2023-03-30
General provision
This personal information processing policy notifies the method/purpose of using the user’s personal information that is collected during service use (operational program, website, etc.),
as well as the measures being taken for protection of personal information, and includes the following details.
This policy was created in accordance with Korea’s Personal Information Protection Act, and puts maximum effort to provide service while adhering to international standards.
Article 1. Personal information collected and method of collection
To smoothly provide service, the company is collecting the minimum, necessary personal information with the user’s consent.
1. Items of personal information collected
1) The following information is collected upon registration.
- Google: User identification information
- Apple: User identification information
- Facebook: User identification information
- Steam: User identification information
- Huawei: User identification information
* When using the game through linkage with Google ID, Apple ID, Facebook, Huawei ID, or if linking with the official community, no further collection or save is done other than the information provided by each social platform.
2) The following information can be collected during the service use process.
- IP information, game and service use log, access log, transaction record, use restriction history, game version
- Mobile device information: Model name, mobile carrier information, OS information, language and country information, device serial number, advertisement ID, cookie
- PC: CPU, Memory, Storage, VGA, MAC information
3) The company can collect additional information when the following user-related services are used and can perform personal information collection and gain user agreement according to legislation.
- Customer service: Server name, guild name, mobile device name, OS version, transaction date, transaction account, order number, item name, transaction amount, IP address, web browser information
- Event and promotion participation: Server name, nickname, guild name, contacts
- Event and promotion win: Name, contacts, personal identification number
Article 2. Method of collecting personal information
1) Collected during company service registration through a consent process
2) Collected when participating in or entering events and promotions through a separate consent process
3) Voluntarily provided during customer service or collected upon request if necessary
4) Collected through cooperating companies, and partnership platforms
Article 3. Purpose of collection and use of personal information
The company does not disclose the collected personal information without the user’s consent, and the collected personal information is utilized for the following purposes.
1. Contract execution and fee settlement related to providing the service
- Providing contents, purchase and payment, refund, item delivery, self-verification, fee collection
2. User management
- User identification, preventing unjust use and unapproved use by bad users, confirming registration intent, limiting registration and registration count, preserving records for dispute mediation, customer service such as complaint processing, delivering notification
3. Used for development of new services, marketing, and statistic analysis
- Delivering promotional information and providing participation opportunities such as new service development, events, etc., providing service and publishing advertisements based on demographic characteristics, identifying the access frequency and statistical analysis on the user’s service use, providing events and promotional services
Article 4. Period of retention and use of collected personal information
In principle, if the collection and use purpose of personal information is achieved, the information is destroyed without delay. However, to resolve consumer complaints and disputes when withdrawing from the game, and to resolve unwanted withdrawals, etc. from illegal use of personal information, the personal information is retained for 15 days after withdrawal is requested.
Also, if there is a need to preserve the information after the collection and use purpose is achieved due to relevant legislation, the company stores the user’s information for a designated period of time determined by relevant regulations as follows.
1. Retaining information due to company interior policies
1) Selecting event and promotion winners
- Information collected for events and promotions: 6 Months
* However, the duration can differ depending on the events and promotions, and the period posted on individual events and promotion pages are applied with priority.
2. Retaining information due to relevant legislation
1) Act on the Consumer Protection in Electronic Commerce, Etc.
- Records related to labeling/advertisement: 6 Months
- Records related to agreements or subscription withdrawal: 5 Years
- Records related to payments, supply of commodities: 5 Years
- Records related to consumer’s complaints or settlement of disputes: 3 Years
2) Protection of Communications Secrets Act
- Records on website visit: 3 Months
3) Framework Act on National Taxes
- Books and evidential documents related to all transactions as defined by tax law: 5 Years
Article 5. Procedure and Method of Destruction of Personal Information
In principle, after the collection and use purpose of personal information is achieved, the information is destroyed without delay. The disposal procedure and method are as follows.
1. Disposal Procedure
For information entered by the user for user registration, service signup, etc., after the collection and use purpose of personal information is achieved, based on interior policies and information protection reasons in accordance with legislation(refer to ‘Article 4. Period of retention and use of collected personal information’), it is retained for a certain period of time before being disposed.
2. Disposal Method
1) Personal information preserved in electronic file formats is to be deleted using technical means which makes the information irrecoverable.
2) Personal information printed on paper is to be destroyed through shredding or incineration.
Article 6. Separate saving and management of long-term unused account personal information
In accordance with 「Act on Promotion of Information and Communications Network Utilization and Information Protection」 and enforcement decree, to protect the personal information of users that have not used the service during the recent year, the account is transitioned into a dormant account, with appropriate measures taken such as the personal information separately saved and managed or disposed.
At the point it reaches 1 year since the service was last used, the company notifies measures related to dormant accounts.
Article 7. Provision of information
The company uses the user’s personal information within the range notified in ‘Article 3. Purpose of collection and use of personal information’, and is gaining consent in accordance with legislation if the personal information must be provided to a third party. However, this does not apply in the following cases.
- When required for the settlement of Service provision
- In accordance with the legislation, or if there is a request made by an investigative authority through process and method determined by legislation for investigation purposes
- When specially specified in the laws and regulations
Article 8. Collection of minority information
The company does not collect personal information of those aged 15 or less as determined by legislation, and those aged 15 or less cannot use the company’s services.
If it is confirmed that a minor’s personal information has been collected, the company will take legal measures to immediately delete the information.
Article 9. California Consumer Privacy Act
The company abides by the California Consumer Privacy Act
1. Personal information collected/shared for duty purposes
The company can collect/share the following categories of information that can directly/indirectly identify the user or their device, or information that can be reasonably connected to the user or their device("personal information") for business purposes.
Identifiers - Nickname, unique identifier, online ID, IP, email address, account name or other similar ID
Commercial information.- purchased/obtained/collected item or service, other records on purchase, consumption history or tendency
Geolocation data.- Geographic location data such as country of residence
2. Purpose of collection
The personal information above is used/shared for purposes such as enhancing service quality, providing service, maintaining account, customer response service, customer confirmation, advertisement, and user pattern analysis as follows.
Resolving technical issues and enhancing quality of company service
Individual user identification to provide company service
Technical protection against use of unauthorized programs related to the company service
Preventing inappropriate gameplay that can negatively affect other users of the company service
Providing customer support on the company service through customer inquiry collection and response
Provide forum service on the company website
Provide information on company events and surveys, provide opportunities to participate in company events and surveys, provide company advertisement and use for other company marketing and promotional purposes
Track usage pattern, user trend analysis, calculate company service use statistics
3. Ban of personal information sale
The company does not “sell” the information of customers that use the company’s service for monetary benefit or specific benefits for the company.
4. Ban discrimination.
While some features of the service provided by the company can be saved or no longer provided, the company does not discriminate users that exercise their rights in accordance with CCPA.
5. California Consumer Protection Act
1) California residents have the right to receive explanations on the identification information of company or duty consignment company that has utilized their personal information for marketing purposes, and the category of utilized personal information.
After receiving information reveal request that fits the requirements, the company provides the following information.
- Personal information items of the requester collected by the company over the last 12 months.
- Category of sources from which the personal information was collected over the last 12 months.
- Personal information items that the company shares with duty consignment company.
- The company’s business/commercial purpose of collecting and sharing the select personal information
- Specific user personal information that the company collected over the last 12 months.
- If the user’s personal information was disclosed for business purposes, explanation on what categories of personal information were collected and used by the recipient through what means
2) If the user is a California resident, the user has the right to request deleting the personal information collected and owned by the user in accordance with a specific exception.
After the company receives and confirms the user’s request, if it is not an exception in accordance with CCPA, the user’s personal information is deleted.
Article 10. Lawful processing of personal information under GDPR
Processing personal information by the Company shall be lawful only if and to the extent that at least one of the following applies.
• A user has given consent to the processing of his or her personal information.
• Processing is necessary for the performance of a contract to which a user is party or in order to take steps at the request of a user prior to entering into a contract:
- Member management, identification, etc.
- Performance of a contract in relation to providing the services required by users, payment and settlement of fees, etc.
• Processing is necessary for compliance with a legal obligation to which the Company is subject
- Compliance with relevant law, regulations, legal proceedings, requests by the government
• Processing is necessary in order to protect the vital interests of users, or other natural persons
- Detection of, prevention of, and response to fraud, abuse, security risks, and technical issues that may harm users or other natural persons
• Processing is necessary for the performance of a task carried out in the public interest or in the excise of official authority vested in the Company
• Processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child).
User’s right when applying GDPR
The users or their legal representatives, as main agents of the information, may exercise the rights regarding the collection, use and sharing of personal information by the Company.
Details can be found in "Article 12. rights and exercise method of user and legal guardian”, and for requests for rights, please contact to 'Article 16. Personal Information Protection Manager’.
Article 11. Rights and exercise method of user and legal guardian
The user and legal guardian can always retract consent of providing personal information (withdrawal). To retract personal information providing consent, click “game withdrawal” in the service to proceed with withdrawal. However, if the personal information of the user is disposed from the withdrawal, the relevant information that has been created/accumulated while the user used the company’s service can also be deleted.
Contact the personal information protection manager in writing or email (
stormgames@stormgames.co.kr) for personal information search, modification, etc. so that necessary measures can be taken. However, the company can reject opening or modifying some or part of the user’s personal information if there is justifiable cause, and at this time notify the rejection to the user and justify with reasoning.
When the user has requested correction of personal information error, the select personal information is not used or provided until the correction is complete. Also, if incorrect information has already been provided to a third party, the correction processing is notified to the third party without delay.
Personal information disabled or deleted by the company upon the user or legal representative’s request is processed in accordance with ‘Article 3. Period of retention and use of collected personal information’ and it cannot be opened or used for any other purposes.
Users have the right to lodge a complaints with the supervisory authority, in particular in the EU Member State of users habitual residence, place of work or place of the alleged infringment if the data subject considers that the processing of personal data relating to user.
Article 12. Installation, operation and rejection of personal information automatic collection device
1. The company utilizes ‘cookie’ that saves and finds user information on demand. Cookie is a small text file that the server that operates the company’s website sends to the user’s device and browser, and is saved on the user’s device or computer hard drive. When the user uses the service, the server reads the contents of the cookie saved in the user’s device or hard disk to check the user information, and provide customized services.
2. The user has the right to select regarding installing cookies. The user can decide in the device settings whether to allow cookies, and also delete them. However, when not allowing use of cookies, there can be problems when using services required for login.
3. Cookie setting method
- Internet Explorer: At the top of the web browser, [Tools] → [Internet Options] → [Personal Information] → [Advanced]
- Chrome: At the top right of the web browser, [⋮] → [Settings] → [Personal Information and Security] → [Cookie and other site data]
Article 14. Items related to measures to acquire stability of personal information
To acquire stability and prevent loss, theft, leak, alteration or damages to the user’s personal information, the company is taking the following personal information stability acquiring measures.
However, despite all personal information protection duties fulfilled by the company, if the user’s carelessness such as losing the device, or if accidents that occur in areas that are not under the company’s management cause leaking of important personal information and subsequent problems, the company does not assume any responsibility.
1. Technical measures
1) The personal information of the account linked by the user is protected by he password set by the user, which is only known to the user themselves. Also, checking and changing personal information is only possible by the user who is aware of the password.
2) Out of the user’s personal information, the company is encrypting and storing items that are designated by relevant legislation, and checking/changing personal information is only possible after self-verification upon the user’s request.
3) Important data that includes personal information has the file or transmission data encrypted or is protected using security features such as file lock function, etc.
4) The company is monitoring at all times to prevent leaking or damage of the user’s personal information via hacking, computer virus, etc. Also, in response to potential situations, the system, data, and personal information are regularly backed up, and the vaccine program is regularly managed to prevent violation of personal information.
5) The company is taking all measures necessary for a systematic database system to process personal information.
2. Management measures
1) The company is limiting access authorization to the user’s personal information to a minimum, and this includes the following personnel.
- Those that directly perform marketing, events, customer service, and delivery duties for the user (including employees of consignment, partner companies)
- Those in charge of personal information protection duty including personal information protection manager
- Others inevitably having to process personal information as required by the tasks
2) The company is performing regular training for personal information treatment personnel and consignment companies on personal information protection duties, etc.
3) The company has a department that is in charge of personal information protection duties establish and manage personal information processing guidelines. Also, interior regulation abidance status is regularly checked and is attempting to immediately correct issues upon discovery.
4) The task takeover for personal information protection manager and personal information related processing personnel is thoroughly performed within the company with security maintained, and clearly states responsibilities regarding personal information accidents after joining or quitting the company.
5) The company does not take responsibility for personal information leakage that occurs from the user’s individual mistake or due to the Internet’s fundamental risks. The user must appropriately manage their account and password to protect their personal information, and take responsibility accordingly.
3. Physical measures
1) The company has a separate physical storage space for the personal information system that stores the personal information, and is establishing and operating an access control process.
2) Documents and supplementary storage media that includes personal information are stored in safe spaces with lock devices.
Article 15. Change in personal information processing policy
This personal information processing policy can be changed at all times with changes in relevant legislation, guideline, or interior company policy, and if there is such change in the policy this is notified through the official community or connecting screen within the game.
Article 16. Personal Information Protection Manager
The company is designating a personal information protection manager as follows to protect the customer’s personal information and process relevant complaints.
Position : Personal Information Protection Manager
Mail :
stormgames@stormgames.co.kr