to provide news items and other information in which you may be interested, subject to obtaining your prior opt-in consent to the extent required under applicable law; personalizing our Sites, products and services for you; maintaining and updating your contact information where appropriate; where applicable, enabling you to opt-out to withdraw your consent to or unsubscribe from emails sent by us, and recording your choice. | · The processing is necessary in connection with any contract that you have entered into with us, or to take steps prior to entering into a contract with us; or · We have a legitimate interest in carrying out the processing for the purpose of contacting you, subject always to compliance with applicable law (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or · We have obtained your prior consent to the processing (the aforementioned legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way). |
To manage IT systems: Managing and operating our communications, IT and security systems; and auditing (including security audits) and monitoring such systems. | · The processing is necessary for our compliance with a legal obligation; or · We have a legitimate interest in carrying out the processing for the purpose of managing and maintaining our communications and IT systems (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms). |
To improve our Sites, Apps and services: Identifying issues related to our Sites, Apps or services; planning improvements to our Sites, Apps or services; and developing new Sites, Apps or services. | · We have a legitimate interest in carrying out the processing for the purpose of improving our Sites, Apps or services (to the extent that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms); or · We have obtained your prior consent to the processing (this legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way). |
Direct Marketing
We process personal data to contact you via email, telephone, direct mail or other communication formats to provide you with information regarding Sites, Apps or services that may be of interest to you. We also process personal data for the purposes of displaying content tailored to your use of our Sites, Apps or services. If we provide Sites, Apps or services to you, we may send or display information to you regarding our Sites, Apps or services, upcoming promotions and other information that may be of interest to you, including by using the contact details that you have provided to us, or any other appropriate means, subject always to obtaining your prior opt-in consent, to the extent required under applicable law.
You may unsubscribe from our promotional email list at any time by simply clicking on the unsubscribe link included in every promotional electronic communication we send or by unsubscribing online by selecting the ‘Decline’ option found in-game through the [Account] setting. Please note that it may take up to 2 weeks to process your unsubscribe request, during which time you may continue to receive communications from us. After you unsubscribe, we will not send you further promotional emails, but in some circumstances we will continue to contact you to the extent necessary for the purposes of any Sites, Apps or services you have requested.
The final paragraph of Article 4 of the General Content above shall be replaced with the following:
Article 4 Disclosure of Personal Data to Third Parties
We disclose personal data to other entities, for legitimate business purposes and the operation of our Sites, Apps or services to you, in accordance with applicable law. In addition, we disclose personal data to:
If we engage a third-party processor to process your personal data, the processor will be subject to binding contractual obligations to:
(i) only process the personal data in accordance with our prior written instructions; and
(ii) use measures to protect the confidentiality and security of the personal data; together with any additional requirements under applicable law.
Please see Article 5 for more information on the third-party processors.
1) Details About Providing Personal Information To Third Parties
Article 6 of the General Content above shall be replaced with the following:
Article 6 International Transfer of Personal Data
Because of the international nature of our business, we transfer personal data within the HYBE group, and to third parties, as discussed further in Article 6, in connection with the purposes set out in this Policy. For this reason, we transfer personal data to other countries that may have different laws and data protection compliance requirements to those that apply in the country in which you are located, including Korea, Japan, and the United States.
If an exemption or derogation applies (e.g., where a transfer is necessary to establish, exercise or defend a legal claim) we may rely on that exemption or derogation, as appropriate. Where no exemption or derogation applies, and we transfer your personal data from the EEA or UK to recipients located outside the EEA or UK who are not in jurisdictions formally designated by the European Commission or UK Government as providing an adequate level of protection for personal data, we do so on the basis of template transfer clauses adopted by the European Commission or adopted by a Data Protection Authority and approved by the European Commission, or adopted by the UK Government (as appropriate). You are entitled to request a copy of these clauses using the contact details provided in Section Article 13 below.
Please note that when you transfer any personal data directly to any HYBE entity established outside the EEA or UK, we are not responsible for that transfer of your personal data. We will nevertheless process your personal data, from the point at which we receive those data, in accordance with the provisions of this Policy.
Article 8 of the General Content above shall be replaced with the following:
Article 8 Procedures and Methods of Destroying Personal Data
We destroy your personal information in accordance with our internal policies and other applicable laws.
The following shall supplement Article 9:
Article 9 Your Legal Rights
In addition to the above rights, you remain entitled to all other statutory rights.
You may also have the following additional rights regarding the processing of your personal information:
|
Article 11 of the General Content above shall be replaced with the following:
Article 11 Cookies and Similar Technologies
When you visit a Site or use an App, we will typically place cookies onto your device or read cookies already on your device, subject always to obtaining your prior consent, where required, in accordance with applicable law. For further details, please see our Cookie Policy.
Article 13 of the General Content above shall be replaced with the following:
Article 13 Contact Information
You may contact our DPO [hybeim_privacy@hybecorp.com] if you wish to exercise your rights in connection with this Policy or your personal data. You may also contact our representative.
1) EDPO
2) EDPO UK
Article 14 of the General Content above shall not apply.
California Consumer Privacy Act (CCPA)
Article 7 of the General Content above shall be replaced with the following:
Article 7 Data Retention Period
We take every reasonable step to ensure that your personal information is only processed for the minimum period necessary for the purposes set out in this Policy. We will retain your personal information in a form that permits identification only for as long as:
(1) we maintain an ongoing relationship with you; or
(2) your personal information is necessary in connection with the lawful purposes set out in this Policy, for which we have a valid legal basis.
Article 9 of the General Content shall be replaced with the following:
Article 9 California Consumer Privacy Act Disclosures
Under the California Consumer Privacy Act (“CCPA”), we must disclose our practices regarding the collection, use, and disclosure of the personal information of California residents (“Consumers”).
Collection of Personal Information
We have collected and will collect the following general categories of personal information about Consumers:
Use of Personal information
We may use the categories of personal information described above for the following business or commercial purposes:
Categories of Sources of Personal information
We collect or obtain personal information of Consumers from the following sources:
Disclosure of Personal information
We do not sell any personal information to third parties. In particular, we do not sell the personal information of minors under 16 years of age. In the preceding 12 months, we have disclosed the following categories of personal information to the following categories of recipients:
Categories of recipients | Categories of personal information |
Vendors who may need access to Consumers’ personal information to help us provide our services. |
|
Entities who provide us with email address management and communication contact services, and those who analyze and enhance our marketing campaigns and service. |
|
Entities that provide assistance to us. |
|
Article 11 of the General Content above shall be replaced with the following:
Article 14 California’s “Shine the Light” Law
Under California’s “Shine the Light” law, California residents are entitled to ask us for a notice describing what categories of personal customer information we share with third parties or our affiliates in connection with direct marketing performed by such third parties or our affiliates. The aforementioned notice will identify the categories of information we shared with third parties and our affiliates, and will include a list of names and addresses of such data recipients. If you are a California resident and would like a copy of this Policy, please submit a written request to the following email address:
Article 13 of the General Content above shall be replaced with the following:
Article 13 Consumer Rights under the CCPA
If you are a Consumer, the CCPA grants you the following rights regarding your personal information. If you make a certain request to us in order to exercise, or cause an authorized representative you appointed to exercise on your behalf, your rights to know and delete set forth in the CCPA, we will generally require you to provide us with certain personal information for the purpose of identifying you in the course of handling your request and compare such personal information against the personal information we have collected about you to verify your identity (“verifiable consumer request”).
Verifiable consumer requests to know or delete may be submitted through one of the following methods:
Right to Know About Personal Information We Collected about You.
Consumers have the right to submit a verifiable consumer request that we disclose the following personal information we collected about you over the 12-month period preceding the verifiable consumer request, in a readily useable format:
Right to Request Deletion of Personal Information.
Consumers have the right to request that we delete any personal information we have collected from them.
Right to Non-Discrimination.
Consumers have the right to be free from discrimination when they exercise their rights under the CCPA and, should you exercise those rights, we cannot:
Notice of Financial Incentive
We offer consumers who provide personal identifiers, including their name, home address, and email address, and commercial information, including their purchase history and access to events. As participants in these programs, consumers will have the opportunity to win prizes. Consumers may opt-in to our community events by signing up on our website. Consumers may cancel their participation in these events at any time.
Authorized Agent
Under the CCPA, you may appoint an authorized agent to submit requests to exercise your rights on your behalf. Should you choose to do so, for your and our protection, we will require your authorized agent to provide us with a signed permission demonstrating they are authorized to submit a request on your behalf. We note, should your authorized agent fail to submit proof that they have been authorized to act on your behalf, we will deny their request.
Article 14 of the General Content above shall not apply.
Japan
According to the purpose of the Article, the “relevant laws" and “relevant Korean laws" stated in this Policy shall be replaced with the Act on the Protection of Personal Information (Act No. 57 of 2003) and relevant Japanese laws.
The terms used in Article 2 of the General Content above shall be replaced with the following:
The description of this Policy shall be replaced with the following: “We process your personal information for the following purposes pursuant to applicable law.”
Article 4 (Provision of Personal Information to Third Parties), Article 5 (Entrustment of Personal Information), and Article 6 (International Transfer of Personal Information) of the General Content above shall be replaced with the following:
Except in the following cases, we do not provide third parties with your personal information, unless you consent thereto or the disclosure is otherwise expressly prescribed in applicable law.
Details About Providing Personal Information To Third Parties
Details About International Transfer of Personal Information
1) Consignment of Personal Information Processing
Recipient of personal information (Contact information of information officer) | HYBE JAPAN (hybeim_privacy@hybecorp.com) |
Digital Hearts : (cs-management@digitalhearts.com) | |
Country where the information is provided | Japan |
Date and method of provision | Transfer via network when using game services |
Purpose of provision | Service operation in Japan, customer support and consultation, complaint handling |
Information provided | Nickname, e-mail address, payment information, and other information required for consultation |
Retention and Use Period | 30 days after users’ request to withdraw from the service or until the contract expires |
Recipient of personal information (Contact information of information officer) | Gdex (billy@g-dex.biz) |
Country where the information is provided | Philippines |
Date and method of provision | Transfer via network when using game services |
Purpose of provision | Customer support and consultation, complaint handling |
Information provided | Nickname, e-mail address, payment information, and other information required for consultation |
Retention and Use Period | 30 days after requesting to withdraw from the service or until the contract expires |
Recipient of personal information (Contact information of information officer) | GAME FIRST INTERNATIONAL CORPORATION (aovservice@gamefirst.com.tw) |
Country where the information is provided | Taiwan |
Date and method of provision | Transfer via network when using game services |
Purpose of provision | Customer support and consultation, complaint handling, Community and Event management |
Information provided | Nickname, e-mail address, payment information, and other information required for consultation |
Retention and Use Period | 30 days after requesting to withdraw from the service or until the contract expires |
Recipient of personal information (Contact information of information officer) | SOFTWORLD INTERNATIONAL CORPORATION (koalawu@soft-world.com.tw, weiwang@soft-world.com.tw, service@mycard520.com.tw) |
Country where the information is provided | Taiwan, Hong Kong, Macau |
Date and method of provision | Transfer via network when using game services, transfer via network at the point of purchase.
|
Purpose of provision | Event and marketing support and event operation, Send marketing LMS messages to consenters, Payment Service
|
Information provided | e-mail address, mobile phone number, payment information |
Retention and Use Period | 1 year after the service launch, or 30 days after a withdrawal request, or until the contract expires
|
Recipient of personal information (Contact information of information officer) | Xsolla, Inc (support@xsolla.com) |
Country where the information is provided | America |
Date and method of provision | Transfer via network at the point of purchase. |
Purpose of provision | Payment Service |
Information provided | Payment information |
Retention and Use Period | 30 days after a withdrawal request, or until the contract expires
|
Recipient of personal information (Contact information of information officer) | Aceville Pte Ltd (cloudlegalnotices@tencent.com) |
Country where the information is provided | Singapore |
Date and method of provision | Transfer via network when using game services |
Purpose of provision | Global service operation agency |
Information provided | Article 1 All Information Collected |
Retention and Use Period | 30 days after requesting to withdraw from the service or until the contract expires |
2) Provision of personal information to third parties
● None
3) Current status of overseas platform utilization
Recipient of personal information (contact information of information officer) | Amazon Web Services Inc. |
Country where the information is provided | Japan, Hong Kong, Singapore, Frankfurt, Virginia |
Date and method of provision | Transfer via network when using game services |
Purpose of provision | Cloud server operations and management |
Information provided | ID, nickname, e-mail address |
Retention and Use Period | 30 days after withdrawing from the game or until the contract expires |
4) Notice Regarding External Transmission
Our app is currently sending user data to the external sources detailed below:
Recipients | Content Provided | Purpose of Provision |
Adjust | ・Device information (device ID, OS version, advertising ID, language settings, timezone, etc.) ・Access information (IP address, accessing carrier, etc.) ・Country and region information | ・Measurement and analysis of advertising effectiveness ・Data analysis for the improvement of game service quality
|
onionfive Inc. | ・User information in the app ・Device information (device name, OS version, language settings, time zone, etc.) ・Country and region information ・App version information
| ・Responding to customer inquiries |
Google LLC | ・Device information (device name, OS version, language settings, time zone, etc.) ・App operation information (in-app taps, crash logs, etc.) ・Connection information (country, region) ・App version information | ・Analyze crash logs to improve game service quality ・Analyzing push notifications and access
|
HYBE IM | ・User information in the app ・In-app behavior data ・In-app payment-related behavior data ・Device information (device ID, OS version, advertising ID, language settings, timezone, etc.) ・Country and region information | ・Analyzing data to improve game service quality ・Assist in responding to customer inquiries |
【Joint Use】
The companies listed below and included in the above details about third parties provided with personal information are part of the company’s group. The types of jointly used personal information; the bounds of jointly using parties; the purpose of using; and the names of the companies and their representatives with responsibilities of managing personal information are listed below.
Companies included in the group (jointly using parties): HYBE Corp., HYBE IM, BIGHIT MUSIC Co., Ltd., Pledis Entertainment Co., Ltd., BELIFT LAB Co., Ltd., KOZ Entertainment Co., Ltd., Source Music Co., Ltd., ADOR Co., Ltd., Weverse Company Inc., Weverse Japan Inc., HYBE Japan Inc., HYBE Labels JAPAN, NAECO, HYBE America, Inc.. Weverse America Inc.
References
Personal Information Protection Systems of Countries Receiving Information
HYBE IM Co., Ltd. (hereinafter “the company”) provides various services to its customers, and in the process, the company comes across many occasions in which the user’s personal information needs to be provided to companies located outside the country or region of the user’s residence, with the user’s consent. The company’s Privacy Policy describes that the company may provide the user’s personal information to companies outside the country.
This page describes the details of the company’s provision of user’s personal information to companies outside the country or region of the user’s residence, using the privacy regulations of other countries as reference.
The privacy regulations of various countries have been examined according to the below standards.
■ Existence of the data privacy regulations
This is an indication of whether the country has established data protection and privacy regulations, including a comprehensive regulation.
■ Reference for data privacy regulations
The following types of information are used as references for the standards of each country’s privacy regulations.
▪ Whether the standards of the privacy regulations of the corresponding country/region are equivalent to those of Japan
It will be indicated if the privacy regulations of the corresponding country/region is equivalent to those of Japan.
▪ EU adequacy decision
It will be indicated if the EU adequacy decision has been adopted in the corresponding country/region. EU adequacy decision refers to the European Commission’s decision that indicates the corresponding country/region has secured an adequate level of data protection. If a country has adopted the EU adequacy decision, we can expect the same level of protection of personal information in the country/region as in Japan.
▪ Participation in APEC CBPR
It will be indicated if the corresponding country/region is a participating country of the APEC CBPR system.
When the corresponding country/region is a participating country of the APEC CBPR system, we can expect the same level of protection of personal information in the country/region as in Japan, as it signifies that the laws of the corresponding country/region would be enforced in compliance with the APEC privacy framework and an enforcement office.
▪ Satisfaction of OECD’s Eight Principles
It will be indicated, as necessary, if the privacy regulation of the corresponding country/region includes rules that meet OECD’s Eight Principles.
OECD’s Eight Principles provides the basic principles to be referenced in performing international efforts for personal information protection, and they are considered to be the substantial global standards for each country’s establishment of the personal information protection system.
In this page, it will be indicated if the data privacy regulation of the corresponding country/region includes rules corresponding to OECD’s Eight Principles, according to the following legends for each of OECD’s Eight Principles.
Legends: ○ Rules are included in the comprehensive system; ∆ Certain rules are included in the comprehensive system/Rules are included in individual systems; — No rules could be found
OECD’s Eight Principles are as indicated in (1) to (8) below.
1. Collection Limitation Principle
Personal data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
2. Data Quality Principle
Personal data should be relevant to the purposes for which they are to be used, and should be accurate, complete and kept up-to-date
3. Purpose Specification Principle
The purposes for which personal data are collected should be specified, and the subsequent use limited to the fulfillment of those purposes.
4. Use Limitation Principle
Personal data should not be used for purposes other than those specified except with the consent of the data subject or by the authority of law.
5. Security Safeguards Principle
Personal data should be protected by reasonable security safeguards against such risks as loss, destruction, use, modification or disclosure of data.
6. Openness Principle
There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence of personal data, and the purposes of their use, as well as the data controller.
7. Individual Participation Principle
An individual should have the right to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him, and to challenge data relating to him.
8. Accountability Principle
A data controller should be accountable for complying with measures which give effect to the principles stated above.
■ Existence of system that may significantly affect the rights and interests of individuals
Information on whether there is a system that may significantly affect the rights and interests of individuals pursuant to the transfer of personal data to the corresponding country/region in comparison to Japan’s data privacy regulation is indicated.
Specifically, the following information which may significantly affect the rights and interests of individuals in the system of the corresponding country/region is indicated; namely, (1) existence of rules which directly obligate the recipient of personal information, which was collected within the corresponding country/region, to retain such personal information within the corresponding country/region, or obligates the recipient of personal information to substantially retain such personal information within the corresponding country/region by imposing restrictions on carrying such personal information outside the corresponding country/region (system related to data localization), and (2) existence of rules which allow the government to access the personal data retained by private businesses or obligate private businesses to provide personal data to the government under laws for the purpose of enforcement of criminal laws and/or national security safeguards (system related to government access).
Please note that the information may not be the latest at present, as each country periodically updates the information related to the data privacy regulation. Please review the information on the data privacy regulations of foreign countries provided by the Personal Information Protection Commission of Japan. (Source: Personal Information Protection Commission of Japan)
South Korea (Link)
Germany (Link)
United States of America (Link)
Singapore (Link)
United Kingdom (Link)
Japan (Link)
【Provision by Entrustment】
The company has entrusted specialized companies and platforms with the tasks of processing personal information within reasonable scopes, in order to achieve the purposes of providing service and fulfilling contracts, and improving the convenience of customers.
Details About Providing Personal Information To Third Parties
Details About International Transfer of Personal Information
1) Consignment of Personal Information Processing
Recipient of personal information (Contact information of information officer) | HYBE JAPAN (hybeim_privacy@hybecorp.com) |
Digital Hearts : (cs-management@digitalhearts.com) | |
Country where the information is provided | Japan |
Date and method of provision | Transfer via network when using game services |
Purpose of provision | Service operation in Japan, customer support and consultation, complaint handling |
Information provided | Nickname, e-mail address, payment information, and other information required for consultation |
Retention and Use Period | 30 days after users’ request to withdraw from the service or until the contract expires |
Recipient of personal information (Contact information of information officer) | Gdex (billy@g-dex.biz) |
Country where the information is provided | Philippines |
Date and method of provision | Transfer via network when using game services |
Purpose of provision | Customer support and consultation, complaint handling |
Information provided | Nickname, e-mail address, payment information, and other information required for consultation |
Retention and Use Period | 30 days after requesting to withdraw from the service or until the contract expires |
Recipient of personal information (Contact information of information officer) | GAME FIRST INTERNATIONAL CORPORATION (aovservice@gamefirst.com.tw) |
Country where the information is provided | Taiwan |
Date and method of provision | Transfer via network when using game services |
Purpose of provision | Customer support and consultation, complaint handling, Community and Event management |
Information provided | Nickname, e-mail address, payment information, and other information required for consultation |
Retention and Use Period | 30 days after requesting to withdraw from the service or until the contract expires |
Recipient of personal information (Contact information of information officer) | SOFTWORLD INTERNATIONAL CORPORATION (koalawu@soft-world.com.tw, weiwang@soft-world.com.tw, service@mycard520.com.tw) |
Country where the information is provided | Taiwan, Hong Kong, Macau |
Date and method of provision | Transfer via network when using game services, Transfer via network at the time of payment. |
Purpose of provision | Event and marketing support and event operation, Send marketing LMS messages to consenters, payment service |
Information provided | e-mail address, mobile phone number, payment information
|
Retention and Use Period | 1 year after the service launch, or 30 days after a withdrawal request, or until the contract expires |
Recipient of personal information (Contact information of information officer) | Xsolla, Inc (support@xsolla.com) |
Country where the information is provided | America |
Date and method of provision | Transfer via network at the point of purchase. |
Purpose of provision | Payment service |
Information provided | Payment information |
Retention and Use Period | 30 days after a withdrawal request, or until the contract expires
|
Recipient of personal information (Contact information of information officer) | Aceville Pte Ltd (cloudlegalnotices@tencent.com) |
Country where the information is provided | Singapore |
Date and method of provision | Transfer via network when using game services |
Purpose of provision | Global service operation agency |
Information provided | Article 1 All Information Collected |
Retention and Use Period | 30 days after requesting to withdraw from the service or until the contract expires |
2) Provision of personal information to third parties
● None
3) Current status of overseas platform utilization
Recipient of personal information (contact information of information officer) | Amazon Web Services Inc. |
Country where the information is provided | Japan, Hong Kong, Singapore, Frankfurt, Virginia |
Date and method of provision | Transfer via network when using game services |
Purpose of provision | Cloud server operations and management |
Information provided | ID, nickname, e-mail address |
Retention and Use Period | 30 days after withdrawing from the game or until the contract expires |
4) Notice Regarding External Transmission
Our app is currently sending user data to the external sources detailed below:
Recipients | Content Provided | Purpose of Provision |
Adjust | ・Device information (device ID, OS version, advertising ID, language settings, timezone, etc.) ・Access information (IP address, accessing carrier, etc.) ・Country and region information | ・Measurement and analysis of advertising effectiveness ・Data analysis for the improvement of game service quality
|
onionfive Inc. | ・User information in the app ・Device information (device name, OS version, language settings, time zone, etc.) ・Country and region information ・App version information
| ・Responding to customer inquiries |
Google LLC | ・Device information (device name, OS version, language settings, time zone, etc.) ・App operation information (in-app taps, crash logs, etc.) ・Connection information (country, region) ・App version information | ・Analyze crash logs to improve game service quality ・Analyzing push notifications and access
|
HYBE IM | ・User information in the app ・In-app behavior data ・In-app payment-related behavior data ・Device information (device ID, OS version, advertising ID, language settings, timezone, etc.) ・Country and region information | ・Analyzing data to improve game service quality ・Assist in responding to customer inquiries |
When signing a contract with entrusted companies, important issues are addressed including prohibition of processing personal information for purposes other than entrusted purposes; technical and managerial measures to protect information; prohibition of re-entrustment; management and supervision of entrusted companies; and indemnification for possible damages. The company supervises the entrusted companies to ensure they handle the information safely.
If there are any changes in the entrusted tasks or list of entrusted companies, we will make sure to notify by sharing the revised Privacy Policy.
References
Personal Information Protection Systems of Countries Receiving Information
HYBE IM Co., Ltd. (hereinafter “the company”) provides various services to its customers, and in the process, the company comes across many occasions in which the user’s personal information needs to be provided to companies located outside the country or region of the user’s residence, with the user’s consent. The company’s Privacy Policy describes that the company may provide the user’s personal information to companies outside the country.
This page describes the details of the company’s provision of user’s personal information to companies outside the country or region of the user’s residence, using the privacy regulations of other countries as reference.
The privacy regulations of various countries have been examined according to the below standards.
■ Existence of the data privacy regulations
This is an indication of whether the country has established data protection and privacy regulations, including a comprehensive regulation.
■ Reference for data privacy regulations
The following types of information are used as references for the standards of each country’s privacy regulations.
▪ Whether the standards of the privacy regulations of the corresponding country/region are equivalent to those of Japan
It will be indicated if the privacy regulations of the corresponding country/region is equivalent to those of Japan.
▪ EU adequacy decision
It will be indicated if the EU adequacy decision has been adopted in the corresponding country/region. EU adequacy decision refers to the European Commission’s decision that indicates the corresponding country/region has secured an adequate level of data protection. If a country has adopted the EU adequacy decision, we can expect the same level of protection of personal information in the country/region as in Japan.
▪ Participation in APEC CBPR
It will be indicated if the corresponding country/region is a participating country of the APEC CBPR system.
When the corresponding country/region is a participating country of the APEC CBPR system, we can expect the same level of protection of personal information in the country/region as in Japan, as it signifies that the laws of the corresponding country/region would be enforced in compliance with the APEC privacy framework and an enforcement office.
▪ Satisfaction of OECD’s Eight Principles
It will be indicated, as necessary, if the privacy regulation of the corresponding country/region includes rules that meet OECD’s Eight Principles.
OECD’s Eight Principles provides the basic principles to be referenced in performing international efforts for personal information protection, and they are considered to be the substantial global standards for each country’s establishment of the personal information protection system.
In this page, it will be indicated if the data privacy regulation of the corresponding country/region includes rules corresponding to OECD’s Eight Principles, according to the following legends for each of OECD’s Eight Principles.
Legends: ○ Rules are included in the comprehensive system; ∆ Certain rules are included in the comprehensive system/Rules are included in individual systems; — No rules could be found
OECD’s Eight Principles are as indicated in (1) to (8) below.
1. Collection Limitation Principle
Personal data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
2. Data Quality Principle
Personal data should be relevant to the purposes for which they are to be used, and should be accurate, complete and kept up-to-date
3. Purpose Specification Principle
The purposes for which personal data are collected should be specified, and the subsequent use limited to the fulfillment of those purposes.
4. Use Limitation Principle
Personal data should not be used for purposes other than those specified except with the consent of the data subject or by the authority of law.
5. Security Safeguards Principle
Personal data should be protected by reasonable security safeguards against such risks as loss, destruction, use, modification or disclosure of data.
6. Openness Principle
There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence of personal data, and the purposes of their use, as well as the data controller.
7. Individual Participation Principle
An individual should have the right to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him, and to challenge data relating to him.
8. Accountability Principle
A data controller should be accountable for complying with measures which give effect to the principles stated above.
■ Existence of system that may significantly affect the rights and interests of individuals
Information on whether there is a system that may significantly affect the rights and interests of individuals pursuant to the transfer of personal data to the corresponding country/region in comparison to Japan’s data privacy regulation is indicated.
Specifically, the following information which may significantly affect the rights and interests of individuals in the system of the corresponding country/region is indicated; namely, (1) existence of rules which directly obligate the recipient of personal information, which was collected within the corresponding country/region, to retain such personal information within the corresponding country/region, or obligates the recipient of personal information to substantially retain such personal information within the corresponding country/region by imposing restrictions on carrying such personal information outside the corresponding country/region (system related to data localization), and (2) existence of rules which allow the government to access the personal data retained by private businesses or obligate private businesses to provide personal data to the government under laws for the purpose of enforcement of criminal laws and/or national security safeguards (system related to government access).
Please note that the information may not be the latest at present, as each country periodically updates the information related to the data privacy regulation. Please review the information on the data privacy regulations of foreign countries provided by the Personal Information Protection Commission of Japan. (Source: Personal Information Protection Commission of Japan)
South Korea (Link)
Germany (Link)
United States of America (Link)
Singapore (Link)
United Kingdom (Link)
Japan (Link)
Article 12 of the General Content above is inapplicable.
The following shall be added to Article 13 of the General Content above.
Article 14 of the General Content above is inapplicable.