1. Significance of the Privacy Policy

STUCKPIXEL (hereinafter referred to as "the Company") collects users' personal information to provide Lucky Upgrade (hereinafter referred to as "the Service").
The Company highly values users' personal information and complies with the personal information protection regulations under the relevant laws, including the Personal Information Protection Act, that information and communication service providers must follow.
Through this Privacy Policy, the Company informs users of how the personal information they provide is used and what measures are taken to protect their privacy.
The Company makes this Privacy Policy easily accessible to users by publishing it on the following site: ‘https://sites.google.com/view/luckyupgrade/lucky_upgrade_kr’.
When the Company revises the Privacy Policy, it will notify users via email and in-game notices seven days prior to the effective date, and it will be enforced after the seven-day period. However, if there are significant changes such as the purposes for collecting and using personal information or third-party sharing, the Company will notify users 30 days in advance, and the revised policy will take effect after the 30-day period. The Company informs users of the revised policy via in-game notices and ensures that users can easily recognize the changes.

2. Personal Information Collected

The Company collects only the information necessary to provide basic services during the account registration process, service usage, product payment processes, and customer support. (Users may refuse to provide personal information; however, refusal to provide personal information may result in limited or restricted access to some or all services.) The information users directly provide to the Company during account registration includes:

• Email, password, CI (Connecting Information) The information the Company automatically collects during service usage includes:

• Data related to friends and guilds generated during interactions with other users

• Data related to content consumed, features used, and user behavior during service usage

• Data generated during in-app purchases, including order numbers, product names, payment amounts, payment methods, and payment dates

• Device-related data such as OS, hardware version, software version, browser type, device ID, language, IP address, cookies, and store information The information collected when contacting customer support includes:

• Email address, purchased product name, and purchase date

The Company collects personal information through the following methods:

• When users agree to the collection of personal information during account registration or service usage and enter their information directly.

• During customer support consultations via web pages, emails, or phone calls.

• During offline events, seminars, etc., where personal information is collected through separate consent forms.

• Device information may be automatically generated and collected during the use of PC web, mobile web/app. (Users have the option to manage cookies, allowing them to accept all cookies, be notified when cookies are saved, or refuse all cookies through their web browser settings. However, refusing cookies may cause inconvenience when using certain services that require login.)

3. Use of Collected Personal Information

The Company uses personal information solely for the purposes outlined below, including user management, service development and improvement, and the creation of a safe internet environment:

• To verify the intent to register, confirm age and legal representative consent, verify the identity of users and legal representatives, identify users, and confirm the intent to cancel membership for user management.

• To provide personalized services based on demographic analysis, analysis of service visits and usage records, and relationships formed between users based on personal information and interests, in addition to providing existing services (including advertisements).

• To limit the use of services for users who violate laws or terms of service, prevent and sanction behaviors that interfere with smooth service operation, prevent account theft and fraudulent transactions, deliver notifications such as amendments to terms of service, preserve records for dispute resolution, and protect users and operate the service.

• To authenticate users, process payments, and deliver products and services for paid services.

• With separate consent, to provide event information, participation opportunities, personalized advertising, and promotional information for marketing purposes.

• To analyze service usage records and access frequency, compile statistics on service usage, and provide customized services based on service analysis and statistics.

• To ensure a secure service environment so that users can use the service with peace of mind regarding security, privacy, and safety.

The Company may process collected personal information for purposes such as statistical analysis, scientific research, and public record preservation by anonymizing the data to prevent identification of specific individuals. In this case, anonymized information will be stored and managed separately from additional information to prevent re-identification, and necessary technical and managerial protection measures will be taken.

4. Provision (Sharing) and Delegation of Personal Information

The Company uses users' personal information only within the scope notified under the “Purpose of Collection and Use of Personal Information,” and does not use it beyond this scope, or provide or share it with third parties or other organizations without the prior consent of the user. However, the following cases are exceptions:

When Delegating Personal Information-Related Tasks

For the purpose of providing more convenient and enhanced services, the Company delegates certain tasks to external parties. When entering into a delegation contract, the Company specifies in documents such as the contract that the delegate is prohibited from processing personal information beyond the purpose of fulfilling the delegated tasks, and that they must establish and implement technical and managerial measures for the protection of personal information as outlined in Article 7. Additionally, it includes clauses that limit re-delegation, manage and supervise the delegate, and stipulate the delegate’s liability, including compensation for damages. The Company also monitors whether the delegate safely handles personal information. If the user does not use services related to the delegated tasks, the user’s personal information will not be provided to the delegate.

When necessary for fee settlement related to service provision

When the user has given prior consent
When a user violates the Company’s terms of use or policies and operational guidelines, and legal actions are required based on related laws or for investigative purposes in accordance with the procedures and methods prescribed by law
When there are specific provisions in the law, or if requested by a court, investigative agencies, or other administrative bodies for investigative purposes following legal procedures and methods

5. Destruction of Personal Information

Users’ personal information is destroyed (deleted) when the purpose of collecting or providing the personal information is achieved. When a user withdraws from membership or receives ID deletion due to false information, the collected personal information is completely destroyed and cannot be used for any purpose. However, to prevent unwanted withdrawal due to identity theft, the withdrawal will be completed within 7 days of the request, and the information will be completely deleted from the Company’s member information database (DB) within 7 days from the point of withdrawal. Information that must be retained in accordance with relevant laws is exempt.
Additionally, copies of identification documents received for identity verification in the event of disputes such as identity theft will be destroyed immediately after the verification process. Information regarding legal representatives of children and teenagers under 18 will be destroyed once the child reaches adulthood or when the child's personal information is destroyed due to membership withdrawal.
Personal information is destroyed immediately upon achieving the purpose of its collection and use, but in the following cases, it may be retained for the specified period and will not be used for any other purpose:
a. Personal information of users who have disrupted the service through improper use may be retained for one year for investigative purposes or to protect other members.
b. Personal information of users who request withdrawal can be retained for 7 days for management and customer support purposes.
c. If necessary, according to related laws, the Company may retain members' personal information for a certain period after achieving the purpose of collection and use:
i. Records regarding contracts or withdrawal of offers: 5 years (Consumer Protection Act in Electronic Commerce)
ii. Records of payment and supply of goods: 5 years (Consumer Protection Act in Electronic Commerce)
iii. Records regarding consumer complaints or disputes: 3 years (Consumer Protection Act in Electronic Commerce)
iv. Records of advertisements and promotions: 6 months (Consumer Protection Act in Electronic Commerce)
v. Retention of access records: 3 months (Protection of Communications Secrets Act)

6. Rights of Users and Legal Guardians, and How to Exercise Them

Users or their legal guardians can view, check, or modify their personal information at any time through the “Game Settings” within the game and may request withdrawal or deletion of personal information through the same settings. However, if the personal information necessary for service provision is deleted, the user may not be able to receive the relevant services.
Users or their legal guardians may withdraw consent to the provision of personal information (membership withdrawal) at any time. To withdraw consent, users can submit a withdrawal request via the game app at “officialstuckpixel@gmail.com.” The personal information will be deleted within 7 days from the completion of the withdrawal request. Users can also view or modify their registered personal information and exercise their rights as specified by law. In the event of withdrawal, any related information generated or accumulated while using the Company's services may also be destroyed.
When a user or legal guardian requests the correction or deletion of their personal information, the Company will take necessary actions without delay after confirming the user’s identity. In the event of usage restrictions in accordance with the terms of use, the Company may delete user IDs and other personal information under the judgment of the person responsible for data protection.
Users or their legal guardians can request access or correction of their personal information after confirming their identity.
If a correction is requested for inaccurate personal information, it will not be used or provided until the correction is completed. If inaccurate information has already been provided to a third party, the Company will notify the third party without delay to make the necessary corrections.
The Company handles personal information deleted or withdrawn by users or legal guardians in accordance with the "Retention and Usage Period of Personal Information" specified above, and ensures that the information is not accessed or used for other purposes.

Processing of Personal Information of Children Under the Age of 14

a. When collecting personal information of children under the age of 14, the Company obtains the consent of the legal guardian and collects only the minimum personal information necessary for providing the service.
i. Required items: Legal guardian’s name, relationship, contact information
b. Additionally, if collecting personal information of children for purposes such as service management, service development, provision, improvement, or the creation of a safe internet environment, the Company will obtain separate consent from the legal guardian.
c. When collecting personal information from children under 14, the Company may request the minimum necessary information, such as the legal guardian's name and contact information, and verify the legal guardian's consent through one of the following methods:
i. Displaying the consent form on a website and verifying the consent through a text message sent to the legal guardian's phone
ii. Requesting credit card or debit card information from the legal guardian to verify consent through a website
iii. Verifying consent by authenticating the legal guardian through mobile phone identification or similar methods
iv. Issuing a written consent form to the legal guardian in person or via mail/fax, with the guardian returning the signed form
v. Sending the consent form via email and receiving a reply email indicating the guardian's consent
vi. Calling the guardian to inform them of the consent content and verifying consent through a follow-up call or providing a web address where the guardian can review the consent details
vii. Using methods equivalent to the above to inform and confirm the guardian's consent

7. Technical and Managerial Measures for the Protection of Personal Information

Technical Measures

a. The Company installs security programs to prevent personal information from being leaked or damaged due to hacking or computer viruses, and updates and inspects them regularly. Systems are installed in zones restricted from external access, and technical/physical monitoring and blocking are implemented.
b. Users’ passwords are encrypted and stored, allowing only the user to know them. Important data is encrypted or protected using file-locking functions for added security.
c. The Company stores and manages access records to the personal information processing system for at least one year. If the Company processes the personal information of more than 50,000 data subjects or handles unique identifiers or sensitive information, it retains access records for at least two years. Additionally, security features are used to prevent access records from being tampered with, stolen, or lost.
d. Access rights are restricted for unauthorized IP addresses, and access to the Company’s servers from outside the internal network is blocked. Measures such as port restriction are in place to ensure system security.

Managerial Measures

a. The Company designates employees responsible for handling personal information and limits access to only those responsible, ensuring personal information management.
b. Regular internal and external training is conducted for employees handling personal information on new security technologies and obligations related to personal information protection.
c. The Company takes necessary actions to control access to personal information by granting, changing, or removing access rights to the database system that processes personal information, and unauthorized access is blocked by a firewall.
d. The transfer of work involving personal information is carried out under strict security measures, and accountability for personal information incidents after an employee’s resignation or termination is clearly established.
e. Documents and auxiliary storage devices containing personal information are stored securely in a locked location.

8. Personal Information Protection Officer and Contact Information