Face Wallet Privacy Policy

[220923~230605] Face Wallet Privacy Policy

Chapter 1 General Provisions

Article 1 (Basic Principles)

(1) HAECHI LABS Co., Ltd. (“Company”) complies with the data privacy regulations and relevant laws and regulations that apply to information and communications service providers. Company is committed to protecting the interests of its users (“Users”) by establishing this privacy policy in accordance with relevant laws and regulations.

(2) Company further complies with the Personal Information Protection Act (“PIPA”) and the Act on Promotion of Information and Communications Network Utilization and Information Protection in so far as it processes personal information.

Chapter 2 Items of Personal Information Collected and Methods of Collection

Article 2 (Items Collected)

Company collects the following items of personal information from Users in order to provide various services.

1. Service Account Registration and Management
   Required fields: Email, name, processed pin code value, mobile phone number, verification code, single sign-on token

Optional fields: nationality, date of birth, residential address

2. Services
   Required fields: records of use of services, wallet address, payment information, access log, cookie, token, transaction and payment-related records, and other records of activities in the services (e.g., game)
   Optional fields: name, nationality, sex, date of birth, residential address

Article 3 (Additional Information Collected during Use of Services)

When Users use the Services, information such as (i) IP address, (ii) Cookies, (iii) the type and language of browser, and (iv) usage log may be collected by Company.

Article 4 (Prohibited Collection of Sensitive Personal Information)

Company does not collect Sensitive Personal Information (as defined below) that may infringe on the basic human rights of Users.

“Sensitive Personal Information” refers to the following.

Personal information about an individual’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), genetic data and biometric data (where used to identify an individual), and information concerning an individual’s health, sex life or sexual orientation; and

Personal information about (i) the commission or alleged commission of an offence by an individual, or (ii) proceedings for an offence committed or alleged to have been committed by an individual, the disposal of such proceedings or the sentence of a court in such proceedings.

Article 5 (How to Collect Personal Information)

Company collects personal information by the following methods:

1. Collection through voluntary disclosure by Users
2. Automatic collection through the use of Company’s services and from the technology which Users use to access Company’s services

Chapter 3 Purpose of Collection and Use of Personal Information

Article 6 (Purpose of Collection and Use of Personal Information)

(1) Company processes personal information for the following purposes. The personal information is not used for any other purposes, and in the event of change of the purposes of use, Company will obtain a separate consent or otherwise take measures as required.

1. Service Account Registration and Management: confirmation of intent to register, verification of identification of account holder, maintenance and management of account status, prevention of unauthorized use of services, confirmation of parental consent for children under the age 14, various disclosures and notices, and grievance handling
2. Processing of complaints: verification of identification of complainant, confirmation of details of complaint, contact and notice for investigation of facts, delivery of results
3. Offering of services: offering of services, delivery of contract and/or invoice, offering of contents, verification of identification, verification of age, payment and/or settlement of fees, debt collection
4. Improvement of service performance and algorithm: strict management and protection of technology for protection of personal information, service performance enhancement and algorithm improvement, identification of records of unauthorized use for service improvement
5. Marketing and advertising: development of new services and offering of customized services, offering of event and promotional information and opportunities for participation, offering of services and advertisements by demographic characteristics, verification of validity of services, understanding of frequency of access and use of services by account holders, and measures for de-identification of personal information
6. Offering of customized services: analysis of records of service use and access frequency and offering of customized services according to service use statistics
7. Establishment and exercise of legal claims: ensuring that Company may defend any legal claims made against it by Users and/or a third party and/or enforce any of its applicable rights against such persons
8. Development of new services: research and development of new business models in the blockchain industry

(2) Company may additionally use and provide personal information without the consent of the data subject to the extent such use and provision reasonably relates to the original purpose of collection of the personal information in consideration of the provisions under Article 14-2 of the Enforcement Decree of PIPA pursuant to Article 15(3) and Article 17(4) of the PIPA to. For this purpose, Company should consider the following matters.

1. Whether the purpose for additionally using and providing personal information is related to the original purpose of collection of the personal information
2. Whether additional use or provision may be expected in view of the circumstances of collecting personal information or the practices of processing personal information
3. Whether additional use or provision improperly infringes interests of the data subject
4. Whether measures required for securing safety such as pseudonymization or encryption have been taken

Chapter 4 Sharing and Providing Personal Information

Article 7 (Provision of Personal Information to Third Party)

(1) Company processes the personal information of Users within the scope stated in Article 6 (Purpose of Collection and Use of Personal Information) and provides the personal information of Users to a third party only in the case subject under Article 17 and Article 18 of the PIPA such as consent of User or special provisions under the law. Company does not otherwise provide the personal information of Users to a third party.

(2) Company provides the personal information of Users to a third party as provided in the following link:

Current Terms of Provision of Personal Information to Third Parties

Chapter 5 Entrustment of Handling Personal Information

Article 8 (Entrustment of Processing Personal Information)

(1) Company entrusts processing of personal information of Users to third parties as follows:

1. Name of third-party processor: Amazon Web Services, Inc.
2. Task of third-party processor: storage of collected personal information
3. Items of personal information to be transferred: all personal information collected by Company
4. Period of use and storage by recipient: until change of the cloud services being used by Company

(2) AWS engages in physical management of the relevant server only and may not access Users’ personal information. Company expressly provides for the prevention of processing of personal information for any purposes other than performance of the entrusted activities, technical and managerial safeguards of personal information, management and supervision of the third-party processor, and indemnification pursuant to Article 26 of the PIPA in the relevant agreement and other documents when entering into the entrustment agreement. Company further supervises whether the third-party provider safely processes the personal information.

Chapter 6 Retention and Use Period of Personal Information

Article 9 (Basic Principles of Personal Information Retention and Usage Period)

In principle, personal information of Users are destroyed without delay when the purpose of collecting and using personal information is achieved. However, personal information may be safely stored if the data subject provides separate consent for the retention period of the personal information or an obligation for storing information for a certain period of time is imposed by law.

Article 10 (Retention of Personal Information under Company’s Internal Policy)

Notwithstanding Article 9, in order to prevent disputes related to the Services, Company shall transfer information related to Users management in a separate DB (in the case of information recorded on paper to a separate document) in accordance with the internal policy of Company and keep it for the following period, and use it only within the scope of its purpose.

1. If an investigation is underway for a violation of the relevant laws by Users: until the end of investigation
2. If there remains a creditor/debtor relationship between Company and Users: until the settlement of the relevant debt
3. If there are records of unauthorized use such as unauthorized registration or records of corrective actions: until the end of 6 months
4. If there are unauthorized transactions in violation of the applicable laws or Terms of Use such as payment theft: until the end of 3 years

Article 11 (Retention of Personal Information by Relevant Laws and Regulations)

Notwithstanding Article 9 and Article 10, Company shall transfer information related to the User management in a separate DB (in the case of information recorded on paper to a separate document) in accordance with the relevant laws and regulations and keep it for the required period, and use it only within the scope of its purpose.

Chapter 7 Destruction of Personal Information

Article 12 (Procedures and Methods of Destroying Personal Information)

(1) Company will destroy the personal information within (i) 5 days from the date of termination of the personal information retention period under Article 9 to Article 11 or (ii) 5 days from the day when the processing of personal information is deemed unnecessary if the personal information becomes unnecessary (including completion of the processing of personal information, abolition of service, termination of business) in accordance with Paragraph 3 below.
(2) Company shall identify personal information that has a reason to be destroyed, and destroy the personal information with the approval of the Personal Information Protection Manager.
(3) Company will destroy personal information in the following ways:
Personal information recorded and stored on paper: destruction by shredding or incinerating
Personal information stored in electronic file format: destruction by using a technical method such as low-level format so that the record cannot be restored

Chapter 8 Users’ Rights

Article 13 (Data Protection Rights)

(1) The following is a list of the rights that all Users have under data protection laws. They do not apply in all circumstances. If Users wish to use any of them, Company will explain at that time if they are engaged or not.

1. Right to be informed about the processing of your personal information
2. Right to have your personal information corrected if it is inaccurate and to have incomplete personal information completed
3. Right to object to processing of your personal information
4. Right to restrict processing of your personal information
5. Right to have your personal information erased
6. Right to request access to your personal information and to obtain information about how Company processes it
7. Right to move, copy or transfer your personal information (data portability)
8. Rights in relation to automated decision making which has a legal effect or otherwise significantly affects you

(2) Users are informed that some of the above rights may only apply in certain cases. For example, some rights only apply where our lawful ground of processing is Users’ consent, or where Company has a contract with the User.

Article 14 (Withdrawal of Consent to the Collection, Use and Disclosure of Personal Information)

(1) Users may withdraw consent to the collection, use and disclosure of personal information at any time.
(2) Withdrawal of the consent may result in restrictions on the use of the service.

Article 15 (Requests to View, Verify, and Correct Personal Information)

(1) If the User requests to view, correct, delete, or suspend processing of personal information, Company shall (i) not use or provide such personal information until completion thereof, (ii) respond sincerely to the request of the User, (iii) take necessary measures without delay if it is deemed necessary to correct or delete the personal information (including if there is an error in the personal information or if the retention period of the personal information has lapsed).

(2) The rights of the data subject to the request to view and/or suspend processing of personal information may be limited pursuant to Article 35(4) and 37(2) of the PIPA.

(3) The request to correct or delete personal information may not be allowed if such personal information is expressly provided as subject to be collected under the law.

(4) When User requests to view or verify through wire or written communication, Company shall confirm whether the request is true to the person’s intention by requiring a copy of the requesting party’s ID.

Article 16 (Restrictions on Accessing and Viewing Personal Information)

(1) The personal information that has been canceled or deleted at the request of the User is processed as specified in Articles 9 through 11 and is processed so that it cannot be viewed or used for any other purpose.

(2) Users may view or modify registered personal information at any time and may request termination of his or her membership.

Article 17 (How to Exercise Rights)

Users may exercise the rights of this Chapter by means of written communication, mail or fax to Company.

Article 18 (Exercising the Rights of Agents)

Users may exercise the rights of this Chapter through their legal representatives or their authorized representatives. In this case, Users must submit the power of attorney to Company in accordance with the PIPA.

Chapter 9 Matters on Installation / Operation and Rejection of Automatic Collection Device of Personal Information

Article 19 (Use of Cookies)

(1) Company uses cookies or similar technologies (“Cookies”) that store and access Users’ access information from time to time. Cookies are a small amount of information stored on the device when the User visits a platform, and store the information that can be read when the User returns.

(2) Company uses Cookies for the following purposes:

1. Maintain the User’s connection session and distinguish users and sessions, as well as recall whether the User has agreed (or otherwise) to the use/storage of Cookies;
2. Service visit and usage behavior analysis;
3. Security access;
4. Improving the speed of the services when the User accesses the services;
5. Showing the traffic source or campaign that explains how the User has accessed the services; and
6. Storing any User preferences permitted by the websites.

(3) The installation of Cookies is at the option of Users. The installation of Cookies will be executed pursuant to the browser settings set by Users which may accept all Cookies, request consent for installation each time Cookies are saved, or reject installation of all Cookies. Please note that if Users refuse to install the Cookies, Users may experience inconveniences in using the website and may experience difficulties in using some of the services that require Users to log in.

(4) Most browsers are initially set to accept Cookies. Users may set the browser to refuse Cookies and control and/or delete Cookies as Users wish. Users may delete all Cookies that are already on the device and Users may set most browsers to prevent them from being placed. Users should be aware that they may have to manually adjust some preferences at each visit of the website and some services and functionalities may not work if Users do not accept the Cookies.

Chapter 10 Technological/Administrative Protection Measures of Personal Information

Article 20 (Minimizing and Educating Processing Staff)

In principle, the personal information processing staff of Company is the Personal Information Protection Manager as set forth in Article 24 only, and a separate password is assigned to that person, which is updated regularly. Through regular training for the Personal Information Protection Manager, Company always emphasizes compliance with the personal information processing policy. In certain cases personal information processing may be carried out by persons other than the Personal Information Protection Manager, and this shall be restricted only to those staff on a need-to-know basis who shall have restricted access only to such information as is necessary to carry out or fulfill the duties of Company owed to such User to whom such data relates.

Article 21 (Establishment and Enforcement of Internal Management Plan)

Company has established an internal management plan for the safe processing of personal information. Company uses technical, administrative and physical procedures designed to protect all information from loss, theft, misuse and accidental, unlawful or unauthorised access, disclosure, alteration, use and/or destruction.

Article 22 (Encryption of Personal Information)

The personal information of Users is encrypted prior to it being stored and managed. Only Company and the User to whom such data relates can access it. All personal information is encrypted by encrypting the file and transmission data or using the file security function.

Article 23 (Restrict Access to Personal Information)

Company takes necessary measures to control access to personal information through the granting, modification and cancellation of access to the database system handling personal information and controls unauthorized access from outside by using an intrusion prevention system.

Article 24 (Personal Information Protection Manager)

Users may report any privacy complaints that may arise as a result of using Company’s services to the following person. The Personal Information Protection Manager bears all responsibilities in the event of an incident in breach of the matters notified to Users in protecting personal information. However, the Personal Information Protection Manager is not responsible for any disputes arising out of damages to information due to unexpected accidents caused by basic network risks such as hacking or the posts submitted by visitors if such damages or posts occur despite having implemented technical supplementary measures.

Personal Information Protection Manager

• Name: Geon-gi Mun
• Position: CEO
• Phone: +82-70-7721-0918
• E-mail: [email protected]

Chapter 11 Miscellaneous

Article 25 (Notice of Personal Information Processing Policy and Notification Method)

(1) In case of addition, deletion or modification of the current personal information processing policy, Company will notify the reason and contents of the change through the Notice section of the website managed and operated by Company at least 7 days before the amendment. However, if there is any significant change in Users’ rights in the collection and utilization of personal information, Users will be notified at least 30 days in advance.

(2) If Company wishes to use the personal information of Users beyond the agreement of Users or obtain the additional consent of Users to entrust the handling to a third party, Company shall individually notify Users in advance.

(3) If Company entrusts the collection, storage, processing, use, provision, management or destruction of personal information to a third party, Company will notify Users through the Terms of Use and Privacy Policy.

Article 26 (Blockchain and Personal Information)

(1) Blockchain technology, also known as distributed ledger technology is at the core of our business. Blockchains are decentralized and made up of digitally recorded data in a chain of packages called blocks. The manner in which these blocks are linked is chronological, meaning that the data is very difficult to alter once recorded. Since the ledger may be distributed all over the world across several nodes which replicate the ledger, this means there is no single person making decisions or otherwise administering the system (such as an operator of a cloud computing system), and that there is no centralized place where it is located either. Accordingly, by design, a blockchain’s records cannot be changed or deleted and is said to be immutable. This may affect Users’ exercise of rights such as the right to erasure (the right to be forgotten), the right to rectification of the data or the rights to object to or restrict processing of the personal information. Data on the blockchain cannot generally be erased or changed, although some smart contracts may be able to revoke certain access rights, and some content may be made invisible to others, however it is not deleted.

(2) In certain circumstances, Company may need to write certain information, such as the cryptographic signatures on the blockchain; to provide the services. This is done through a smart contract and requires the signature using the private key of the wallet of the User. In most cases ultimate decisions to (i) transact on the blockchain using cryptocurrency wallet address and/or (ii) share the public key relating to cryptocurrency wallet address with anyone (including Company) rests with the User.

(3) If the User intends to ensure that the User’s privacy rights are not affected in any way, the User should not transact on blockchains or use the services provided by Company. In case of such transaction or use of the services, the rights may be restricted by the User or Company. In particular, the blockchain is available to the public and any personal information shared on the blockchain will become publicly available.

(4) The following information may be recorded in the blockchain in the process Users use the services of Company.

1. Cryptographic wallet address from which you submitted the transaction;
2. Amount of the cryptocurrency which you send as payment; and
3. Cryptographic wallet address to which you initiated the transaction.

Article 27 (Remedies for Infringement of Rights of Data Subject)

The data subject may apply to Personal Information Dispute Mediation Committee or Personal Information Infringement Report Center of Korea Internet & Security Agency for dispute resolution or counseling for remedies from infringement of personal information. For other reporting or counseling of infringement of personal information, please contact the following agencies. A person who is infringed of rights or interests owing to disposition or failure of disposition by the head of a government agency in response to a request under Article 35 (Access to Personal Information), Article 36 (Rectification or Erasure of Personal Information), or Article 37 (Suspension of Processing of Personal Information) of the PIPA may claim for an administrative action pursuant to the Administrative Appeals Act.

1. Personal Information Dispute Mediation Committee: 1833-6972 (kopico.go.kr)
2. Personal Information Infringement Report Center of Korea Internet & Security Agency: 118 (privacy.kisa.or.kr)
3. Prosecution Service: 1301 (spo.go.kr)
4. Korean National Police Agency: 182 (ecrm.cyber.go.kr)

This Privacy Policy shall be effective as of June 5, 2023.