Devsisters Corp. (the “Company”) values the protection of users’ personal information and complies with all applicable data protection laws and regulations. This Privacy Policy explains how personal information is collected, used, and protected, and how related concerns are handled promptly and efficiently.

1. Categories of Personal Information Collected and Methods of Collection

1). Categories of Personal Information Collected (Without User Consent)

| Legal Basis | Purpose of Collection | Data Collected | Retention and Use Period |
| --- | --- | --- | --- |
| Article 15(1)4 of the Personal Information Protection Act (Execution and Performance of Contract) | Product delivery | Recipient name, shipping address, contact information | Destroyed after withdrawal from membership, upon completion of delivery work |
| Article 15(1)4 of the Personal Information Protection Act (Execution and Performance of Contract) | Cash settlement | Account holder name, bank name, account number | Destroyed after withdrawal from membership, upon completion of settlement work |
| Article 15(1)2 of the Personal Information Protection Act (Special provisions under law), Article 160-2 of the Income Tax Act | Payment of taxes and charges | Resident registration number, copy of identification | 5 years in accordance with applicable laws |

2). Categories of Personal Information Collected (With User Consent)

| Legal Basis | Purpose of Collection | Data Collected | Retention and Use Period |
| --- | --- | --- | --- |
| Article 15(1)1 of the Personal Information Protection Act (Consent) | Service registration and identity verification | Name, channel URL, email address, mobile phone number | Until the withdrawal of membership |
| Article 15(1)1 of the Personal Information Protection Act (Consent) | Customer support (inquiries/responses) | Email address, inquiry details | 3 years in accordance with applicable laws |

※ (Google API Policy) The Company complies with the Google API Services User Data Policy, including the Limited Use requirements, when using and transferring information received from Google APIs.

The Company uses data collected through Google APIs only within the scope of user consent and does not sell such data to third parties or use it for advertising or other commercial purposes.

2. Purpose of Processing Personal Information

The Company processes personal information for the following purposes. Personal information will not be used for purposes other than those specified below. If the purpose of use changes, the Company will take necessary measures, such as obtaining additional consent, in accordance with applicable laws.

  • Review of eligibility for the CookieRun Creator Family Program and provision of content and verification services
  • Securing communication channels for delivering notices and updates
  • Product delivery, tax processing, and cash settlement through Point-based rewards
  • Handling user inquiries, resolving disputes, and providing customer support

3. Retention and Use Period of Personal Information

The Company retains and processes personal information for the retention period agreed to by the user at the time of collection, or as required by applicable laws.

  • Service usage records
    • Purpose: Management of withdrawn users, prevention of fraudulent use, and dispute resolution
    • Retention period: 1 month from account withdrawal

Retention in Accordance with Applicable Laws:

| Category | Legal Basis | Retention Period |
| --- | --- | --- |
| Records of access logs | Protection of Communications Secrets Act | 3 months |
| Records related to advertising and labeling | Act on Consumer Protection in Electronic Commerce | 6 months |
| Records of consumer complaints or dispute resolution | Act on Consumer Protection in Electronic Commerce | 3 years |
| Records of contracts or withdrawal of offers | Act on Consumer Protection in Electronic Commerce | 5 years |
| Records of payment and supply of goods | Act on Consumer Protection in Electronic Commerce | 5 years |
| Records related to tax obligations | Framework Act on National Taxes, Income Tax Act | 5 years |

Upon request, the Company will allow users to access and review their personal information without delay.

4. Destruction of Personal Information

The Company will promptly destroy personal information when it is no longer necessary due to the expiration of the retention period, the fulfillment of the processing purpose, or the withdrawal of consent.

If personal information must be retained in accordance with applicable laws even after the purpose has been fulfilled, such information will be stored separately or in a different database.

Destruction Procedures and Methods:

  • Procedure: The Company selects personal information subject to destruction and proceeds accordingly

  • Method:

    • Electronic data: permanently deleted to prevent recovery
    • Paper records: shredded or incinerated

5. Entrustment of Personal Information Processing

To ensure efficient service provision and operation, the Company entrusts certain tasks as follows:

| Service Provider (Entrusted Party) | Scope of Entrusted Work |
| --- | --- |
| Hanbom Studio | Operation and maintenance of the Creator Family website/platform system |
| Korea Post (Postal Service) | Product delivery |

When entering into entrustment agreements, the Company specifies in contracts or other written documents, in accordance with Article 26 of the Personal Information Protection Act, matters concerning the prohibition of processing personal information for purposes other than the entrusted tasks, technical and administrative safeguards, restrictions on re-entrustment, supervision and management of the entrusted party, and liability, including damages.
The Company supervises and monitors entrusted parties to ensure that personal information is processed safely.
If there are any changes to the entrusted parties or the scope of entrusted work, such changes will be disclosed without delay through this Privacy Policy.
For cases in which personal information processing is entrusted to overseas entities, please refer to Section 6 (Cross-Border Transfer of Personal Information).

6. Cross-Border Transfer of Personal Information

To provide seamless services, the Company entrusts the processing of users’ personal information to overseas service providers as follows:

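| Legal Basis | Recipient | Purpose of Transfer | Data Transferred | Country of Transfer | Timing and Method of Transfer | Timing and Method of Transfer |
| --- | --- | --- | --- | --- | --- | --- |
| Article 28-8(1)3 of the Personal Information Protection Act (Necessary for contract performance with the data subject) | Amazon Web Services Inc. (https://aws.amazon.com/ko/contact-us/) | Service registration and identity verification | Name, channel URL, email address, mobile phone number | United States | Transferred via real-time database synchronization upon service registration | Until completion of the settlement process after account withdrawal |
| Article 28-8(1)3 of the Personal Information Protection Act (Necessary for contract performance with the data subject) | Amazon Web Services Inc. (https://aws.amazon.com/ko/contact-us/) | Cash settlement | Account holder name, bank name, account number | United States | Transferred via real-time database synchronization upon service registration | Until completion of the settlement process after account withdrawal |
| Article 28-8(1)3 of the Personal Information Protection Act (Necessary for contract performance with the data subject) | Amazon Web Services Inc. (https://aws.amazon.com/ko/contact-us/) | Product delivery | Recipient name, shipping address, contact information | United States | To be specified | Until completion of the settlement process after account withdrawal |
| Article 28-8(1)3 of the Personal Information Protection Act (Necessary for contract performance with the data subject) | Zendesk Inc. (https://www.zendesk.kr/company/contact-info/#georedirect) | Customer support (inquiries/responses) | Email address | Ireland | Transferred via real-time database synchronization during customer support | 3 years from the completion of customer support |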

Users may refuse cross-border transfer by contacting the Company. However, refusal may result in limitations on certain services.

7. User Rights and Methods of Exercise

Users may exercise their rights at any time with respect to the Company, including requests for access, correction, deletion, suspension of processing of their personal information, and withdrawal of consent.

※ Users who are minors aged 14 or older may exercise their rights regarding their personal information either directly or through their legal representatives.

Rights may be exercised by submitting a written request, via email, or through other available means to the Personal Information Protection Officer. Upon receiving such a request, the Company shall take the necessary measures within ten (10) days of receipt and notify the user of the results.

Rights may also be exercised through a legal representative or an authorized agent. In such cases, a power of attorney in the form prescribed under Appendix Form No. 11 of the “Notice on the Methods of Processing Personal Information” must be submitted.

Requests for access to personal information, suspension of processing, or withdrawal of consent may be restricted pursuant to Article 35(4) and Article 37(2) of the Personal Information Protection Act.

If a user requests correction of errors in their personal information, the Company shall not use or provide such personal information until the correction is completed. If incorrect personal information has already been provided to a third party, the Company shall promptly notify the third party of the correction results so that the necessary corrections can be made.

Requests for correction or deletion of personal information may not be granted where such information is required to be collected under other applicable laws and regulations.

Personal information that has been terminated or deleted at the request of the user or their legal representative shall be processed in accordance with Section 4 (Retention and Use Period of Personal Information) and shall not be accessed or used for any other purpose.

The Company shall verify whether the person making a request for access, correction, deletion, suspension of processing, or withdrawal of consent is the user or a duly authorized representative.

8. Installation, Operation, and Refusal of Automatic Data Collection Devices

The Company uses “cookies” to store and retrieve user information in order to provide personalized services and a more convenient website experience.

Cookies are small pieces of data that the (HTTP) server used to operate the website sends to the user’s browser, and they may be stored on the user’s computer hard drive. Refusing to store cookies may result in difficulties in using certain services.

(1) Purpose of Use of Cookies: Cookies are used to analyze users’ service and website usage patterns (such as visit time, frequency of visits, and access frequency), as well as users’ preferences and areas of interest, in order to provide optimized information and services.

(2) Installation, Operation, and Refusal of Cookies: Users have the right to choose whether to allow the installation and collection of cookies. Accordingly, users may refuse to store cookies by adjusting their web browser settings.

How to Manage Cookie Settings

  • Web Browsers (Allow/Block Cookies)

    • Chrome: Click the “⋮” icon in the upper-right corner of the browser > Open a New Incognito Window (Shortcut: Ctrl+Shift+N)
    • Edge: Click the “...” icon in the upper-right corner of the browser > Open a New InPrivate Window (Shortcut: Ctrl+Shift+N)
  • Mobile Browsers

    • Chrome: Tap the “⋮” icon in the upper-right corner of the mobile browser > Open a New Incognito Tab
    • Safari: Device Settings > Safari > Advanced > Block All Cookies
    • Samsung Internet: Tap the “Tabs” icon at the bottom of the mobile browser > Turn on Secret Mode > Start

※ For other browsers, please refer to the respective browser settings.

9. Measures to Ensure the Security of Personal Information

In processing users’ personal information, the Company implements the following measures in accordance with the Personal Information Protection Act and its subordinate statutes to ensure that personal information is not lost, stolen, leaked, altered, or damaged:

  • Administrative Measures: Establishment and implementation of internal management plans, operation of dedicated organizations, and regular employee training
  • Technical Measures: Access control for personal information processing systems, installation of access control systems, encryption of personal information, and installation and regular updates of security programs
  • Physical Measures: Access control to facilities such as data centers and document storage rooms

In addition to the measures required by applicable laws and regulations, the Company also implements the following:

  (1) One-way Encryption of Passwords

    • The Company does not collect users' passwords from affiliated platforms for the provision of services.
  (2) Measures Against Hacking and Other Threats

    • The Company installs and operates security systems to prevent unauthorized external access and protect against hacking and other cyber threats. In particular, servers that store users’ personal information are managed separately and are not directly connected to external internet lines, maintaining a high level of security.
      The Company also maintains backup systems for data and infrastructure in preparation for unforeseen circumstances and uses antivirus programs to prevent damage from computer viruses. These programs are regularly updated, and when new threats emerge, updates are applied promptly to prevent breaches of personal information.
  (3) Restriction and Training of Personnel

    • The Company limits access to personal information to a minimum number of authorized personnel and provides regular training to ensure compliance with this Privacy Policy.
  (4) Operation of a Dedicated Personal Information Protection Organization

    • The Company operates an internal organization dedicated to personal information protection, which regularly reviews compliance with this Privacy Policy and monitors responsible personnel. If any issues are identified, corrective actions are taken immediately. However, the Company shall not be liable for any issues arising from the leakage of personal information (including account IDs, passwords, nicknames, or email addresses) due to the user’s own negligence or internet-related problems, including those related to affiliated platforms.
  (5) Access Control and Log Retention

    • The Company periodically reviews access rights and securely maintains access logs.

10. Personal Information Protection Officer and Responsible Department

The Company designates a Personal Information Protection Officer and operates a responsible department as set forth below to oversee all matters related to the processing of personal information, including handling user complaints and providing remedies for damages.

Users may contact the Personal Information Protection Officer or the responsible department regarding any inquiries, complaints, requests for remedies, or requests for access related to personal information arising from the use of the Company’s services. The Company will respond to such inquiries promptly and in good faith.

| Personal Information Protection Officer | Department for Access Requests and Complaint Handling | Email | Phone | Fax |
| --- | --- | --- | --- | --- |
| Soonho Kwon (Head of Risk Management Division) | Information Security Cell, Risk Management Division | privacy@devsisters.com | 1899-3674 | 02-2148-0626 |

11. Remedies for Infringement of Rights

Users may apply for dispute resolution or consultation regarding personal information infringement to the following organizations:

  • Personal Information Dispute Mediation Committee: (without area code) 1833-6972 (www.privacy.go.kr)
  • Personal Information Infringement Report Center: (without area code) 118 (privacy.kisa.or.kr)
  • Supreme Prosecutors’ Office Cyber Investigation Division: (without area code) 1301 (www.spo.go.kr)
  • National Police Agency Cyber Bureau: (without area code) 182 (ecrm.police.go.kr)

12. Amendments to the Privacy Policy

This Privacy Policy shall take effect on March 26, 2026.

In the event of any changes to this Privacy Policy, the Company will notify users of such changes at least seven (7) days prior to the effective date through the Company’s website or applications provided by the Company.

Announcement Date of this Privacy Policy: March 27, 2026
Effective Date of this Privacy Policy: March 27, 2026