Piccha

1. Significance of the Privacy Policy

The “Privacy Policy” refers to the guidelines that Piccha must follow to ensure that users' personal information is protected, allowing users to use the service with peace of mind. Piccha, operated by Moon Corporation (hereinafter referred to as “the Company”), collects, uses, and provides personal information based on users' consent, and strives to guarantee users' right to self-determination regarding their personal information. Piccha complies with privacy-related laws such as the “Personal Information Protection Act”, the “Act on Promotion of Information and Communications Network Utilization and Information Protection”, the “Telecommunications Privacy Protection Act”, and the “Telecommunications Business Act”, which must be adhered to by information and communications service providers.

2. Collection Items and Methods of Personal Information

Piccha collects the minimum amount of personal information necessary for providing services. During registration or throughout the use of the service, Piccha collects the minimum personal information required for providing the service through the website, individual applications, or programs, as detailed below.

[During Registration/Login]

Categories	Items
Email	Required: Email, Password, Membership Type, Mobile Phone Number, Name, Phone Number, Address Optional: Referral Source
Naver	Required: Naver account email Optional: Naver nickname and profile picture, birthdate, gender
Apple	Required: Apple account email Optional: Apple nickname, birthdate, gender
KakaoTalk	Required: Kakao account email Optional: Kakao nickname and profile picture, birthdate, gender
Google	Required: Google account email Optional: Google nickname and profile picture, birthdate, gender
Facebook	Required: Facebook account email Optional: Facebook nickname and profile picture, birthdate, gender

[Information Required During Service Use]

Nickname, gender, birthdate, SNS account address, photos, videos (including screenshots), audio information provided, captured, transmitted, streamed, and/or uploaded by the user during service use, short messages written by the user, posts written by the user, geographical information based on the user's network access, log data, cookies, location information, access information, IP address, device performance, bandwidth, service usage statistics (URL, redirect URL, etc.), network type, carrier information, device information (device type, model name, device ID, OS), error occurrence time and the status of the function and application in use at the time of the error, advertisement identifier, the user's service activity history, gift purchase and provision history, user interactions such as following other users, user report history, broadcast time, viewing time, etc. regarding each interaction between the user and the service or between the user and the company's website, device time zone, application version used by the user, user's device locale (country and language), location of user login (country, city), app store purchase history, card information and payment details, paid service usage, information and history related to purchases and refunds, languages available to the user, [Offline Quest Service] quest performance location, visit history, performance verification data (photos, videos, location information included). [Location-Based Services] GPS, Wi-Fi, and base station information used for the user's location.
※ If using the live streaming feature, Piccha will use the user's information for posting, transmitting, and broadcasting the live stream, which can be viewed not only by the user but also by non-member users through the web or third-party applications.

[When Participating in Support Events and Reward Programs(Optional)]

Copy of ID, full name, resident registration number, account information, email address

[When Contacting Customer Service(Optional)]

Phone Customer Service: Outgoing phone number

Web Customer Service: Email, mobile phone number

※ When contacting/reporting to customer service, the above information may be collected, and depending on the type of inquiry/report, additional personal information may be provided by the member.

3. Information Automatically Collected During Service Use

When using the PC web, mobile web/app, device information (OS, screen size, device ID, phone model, device model), IP address, cookies, and similar technologies (such as network beacons, flash cookies, etc.), visit date and time, fraudulent usage records, service usage history, and other information may be automatically generated and collected.

4. Purpose of Using Personal Information

Personal information is used solely for purposes related to the operation of the Piccha service (including mobile web/app), such as member management, development, provision, and improvement of services, building a secure internet environment, and developing new services. The minimum necessary personal information is collected through the homepage, individual applications, or programs during the membership registration or service usage process for the purpose of providing services, as follows

Confirming membership intention, age verification, user and legal guardian identity verification, user identification, confirming intent to withdraw membership, etc.
Service provision, handling inquiries or complaints, managing payment history for paid services, etc.
Taking measures to restrict usage for members violating laws or Piccha’s terms of service, preventing fraudulent activities, preventing actions that hinder smooth service operation, preventing account theft and fraudulent transactions, delivering notices such as terms and conditions updates, maintaining records for dispute resolution, processing complaints, etc., to protect users and operate the service.
Providing event information and opportunities to participate, providing advertising information such as new products, features, or services of Piccha, marketing and promotions, and business purposes.
Providing personalized services through the estimation of demographic characteristics, user interests, preferences, and tendencies.
Analyzing service usage history, frequency of access, and statistical data about service usage, building a service environment focused on privacy protection, and utilizing it to improve services.

5. Provision and Processing of Personal Information

Piccha may outsource the processing of personal information to third parties for the better provision of services, user convenience, and performing marketing tasks. For quest services, data is primarily managed internally by the company, and in some cases, it may be outsourced in a limited manner. Piccha regulates compliance with personal information protection laws, prohibits the processing of personal information for purposes other than the outsourcing work, and sets obligations for the third-party contractors to return or destroy personal information after processing is completed.

Outsourcing Company	Outsourced Task Description
Amazon Web Services Inc.	Information Storage and System Operation
Braze Inc.	Service usage behavior analysis and communication
AppsFlyer Ltd.	Service improvement and advertisement analysis
AWS Pinpoint	Service provision
Google Cloud Platform	Information storage and system operation
Google Analytics	Service usage behavior analysis
Google Firebase	Service usage behavior analysis
Facebook	Advertisement analysis
Tiktok Pte. Ltd.	Advertisement analysis
Apple search ads.	Advertisement analysis
Google Ads	Advertisement analysis
Twitter	Advertisement analysis
Google DV360	Advertisement analysis
Toss Payments (Toss Payments Co., Ltd.)	Payment processing (mobile phone, credit card, paper vouchers, and other payment methods)
Nice Information Service Co., Ltd.	Identity verification
Korea Mobile Certification Co., Ltd.	Service provision
SCI Evaluation Information Co., Ltd.	Adult verification and identity verification services
KG Inicis Co., Ltd.	Payment services and notification services

6. Overseas Transfer of Personal Information

Piccha complies with the following provisions regarding the overseas transfer of personal information

① Compliance with GDPR Articles 45 and Standard Contractual Clauses (SCC), and International Data Protection Regulations

Piccha conducts data transfers based on the EU-US Data Privacy Framework and strictly adheres to GDPR Articles 44-50.

② The purpose of the transfer, details about the data processors, the countries involved, and other related details are specified in this policy.

③ Users may request to access, correct, delete, or stop the processing of their data in relation to the overseas transfer. To do so, users should contact the person responsible for personal data protection. Refusal of consent may result in limitations on some services.

Recipient of Data (Contact)	Transfer Country	Transferred Personal Information	Purpose of Recipient	Retention and Use Period	Transfer Date and Method
Google Cloud Platform (googlekrsupport@google.com)	United States	All information collected during the service provision process	Information storage and system operation	When the purpose of use is achieved	Transferred frequently through the information and communication network during the membership registration and service provision process
Google Analytics (googlekrsupport@google.com)	United States	Device information, gender, age, IP address, location information, purchase history	Service usage behavior analysis
Google Firebase (googlekrsupport@google.com)	United States	Device information, gender, age, IP address, location information, purchase history	Service use behavior analysis
META (+82 2-6980-2500)	United States	Device information, device language, advertising identifier information, IP address, location information, access logs, purchase history, app activity history (including gender selection), carrier information	Advertising analysis
Tiktok Pte. Ltd. (business-servicesupport@tiktok.com)	Singapore	Device information, device language, advertising identifier information, IP address, location information, access logs, purchase history, app activity history, carrier information	Advertising analysis
Apple search ads (https://www.apple.com/kr/privacy/contact/)	United States	Device information, device language, advertising identifier information, IP address, location information, access logs, purchase history, app activity history, carrier information	Advertising analysis
Google Ads (kr-lcs-game@google.com)	United States	Device information, device language, advertising identifier information, IP address, location information, access logs, purchase history, app activity history (including gender selection), carrier information	Advertising analysis
Twitter (lcs_kr@twitter.com)	United States	Device information, device language, advertising identifier information, IP address, location information, access logs, purchase history, app activity history (including gender selection), carrier information	Advertising analysis
Google DV360 (googlekrsupport@google.com)	United States	Device information, device language, advertising identifier information, IP address, location information, access logs, purchase history, app activity history (including gender selection), carrier information	Advertising analysis
AppsFlyer Ltd. (privacy@appsflyer.com)	United States	Gender, country information, device language, access logs, and purchase history	Service improvement, advertising analysis
Cloudflare, Inc. (privacyquestions@cloudflare.com)	United States and other countries	All information collected during the service provision process	Information storage and system operation	up to 7 days

④ The company applies the following protective measures regarding the transfer of personal data abroad

When cooperating with third-party service providers listed in the table above, the company ensures that these providers comply with the GDPR by taking the following measures
- The company prioritizes working with providers located in countries that have received an adequacy decision from the European Union (EU).
- If cooperating with providers in countries without an adequacy decision (e.g., the United States), the company verifies whether the provider has obtained Standard Contractual Clauses (SCC) or EU-US Data Privacy Framework certification.
- The company explicitly includes personal data protection obligations in service agreements.
The company obtains explicit consent from users during the registration process regarding the transfer of personal data abroad.
The company transparently discloses the scope of personal data transferred abroad, the destination country, the recipient, and the purpose of use in this policy.
The company maintains documentation on protective measures related to international data transfers and provides additional information upon user request. Furthermore, the company has appointed a Data Protection Officer (DPO) responsible for data protection. Users may contact the DPO through the following details
- Name: Customer Service Team
- Email: help@piccha.app
- Contact: +82 70 4154 1737

7. Automated Decision-Making and Profiling

The company may use automated decision-making and profiling to deliver personalized advertisements, recommended content, and prevent abuse of the service. Users have the following rights concerning automated decision-making and profiling.

Right to Explanation: The right to be informed of the impact of automated decisions on their legal rights (GDPR Articles 13, 14, 22).
Right to Object and Refuse: The right to challenge the results of automated processing and request a decision made by a person (GDPR Article 22).
Right to Withdraw Consent: Users may refuse automated profiling and manage this through setting changes.

Users may exercise their rights by contacting the company’s customer service or the Data Protection Officer (DPO).

8. Retention and Destruction of Personal Information

[Retention and Usage Period of Personal Information]

Piccha retains and uses personal information for the following periods

Retained Items: Same as in Article 2 (Personal Information Collected)
Retention Basis: User's consent (however, pseudonymized information is retained as per relevant privacy laws)
Retention Period: As long as the membership is active (however, pseudonymized information will be retained until needed by the company)

Piccha will destroy personal information within 5 days after the expiration of the retention period or if the purpose of processing the information is achieved, such as when the service is discontinued or the business ends, or when the information is no longer needed. However, the following information will be retained for a certain period before being destroyed according to internal policies

Items necessary for service operation and protection of member rights
- Retention items: Email address provided by the member, mobile phone number, membership type, name, date of birth, organization name, records of fraudulent use of services
- Retention basis: Member's consent
- Retention period: 6 months after membership cancellation
In addition, personal information that must be retained for a certain period according to relevant laws and regulations is as follows: [Regarding location information, for details on the retention basis and period for location information collection, use, and provision, please refer to the personal location information use or provision section (Article 7, Section 3) of the Location-Based Service Terms of Use.]
- Records related to transactions under the Consumer Protection in Electronic Commerce Act
  - Records of contracts or withdrawal of application, etc.: 5 years
  - Records of payment and supply of goods (payment products, payment dates, payment amounts, etc.): 5 years
  - Records of consumer complaints or dispute resolution: 3 years
  - Records of labeling and advertisements: 6 months
- Records related to electronic financial transactions under the Electronic Financial Transactions Act: 5 years
- Records of service visits under the Communications Privacy Protection Act: 3 months
Additionally, under the “Personal Information Expiry System”, Piccha separates and stores the personal information of users who have not used the service for one year. Users who are subject to this separation are notified via their email address at least 30 days before the separation process based on the date of the separation. The separated personal information will be stored for 4 years and then destroyed without delay. The procedures and methods for destroying personal information are as follows
- Destruction Procedure : The information entered for membership registration, etc., will be stored for a certain period after the purpose is achieved and then destroyed according to internal policies and other related legal reasons (see retention and usage periods). Such information will not be used for any purposes other than those stipulated by law.
- Destruction Method : Personal information printed on paper will be shredded or incinerated. Personal information stored in electronic file format will be deleted using technical methods that render the records unrecoverable.

9. Protection of Children’s Personal Information

Piccha does not collect personal information from children under the age of 13. In exceptional cases where legal consent is required, the following additional procedures apply

Age verification
- Date of birth input and government-issued ID verification
Parental consent
- Written consent from the parent or legal guardian
- Additional verification procedures for consent
Legal Compliance
- Compliance with COPPA and GDPR Article 8
- Compliance with the Korean Child and Youth Protection Act

10. Consent and Protection for Location-Based Service Use

① The company obtains explicit consent from the user to provide location-based services.

② Location information is used solely for improving user experience, offering personalized services, providing quest services, and delivering advertisements.

③ Method of Collecting Location Information

Location is tracked based on GPS, Wi-Fi networks, and base station information

④ Location Information Retention Period

Retained for up to 6 months after service usage ends, then deleted

⑤ Location information is retained only for the period necessary to provide the service, and users can withdraw their consent at any time.

⑥ Provision of location information to third parties is done in accordance with legal requirements, and additional consent from the user is required.

11. Rights of Users or Their Legal Representatives and How to Exercise Them

Users or their legal representatives may request access and correction of the following
- The personal information that Piccha holds about the user
- Records of how Piccha has used or provided the user's personal information to third parties
- Records of the user's consent to the collection, use, or provision of personal information
Users may directly access or correct their information through the website or app operated by Piccha. They can also request access or correction by contacting the Data Protection Officer in writing, by phone, or via email.
Users have the right to request the deletion of personal information under certain conditions. The circumstances in which a deletion request may be made include
- When personal information is no longer needed for the collection purpose
- When the user withdraws consent (GDPR Article 7)
- When the user objects to the processing of their personal information (GDPR Article 21)
- When personal information is processed unlawfully
However, the company may refuse a deletion request in the following cases (GDPR Article 17, Section 3).
- When retention is necessary for compliance with legal obligations
- When data is required for research or statistical purposes for the public interest
- When data is necessary for establishing, exercising, or defending legal claims
Users or their legal representatives may withdraw their consent (cancel membership) at any time. Membership cancellation can be performed in the app under [Settings] - [Cancel Membership] after going through an identity verification process. Once consent is withdrawn, personal information will be deleted promptly after the processing purpose is fulfilled. Withdrawal of consent can be easily done within the app. It can also be done by contacting the Data Protection Officer in writing, by phone, or via email. However, even after withdrawal of consent (membership cancellation), minimal information may be retained according to applicable laws.

12. Right to Data Portability

Users have the right to request their personal data in a machine-readable format. The company will process data portability requests as follows

Data Portability Request Processing Time
- Processing will be completed within 30 days from the receipt of the request
Available Data Formats
- Data will be provided in internationally recognized machine-readable formats such as CSV, JSON, etc.
Request Method
- Users can easily make a request via the customer service section on the company’s website or app

13. Installation and Operation of Automatic Personal Data Collection Devices and Refusal of These Devices

Piccha uses “cookies” and similar technologies to store and retrieve user information. Cookies are files that contain information about internet usage, sent by the company’s server to the user’s device, which are stored on the user’s device.

[Purpose of Using Cookies]

To analyze the frequency of access, visit duration, preferences, and interests of both members and non-members. This helps in tracking user behavior, determining participation in events, and providing targeted marketing and personalized services.

[How to Refuse Cookie Installation]

Users have the right to choose whether to allow cookies. Users can configure their web browser to accept all cookies, be notified every time a cookie is stored, or refuse the storage of all cookies. However, refusing cookie installation may cause inconvenience when using the website and could hinder the use of certain services that require login.

[How to Set]

For Internet Explorer: Go to the browser’s top menu > Tools > Internet Options > Privacy
For Chrome: Go to the browser’s right menu > Show Advanced Settings at the bottom of the page > Content Settings under Privacy > Cookies
For Microsoft Edge: Go to the browser’s top menu > Settings > Cookies and Site Permissions > Manage and Delete Cookies and Site Data > Block Third-Party Cookies
For Safari: Go to the top left menu > Safari > Preferences > Privacy > Cookies and Website Data > Block All Cookies

14. Personal Data Protection Officer

Piccha has designated a Personal Data Protection Officer to safeguard members’ personal information and address any personal data-related complaints

Personal Data Protection Officer and Responsible Person: Younhong Ko
Phone Number: +82 70-4154-1737
Email: help@piccha.app

Users are encouraged to contact the Personal Data Protection Officer or the responsible department for any data protection-related complaints that arise while using the Piccha service.

15. Measures to Ensure the Safety of Personal Data

Piccha takes the necessary technical and managerial measures to ensure the safety of users’ personal data and prevent loss, theft, leakage, alteration, or damage.

Personal Data Encryption
Users’ personal data is protected by passwords, and critical data is protected through additional security features such as file and transmission encryption or file-locking functions.
Technical Measures Against Hacking and Other Threats
Piccha implements access control mechanisms to prevent the leakage or damage of users’ personal data due to hacking or computer viruses (e.g., SSL), and regularly updates antivirus programs to protect personal data from breaches.
Access Restriction to Personal Data Processing Systems
Piccha records the granting, modification, and deletion of access rights for those handling personal data and enforces necessary measures, including the following password creation rules
- Combine at least six and at most sixteen characters using
  - Upper and lower case letters
  - Numbers
  - Special characters
- Avoid easily guessable passwords, such as consecutive numbers, birthdays, phone numbers, or those resembling personal information
Training of Personnel Handling Personal Data
Regular training is provided to personnel handling personal data on new security technologies and privacy protection duties. The access rights are managed by assigning separate passwords to the relevant personnel and taking other management measures.
Account and Password Management
Users’ email accounts and passwords are intended for use only by the individual user. Piccha is not responsible for issues arising from personal carelessness that leads to the leakage of accounts, passwords, or other personal data, or from general internet risks. Users should change their passwords frequently and be particularly cautious to prevent the leakage of personal data when logging in on shared computers.

16. Record Retention for Legal Dispute Preparation

① The company retains related personal data and service usage records for a certain period, as required by law, in case of legal disputes.

② Users have the right to be informed that these records will be kept in accordance with the relevant laws and this Privacy Policy, and the records will be deleted once the legal requirements are fulfilled.

17. Changes to the Privacy Policy

Piccha will notify users of any changes to the Privacy Policy at least 7 days in advance via the homepage’s notice section. If significant changes are made, such as alterations to the personal data items collected or the purposes of use, notice will be provided at least 30 days in advance, and the changes will take effect after the 30-day period unless otherwise stated. Additionally, Piccha may obtain separate consent from users, as required by relevant laws.

18. Personal Data-related Complaints and Support Services

If users need to report or seek consultation on personal data infringements, they can contact the following organizations

Personal Data Infringement Reporting Center: 118 (no area code) (https://privacy.kisa.or.kr)
Personal Data Dispute Mediation Committee: 1833-6972 (https://www.kopico.go.kr)
Supreme Prosecutor’s Office Cyber Investigation Department: 1301 (no area code), cid@spo.go.kr(https://www.spo.go.kr)
National Police Agency Cybercrime Reporting System: 182 (no area code) (https://ecrm.cyber.go.kr/minwon/main)

19. Personal Data Breach Notification

① In the event of a personal data breach, the company will notify the affected users without delay of the following

The fact of the breach and the time of occurrence
The scope of the affected personal data
The company’s actions regarding the breach
Protective measures users can take

② Notification Method

Email, app push notifications, SMS, etc.
Notification will be completed within 72 hours

③ Legal Compliance

Compliance with GDPR Articles 33-34 and CCPA Section 1798.82

20. Miscellaneous

Any matters not specified in this Privacy Policy will be governed by the relevant laws and the Terms of Use of Piccha.

Effective Date of Privacy Policy: March 19, 2025