Article 1 (Overview)

TOUCH PLAY Corp. (hereinafter referred to as the "Company") values the protection of personal information and the respect for users' rights as its highest priority when providing mobile games and related services to users worldwide.

The Company complies with the Personal Information Protection Act of the Republic of Korea, as well as global privacy regulations including the General Data Protection Regulation (GDPR) of the European Union, the California Consumer Privacy Act (CCPA), Brazil's General Data Protection Law (LGPD), Japan's Act on the Protection of Personal Information (PIPA), Taiwan’s Personal Data Protection Act, and applicable privacy laws in Southeast Asia. Accordingly, the Company takes all necessary measures to ensure that users' personal data is handled safely and lawfully.

This Privacy Policy clearly explains how personal information is collected, used, stored, and shared during the use of the Company’s mobile games, websites, customer support, events, and other services. It also outlines the rights of users and how those rights may be exercised. Furthermore, it stipulates the Company’s commitment to addressing any concerns or complaints regarding personal data in a timely and appropriate manner.

This policy may be amended due to changes in applicable laws, international guidelines, or the Company’s internal policies. Any such changes will be announced through the Company’s official communication channels.

Article 2 (Personal Information Collected and Collection Methods)

The Company collects only the minimum necessary personal information required to provide services, fulfill legal obligations, respond to customer inquiries, prevent misuse, improve content, and conduct marketing. The types of personal information collected and methods of collection are as follows:

1. Upon account registration and linkage
• [Required] External platform account information: External platform ID (Google, Apple, Facebook, etc.)
• [Required] Nationality status (used for verifying legal age and youth protection)
2. Automatically collected information during use of game services
• [Required] Game and service usage data: Nickname, download history, login timestamps and logs, IP address, game version, payment history, in-game activity logs, records of misuse
• [Required] Device information: Device model name, operating system (OS), language setting, country information, device identifiers (e.g., UUID, device ID), advertising identifiers (GAID/IDFA), location information (country level)

This information may be automatically collected through the game client or SDK.

3. When using customer support services
• [Required] Basic information for inquiry handling: Email address, game title, game ID, UID, nickname
• [Optional] Additional verification information: Device information (OS, version, model), payment history, inquiry-related screenshots and logs
4. When requesting a refund or filing a payment-related complaint
• [Required] Identity verification and refund processing: Email address, game title, game ID, nickname
• [Optional] Documents for verifying minority status or payment method: Real name, family relationship certificate, mobile carrier subscription certificate, payment statements, etc.

If needed, separate notice and consent will be obtained before collection, and the data will be promptly destroyed after the purpose is fulfilled.

5. When participating in marketing, events, or promotions
• [Optional] Information for receiving marketing materials or prize delivery: Email address, phone number, mailing address (for SMS/prize delivery)

Marketing communications and advertisements are sent only to users who have provided prior consent.

6. Methods of collection
• When installing or launching the game app
• When linking or logging in through an external platform
• When submitting a customer support inquiry
• When entering a promotion or event
• Automatically during service usage (SDK, logs, cookies, etc.)

The Company does not collect sensitive personal information (e.g., race, religion, health information) without explicit user consent. The collected data will not be used beyond the purposes specified.

Article 3 (Purpose of Using Personal Information)

The Company uses the collected personal information only for the following purposes and does not use it beyond these purposes without obtaining the user’s prior consent:

1. User Management
• User identification, authentication, and account management
• Prevention of duplicate registration and verification of external platform linkage
• Prevention of policy violations and misconduct (e.g., hacking, abuse)
• Verification of minor status and execution of legal guardian consent process
• Identity verification and response in the event of disputes
2. Provision and Operation of Services
• Provision and storage of game content and data synchronization
• Support for multiplayer and community features (e.g., friend invitations, guilds)
• Response to user inquiries and customer support
• Delivery of service-related notices and announcements
• Confirmation of paid purchases, refund processing, and other transaction-related services
3. Development of New Services and Quality Improvement
• Statistical analysis and user feedback for service enhancement
• Updates and optimization of game features
• System error handling and bug fixes
4. Marketing and Event Operations (with user consent)
• Notification and verification for events, promotions, campaigns, etc.
• Sending promotional materials (SMS, email, push notifications)
• Delivery of prizes and handling of tax-related administrative matters
• Providing personalized content and targeted advertising based on online identifiers
5. Fulfillment of Legal Obligations and Dispute Resolution
• Compliance with domestic and international laws, regulations, and administrative requests
• Collection of necessary data for legal responsibilities and dispute handling

 

Article 4 (Retention and Use Period of Personal Information)

1. The Company retains and uses personal information for as long as the user maintains their status or until the purpose of collection and use has been fulfilled. If the user deletes their account or the information is no longer required, the data will be destroyed without delay.
   However, information may be retained for a certain period if specified for the following purposes:

Purpose of Retention	Data Retained	Retention Period
Response to customer disputes and prevention of misuse after service withdrawal	External platform ID, access records(including IP), download history, misuse records, device information	30 days
Event or promotion prize verification	UID, Nickname, etc.	Immediately deleted after winner announcement

2. Additionally, in accordance with applicable laws, certain information may be retained for the period specified below. This data is only used for the purposes stated and is securely destroyed after the retention period.

Data Retained	Legal Basis	Retention Period
Records of advertisement display	Act on Consumer Protection in Electronic Commerce	6 months
Records related to contracts or withdrawals	Electronic Transactions Act	5 years
Records of payments and supply of goods	Electronic Transactions Act	5 years
Records of consumer complaints or dispute resolution	Electronic Transactions Act	3 years
Communication fact confirmation data, such as access logs and access IPs	Protection of Communications Secrets Act	1 year (based on Korean law), subject to local regulations

3. For users in countries or regions with separate data protection laws, such as the European Union (EU), Brazil, and California, USA, their retention standards and periods may be adjusted according to the laws of that region. For example, under the GDPR, data is retained only for the minimum necessary period, and users may request access, correction, or deletion at any time.

 

Article 5 (Procedures and Methods for the Destruction of Personal Information)

1. The Company will promptly destroy personal information without delay once the retention period has expired or the purpose of processing has been achieved, in accordance with applicable laws.
   However, even if the user deletes the mobile game application (hereinafter referred to as "app"), if they do not request membership withdrawal or personal information deletion, the personal information will not be immediately destroyed and may be stored for a certain period in accordance with relevant laws and the personal information processing policy.
2. The Company’s procedures for the destruction of personal information are as follows:
• Personal information is classified as subject to destruction according to internal management policies at the time a reason for destruction occurs, and is destroyed immediately or after a certain grace period upon expiration of the retention period or achievement of the processing purpose.
• The relevant personal information is deleted without delay and without separate storage, except in cases stipulated by law, and is not used for any other purpose.
3. The methods of destruction are as follows:
• Electronic files: Data is permanently deleted using technical methods that prevent recovery (e.g., overwriting, secure deletion, encryption followed by deletion).
• Paper documents: Physical documents are destroyed using shredders or through incineration.
4. Users residing in certain jurisdictions, including the European Union (EU), Brazil, and California, may request the deletion of their personal data in accordance with local laws (e.g., GDPR, LGPD, CCPA). The Company will comply with such requests unless retention is required by law.
   Users may request deletion at any time via customer support or the designated Data Protection Officer.

 

Article 6 (Provision of Personal Information to Third Parties)

1. The Company processes personal information only within the scope described in Article 3 (Purpose of Using Personal Information) and does not disclose personal information to third parties without the user’s prior consent. However, exceptions apply in the following cases:
• When the user has provided explicit prior consent
• Where there are special provisions in the law, or to fulfill legal obligations
• When required by a court judgment, administrative order, or lawful request from law enforcement or a government agency
• Where it is inevitably necessary to prevent imminent danger to the life, body, or property of the user or a third party
2. In emergencies such as disasters, epidemics, or accidents, the Company may provide minimal personal information to authorities without the user’s prior consent, in accordance with relevant government guidelines (e.g., “Emergency Personal Information Handling and Protection Guidelines”). In such cases, the Company will handle the data lawfully and notify the user when feasible.
3. If the Company transfers personal data outside the country or shares it with a third party located in another country, it will take appropriate protective measures in accordance with applicable laws (e.g., GDPR, LGPD) and notify the user in advance to obtain consent where necessary.
4. The Company ensures that third-party recipients handle personal information securely. Where required, contractual obligations regarding data protection will be included in the service agreements.

Note: If any provision of data to a third party occurs, the Company will clearly inform the user of the recipient, the data items shared, the purpose of provision, and the retention period, and obtain separate consent if required.

In accordance with applicable laws, users have the right to access or withdraw their consent to the provision of their personal data to third parties at any time.

Article 7 (Outsourcing of Personal Information Processing)

1. The Company may entrust the handling of personal information to specialized service providers to ensure the safe and efficient provision of services. The Company properly manages and supervises its contractors to ensure compliance with personal data protection laws.
2. The current outsourcing arrangements are as follows:

Service Provider	Outsourced Task Description	Retention and Use Period
Amazon Web Services, Inc. (AWS)	Operation of global servers and storage of game data	Until termination of service or outsourcing agreement
Google Firebase	User authentication, cloud database, and push notifications	Until termination of service or outsourcing agreement
Tencent Cloud	Server infrastructure operation in China and other regions	Until termination of service or outsourcing agreement
Google LLC / Apple Inc.	App store operation, payment processing, and purchase tracking	As required by applicable laws and app store policies
Adjust GmbH	Advertising performance analysis and marketing tracking	Until withdrawal of consent or fulfillment of the purpose
Google AdMob	Delivery of personalized ads and revenue analysis	Until withdrawal of consent or fulfillment of the purpose
Oqupie	Operation of customer support system and inquiry handling	Until termination of service or outsourcing agreement

3. The Company includes the following safeguards in its contracts with data processors:
• Prohibition on the use of personal information for purposes other than the contracted services
• Implementation of technical and administrative safeguards
• Obligation to return or destroy personal data after contract termination
• Immediate notification and liability in the event of a data breach
4. Some of the subcontractors are located overseas. When transferring data internationally, the Company complies with relevant laws (e.g., the Personal Information Protection Act, GDPR, LGPD) and informs users of the following:
• Countries of transfer: United States (Google Firebase, Google LLC, AdMob, AWS, Adjust), China (Tencent Cloud)
• Timing and method of transfer: Real-time transmission at the time of service use via networks
• Purpose of transfer: Cloud operation, user authentication, advertising, and payment services
• Retention and use period: Until the purpose of outsourcing is achieved, service is terminated, or consent is withdrawn

 

Article 8 (Rights of Users and Legal Representatives and How to Exercise Them)

1. Users may exercise the following rights regarding their personal data at any time. In the case of users under the age of 14, their legal guardian holds the same rights on their behalf:
• Request access to personal data (of self or a minor)
• Request correction or deletion of personal data
• Request suspension of personal data processing
• Withdraw consent for receiving marketing communications
• Request full account deletion and erasure of personal data
• Request data portability (applicable under certain laws such as the GDPR and LGPD)
2. These rights can be exercised through the following channels, and the Company will promptly respond after verifying the user’s identity:
• Email inquiry: touchplay@tp.co.kr
• In-app customer support or settings menu
• Inquiry form or customer service on the official website
• Any other official methods provided by the Company
3. If a request is made through a legal representative, the Company may require documentation proving the representative relationship (e.g., certificate of family relationship) and will proceed once the request is verified as legitimate.
4. The exercise of rights may be restricted in the following cases under relevant laws:
• If access or suspension of processing is restricted under Article 35(4) or Article 37(2) of the Personal Information Protection Act
• Where deletion is not possible because the preservation of personal information is stipulated by other laws
• If exercising the rights would likely infringe on the rights of a third party
5. Users residing in jurisdictions such as the European Union (EU), Brazil, or the state of California in the United States may also have specific rights under local laws, including the right to data portability, objection to automated processing, and the right to lodge a complaint with a supervisory authority.

Users or their legal representatives may request updates on the status or results of their rights-related requests, and the Company will make every effort to support these rights to the fullest extent.

 

Article 9 (Measures to Ensure the Security of Personal Information)

The Company implements the following administrative, technical, and physical safeguards to ensure that users' personal information is not lost, stolen, leaked, altered, or damaged, in accordance with applicable laws:

1. Administrative Safeguards
• Establishment and implementation of an internal management plan for personal data protection
• Regular security training for personal information handlers and employees
• Minimization of access privileges to personal data
• Storage of personal information handling records and internal audits
2. Technical Safeguards
• Access permission management and two-factor authentication application for personal information processing systems, etc.
• Measures to store access logs and prevent forgery or alteration
• Installation and maintenance of up-to-date antivirus/security programs on all company PCs and servers
• Application of encryption technology (passwords, authentication information, etc.)
• Operation of firewalls and intrusion detection systems (IDS) to prevent external intrusion
3. Physical Safeguards
• Access control to server rooms and information storage facilities
• Secure storage and destruction of documents and media (e.g., USB drives) with personal data
• Logging and monitoring of physical access to server infrastructure

The Company maintains an internal incident response system to swiftly address any security breaches and protect user data.

 

Article 10 (Matters concerning the installation, operation, and refusal of automatic personal information collection devices)

1. The Company allows for the automatic collection of user behavior information through the SDK or technology of online targeted advertising businesses, based on data such as user's website visit history and app usage patterns, to provide targeted advertising and statistical analysis services.
2. The Company itself does not use web browser-based cookies, and automatically collected behavior information is collected through external advertising partners or analytical tools.

[Behavioral Information Collection Notice]

• Data Collectors: Google, Facebook, AdMob, and other online advertising service providers
• Collected Items: App usage history, access time, search keywords, content interactions, ad impressions and responses, advertising identifiers (e.g., ADID, IDFA)
• Collection Method: Automatically collected when the app is launched or when ads are viewed or clicked
• Purpose: Providing personalized advertising, user interest-based marketing, analysis for service improvement

3. The Company and its advertising partners may analyze users’ behavior to provide targeted advertisements. This is based on anonymized or pseudonymized data and does not directly identify individual users.
4. Users can disable the collection of advertising identifiers or opt out of personalized ads through the following methods:

How to Disable Advertising Identifiers:

• Android:
• Settings > Google > Ads > Opt out of Ads Personalization
• or Settings > Privacy > Ads
• iOS:
• Settings > Privacy > Tracking > Disable "Allow Apps to Request to Track"
• or Settings > Privacy > Apple Advertising > Turn off Personalized Ads

Note: The specific path may vary depending on OS or device version.

5. Even if you disable the advertising identifier, general ads may still be displayed, and only personalized ads will not be provided.

If any automatically collected data is combined with personal information that can identify an individual, the Company will obtain explicit consent in accordance with applicable laws prior to processing such information.

 

Article 11 (Personal Information Protection Officer and Contact Information)

The Company designates a Personal Information Protection Officer and a department in charge of personal information protection, as follows, in order to protect user's personal information and smoothly handle inquiries, complaints, and damage relief related to personal information, etc.

■ Personal Information Protection Officer (Data Protection Officer, DPO)

• Name: Hyunseok Choi
• Department: Business Strategy Office
• Email: touchplay@tp.co.kr
• Phone: +82-10-9400-4374

■ Personal Information Protection Department

• Department Name: Customer Support Team
• Email: touchplay@tp.co.kr
• Business Hours: Weekdays 10:00 AM – 6:00 PM (KST, excluding public holidays)

Users may contact the above personnel or department for any inquiries or requests related to the protection of their personal data, including access, correction, deletion, and suspension of processing. The Company will respond sincerely and promptly to all user requests.

Users in the European Union (EU) or other countries where data protection laws apply can make inquiries through the designated DPO or local representative in accordance with the regulations of that region, and can directly file a complaint with the supervisory authority if necessary.

Article 12 (Remedies for Infringement of Rights)

1. Users may request consultation or dispute resolution from the institutions below to seek relief for damages caused by personal information infringement.
   Furthermore, if they disagree with the company's processing of personal information, they may file a complaint with the supervisory authority in the relevant country.

For users residing in the Republic of Korea:

• Personal Information Infringement Report Center (operated by Korea Internet & Security Agency)
• Website: https://privacy.kisa.or.kr
• Phone: 118 (no area code)
• Personal Information Dispute Mediation Committee
• Website: https://www.kopico.go.kr
• Phone: 1833-6972
• Supreme Prosecutors’ Office Cyber Investigation Division
• Website: http://www.spo.go.kr
• Phone: 1301
• KNPA (Korean National Police Agency) ECRM
• Website: http://ecrm.cyber.go.kr

For users residing in the European Union (EU):

• Users may file complaints with the data protection authority (DPA) in their country or region of residence (e.g., CNIL in France, BfDI in Germany, DPC in Ireland).

For users in Brazil:

• ANPD (Autoridade Nacional de Proteção de Dados)
• Website: https://www.gov.br/anpd

For users in the State of California, USA:

• California Attorney General’s Office
• Website: https://oag.ca.gov/privacy

2. If a dispute or request related to personal information arises, the Company will make every effort to resolve the issue quickly and sincerely. Users may contact the Customer Support Team or the Personal Information Protection Officer to check the progress and results of their case.

 

Article 13 (Changes to the Privacy Policy)

1. The Company may amend this Privacy Policy in accordance with relevant laws, policies, or changes to its services. When changes are made, the Company will clearly indicate the details and effective date of the changes and provide prior notice to users.
2. Notification of changes to the Privacy Policy will be made through one or more of the following methods:
• Posting in the notices section of the official website or within the game app
• In-app pop-up notifications or messages
• Email or push notifications, if consented by the user
3. The changed personal information processing policy will take effect 7 days after the date of announcement, unless there are special circumstances. However, matters related to significant changes in user rights or strengthening of obligations will be announced 30 days prior to enforcement.
4. If a user does not agree to the revised Privacy Policy, they may discontinue the use of the service and delete their account. If the user continues to use the service without explicitly expressing disagreement, the Company will regard this as consent to the revised policy.

The Company maintains a record of changes to the Privacy Policy and ensures that previous versions remain accessible to users.

 

(California Consumer Privacy Act – CCPA Notice)

This appendix applies only to users residing in the State of California.

Under the California Consumer Privacy Act (CCPA), users residing in California have the following rights:

1. Notice Regarding the Collection and Use of Personal Information

The Company collects and processes personal information as described in Article 2 (Categories of Personal Information Collected and Method of Collection) and Article 3 (Purpose of Using Personal Information), for the following purposes:

• Providing and operating the service
• User support and troubleshooting
• Advertising and marketing performance analysis (based on user consent)
1. User Rights

California residents may exercise the following rights:

• Request to access the categories of personal information collected and the history of use
• Request for deletion of personal information
• Request to opt-out of the sale or sharing of personal information ("Do Not Sell or Share My Personal Information")

The Company does not sell users’ personal information as defined under the CCPA. If any data is shared with third parties, the Company will obtain prior consent in accordance with the law.

3. How to Exercise The Rights

To exercise any of the CCPA rights, users may contact the Company through the following methods:

• Email: touchplay@tp.co.kr
• Customer Support: In-app inquiry or the official website

The Company will complete the verification process and respond within a reasonable timeframe as prescribed by applicable law.

This appendix is for the purpose of additional notice under CCPA and applies in conjunction with this Personal Information Processing Policy.

 

Effective Date

This Privacy Policy is effective as of May 13, 2025.

• Date of Announcement: May 13, 2025
• Date of Enforcement: May 13, 2025