Privacy Policy

Privacy Policy

ARCOOKIE Co., Ltd. (hereinafter referred to as the “Company”) values the personal information of users and complies with applicable laws and regulations, including the Personal Information Protection Act of the Republic of Korea. Through this Privacy Policy, the Company informs users of what personal information the Company processes, for what purposes it is processed, how it is protected, and what rights users may exercise.

Article 1. Purposes of Processing Personal Information

The Company processes personal information for the following purposes. Personal information processed by the Company will not be used for any purpose other than the following purposes. If the purpose of use is changed, the Company will take necessary measures in accordance with applicable laws and regulations.

1. Membership Registration and Member Management

User identification, identity verification, account management, membership grade management, prevention of unauthorized use, delivery of notices, and response to inquiries.

2. Provision and Operation of Services

Registration, management, and viewing of AR content; upload of 3D assets; creation of AR exhibitions; provision of exhibition codes and experience codes; management of registered devices such as Meta Quest and other AR/MR/XR goggles and smart glasses that may be supported in the future; management of download and execution history; and operation of services for schools, institutions, and companies.

3. Provision of Paid Services and Payment Processing

Subscriptions, point top-ups, use of AI generation features, AR ART exhibition licenses, in-app purchase verification, payment history management, refunds, settlements, and issuance of receipts.

4. Content Rights Management and Dispute Response

Verification of copyright and license information of user content, receipt of rights infringement reports, takedown processing, handling of objections, and response to disputes.

5. Customer Support and Complaint Handling

Receipt of inquiries, identity verification, notification of processing results, response to service failures, and service improvement.

6. Service Improvement and Statistical Analysis

Analysis of access and usage volume, error analysis, feature improvement, user experience improvement, and security enhancement.

7. Marketing and Advertising

Provision of information on new services, events, promotions, and newsletters. This applies only to users who have given optional consent.

Article 2. Categories of Personal Information Processed

The Company processes the minimum personal information necessary to provide its services.

1. Membership Registration and Account Management

Items processed: name or nickname, ID, email address, password, mobile phone number, membership grade, date of registration, and login history.

2. School, Institution, and Corporate Members

Items processed: name of person in charge, affiliated institution or company name, position, contact information, email address, business registration information or institutional identification information, and service contract information.

3. Use by Children Under the Age of 14

Items processed: child’s membership information, name and contact information of the legal representative, and information confirming consent.

4. Paid Services and Payments

Items processed: payment amount, payment date and time, product name, order number, payment method, payment status, refund information, purchase token, or receipt information.

Sensitive payment information such as full credit card numbers is, in principle, processed by the payment gateway provider or app market.

5. Points and Passes

Items processed: point top-up, use and refund history, number of AI generation uses, subscription status, and expiration date of passes.

6. Content Registration and Exhibition Operation

Items processed: uploaded file names, content titles, descriptions, categories, disclosure scope, copyright holder/source/license information, 3D model/image/video/audio files, thumbnails, metadata, exhibition codes, experience codes, and registration/modification/deletion history.

7. Device Registration and AR Usage Logs

Items processed: device name, device type, manufacturer, model name, OS/browser information, app version, device identification information, date and time of registration, registered/administrator information, affiliated institution or exhibition information, access IP address, access date and time, number of downloads and executions, error logs, AR content usage history, and pass assignment/retrieval history.

8. AI Generation and Automatic Conversion

Items processed: prompts, original images, reference materials, 3D files, textures, generation request information, generated outputs, error logs, and processing status.

9. Inquiries and Reports

Items processed: name, email address, contact information, inquiry details, attachments, processing history, rights infringement reports, and explanatory materials.

10. Automatically Collected Information

Items processed: IP address, cookies, access logs, service usage records, payment/authentication logs, and unauthorized use records.

11. Optional Marketing

Items processed: email address, mobile phone number, consent status for receiving marketing communications, and event participation information.

Users must take care not to upload images, audio, videos, 3D assets, descriptions, or other materials containing personal information while using the service. If personal information of another person, such as face, voice, real name, or school name, is inevitably included, the user must obtain the necessary consent.

If the Company supports devices equipped with advanced sensors, such as smart glasses with cameras, microphones, spatial recognition, or eye-tracking functions, the Company will process only the minimum information necessary to provide the service. If the Company provides functions that collect, store, or analyze highly sensitive information such as spatial maps, location information, biometric information, eye-tracking information, or voice information, the Company will separately notify users of the relevant items, purposes, retention periods, third-party provision or outsourcing status, and will obtain the necessary consent.

Article 3. Processing and Retention Period of Personal Information

When the purpose of processing personal information has been achieved or when a user requests membership withdrawal, the Company will destroy the relevant personal information without delay. However, if retention is required under applicable laws and regulations, the Company will retain the information for the following periods.

1. Records on Contracts or Withdrawal of Offers

Retention period: 5 years
Legal basis and purpose: Act on the Consumer Protection in Electronic Commerce, etc.

2. Records on Payment and Supply of Goods or Services

Retention period: 5 years
Legal basis and purpose: Act on the Consumer Protection in Electronic Commerce, etc.

3. Records on Consumer Complaints or Dispute Resolution

Retention period: 3 years
Legal basis and purpose: Act on the Consumer Protection in Electronic Commerce, etc.

4. Communication Confirmation Data Such as Access Logs

Retention period: 3 months
Legal basis and purpose: Protection of Communications Secrets Act

5. Rights Infringement Reports and Dispute Response Materials

Retention period: Period necessary after the dispute has been resolved
Legal basis and purpose: Protection of rights and response to legal disputes

6. Records of Restrictions Due to Unauthorized Use

Retention period: Period necessary after the restriction ends
Legal basis and purpose: Prevention of unauthorized registration, rights infringement, and payment abuse

Content uploaded by members is, in principle, deleted when the member directly deletes the content or withdraws from membership. However, if public or exhibition-public content is already related to exhibitions, experience codes, shared links, backups, or dispute response, it may be retained for a certain period to the extent necessary for service operation and legal response.

Article 4. Provision of Personal Information to Third Parties

The Company does not, in principle, provide users’ personal information to third parties. However, exceptions may apply in the following cases:

  1. Where the user has given prior consent;
  2. Where there is a special provision under applicable laws and regulations, or where an investigative agency or other relevant authority requests the information in accordance with procedures and methods prescribed by law;
  3. Where provision is necessary for business purposes within the scope required for service provision, such as payment, delivery, identity verification, or processing of rights infringement reports; or
  4. Where information is provided in a form that cannot identify individuals for statistical compilation, research, or service improvement.

If the Company provides personal information to a third party, the Company will notify users in advance of the recipient, purpose of provision, items provided, and retention and use period, and will obtain the necessary consent.

Article 5. Outsourcing of Personal Information Processing

The Company may outsource part of its personal information processing operations to external service providers for smooth service provision. When entering into outsourcing contracts, the Company stipulates matters necessary to ensure the safe processing of personal information and manages and supervises the outsourced service providers.

1. NICE Payments

Outsourced service: Payment processing, including credit card payments, account transfers, and simple payments.

2. NHN Cloud Corporation

Outsourced service: Service server operation, data storage, backup, and content file storage.

3. Google Cloud

Outsourced service: Sending text messages and emails, notifications, identity verification, notices, and responses to inquiries.

4. Apple Inc. / Google LLC or Relevant App Market Providers

Outsourced service: In-app purchases, subscription payments, and purchase history verification.
Note: In-app purchases are currently under preparation.

5. External AI Generation Service Providers, Including Meshy

Outsourced service: AI-based 3D generation, image/3D conversion, assistance in AR content creation, and processing of generation requests.

If outsourced service providers change, the Company will notify users through this Privacy Policy or a notice.

Article 6. Cross-Border Transfer of Personal Information

For service provision, the Company may use app markets, in-app payment services, cloud services, email delivery services, analytics tools, and external AI generation services provided by overseas business operators. In this process, personal information may be transferred overseas or processed and stored overseas. If personal information is transferred overseas, the Company will disclose the recipient, country of transfer, date and method of transfer, transferred items, purpose of use, retention and use period, and method of refusal in this Privacy Policy in accordance with the Personal Information Protection Act and other applicable laws and regulations, or will obtain separate consent where necessary.

The items currently identified by the Company as potentially subject to overseas transfer or overseas processing are as follows.

1. Google LLC or Google Cloud-Related Service Providers

Country of transfer: United States and other countries where Google services are provided
Transferred items: Email address, notification recipient information, sending history, and information necessary to respond to inquiries
Purpose of transfer: Sending text messages and emails, notifications, identity verification, notices, and responses to inquiries
Date and method of transfer: Transmission via network when the service is used or when a sending request is made
Retention and use period: Until the outsourcing purpose is achieved or until the contract between the Company and the service provider terminates

2. Apple Inc. or App Store In-App Purchase-Related Service Providers

Country of transfer: United States and other countries where Apple services are provided
Transferred items: Purchase receipts, transaction numbers, product IDs, purchase date and time, subscription status, app account identifiers, and information necessary for payment verification
Purpose of transfer: Apple in-app purchases, purchase verification, subscription status confirmation, and response to refunds or erroneous payments
Date and method of transfer: Transmission via network when a user makes an in-app purchase and when server verification is requested
Retention and use period: During the period necessary for payment verification and the retention period required by applicable laws and regulations

3. Google LLC or Google Play In-App Purchase-Related Service Providers

Country of transfer: United States and other countries where Google services are provided
Transferred items: Purchase tokens, order numbers, product IDs, purchase date and time, subscription status, app account identifiers, and information necessary for payment verification
Purpose of transfer: Google Play in-app purchases, purchase verification, subscription status confirmation, and response to refunds or erroneous payments
Date and method of transfer: Transmission via network when a user makes an in-app purchase and when server verification is requested
Retention and use period: During the period necessary for payment verification and the retention period required by applicable laws and regulations

4. External AI Generation Service Providers, Including Meshy

Country of transfer: Countries where the relevant external service provider’s servers are located
Transferred items: Prompts, original images, reference materials, 3D files, textures, generation request information, generated outputs, and error logs
Purpose of transfer: AI-based 3D generation, image/3D conversion, assistance in AR content creation, and response to generation failures and errors
Date and method of transfer: Transmission via network when the user requests AI generation or conversion
Retention and use period: Period necessary for generation processing and error response, or the period specified in the policy of the external service provider

Apple/Google in-app purchases are currently under preparation. Before actual implementation, the Company will confirm the contracting entity, receiving corporation, countries of transfer, and processing items in App Store Connect and Google Play Console, and finalize the above table accordingly. Users may refuse overseas transfer; however, if users refuse overseas transfer that is essential for in-app payment verification and provision of paid services, use of the relevant payment method or paid service may be restricted.

Article 7. Destruction of Personal Information

When personal information becomes unnecessary due to the expiration of the retention period, achievement of the processing purpose, membership withdrawal, or other reasons, the Company will destroy the relevant personal information without delay.

Personal information in electronic file format will be deleted in a secure manner so that it cannot be restored or reproduced.

Personal information recorded in paper documents will be shredded or incinerated.

Personal information that must be retained under applicable laws and regulations will be stored in a separate database or separate storage location and will not be used for any purpose other than the purpose of retention.

Article 8. Rights of Users and Legal Representatives and How to Exercise Them

Users may request access to, correction of, deletion of, suspension of processing of, or withdrawal of consent regarding their personal information at any time.

Legal representatives of children under the age of 14 may request access to, correction of, deletion of, suspension of processing of, or withdrawal of consent regarding the child’s personal information.

Rights may be exercised through member information management within the service, customer support, email, written request, or other available methods.

The Company will take action without delay in response to users’ requests to exercise their rights. However, information that must be retained under applicable laws and regulations may be stored for the relevant retention period.

The Company may request information necessary to verify whether the person exercising the rights is the user or a legitimate representative.

Article 9. Protection of Children’s Personal Information

If the Company needs to process personal information of a child under the age of 14, the Company will obtain consent from the child’s legal representative.

If children use the service for classes, experiences, or exhibitions through schools or institutions, the Company will cooperate with the teacher or institutional representative in charge to ensure that necessary consent and notices are provided.

The Company does not request unnecessary personal information from children and provides guidance to ensure that content uploaded by children does not include personal information such as face, voice, real name, contact information, or location information.

Article 10. Use of Cookies and Automatic Collection Tools

The Company may use cookies to maintain login status, save service settings, ensure security, analyze usage statistics, and provide customized services.

Users may refuse or delete cookies through browser settings.

If users refuse to store cookies, login maintenance, customized features, and use of certain services may be restricted.

If the Company uses advertising identifiers, behavior-based advertising, or external analytics tools, the Company will separately provide information on the name of the tool, collected items, and opt-out method.

Article 11. Measures to Ensure the Security of Personal Information

The Company implements the following measures to ensure the security of personal information and registered device information:

  1. Minimization of access authority to personal information and access control;
  2. Encryption or secure storage of authentication information such as passwords;
  3. Encryption of transmission sections for personal information;
  4. Security measures to prevent hacking, malware, and unauthorized access;
  5. Retention of access records and prevention of alteration or falsification;
  6. Minimization and training of personnel who process personal information;
  7. Access restrictions on uploaded files, inquiry attachments, and rights infringement report materials that may contain personal information;
  8. Processing of payment information, in principle, through payment gateway providers or app markets, while the Company processes only the minimum payment information necessary for service provision; and
  9. Separation of administrator authority for registered device information, management of device registration and deregistration history, and access restriction measures in the event of loss, theft, or contract termination.

Article 12. Personal Information Protection Officer

The Company designates a Personal Information Protection Officer to oversee personal information processing operations and handle complaints and remedies related to personal information.

Personal Information Protection Officer: Youngjoo Hwang
Position: Director
Contact: 070-7757-7018
Email: info@arcookie.com

Users may contact the Personal Information Protection Officer for any inquiries, complaint handling, or remedy requests related to personal information protection that arise while using the service.

Article 13. Remedies for Infringement of Rights

Users may contact the following institutions if they need to report or consult on personal information infringement:

Personal Information Infringement Report Center: 118 without area code
Personal Information Dispute Mediation Committee: 1833-6972
Cyber Investigation-related Department of the Supreme Prosecutors’ Office: 1301 without area code
Cyber Investigation-related Department of the National Police Agency: 182 without area code

Article 14. Amendments to this Privacy Policy

This Privacy Policy applies from its effective date.

The Company may amend this Privacy Policy if laws and regulations, service structure, personal information processing items, outsourced service providers, or Company policies change.

If there are material changes, the Company will notify users at least seven (7) days before the effective date. Changes that materially affect users’ rights will be notified at least thirty (30) days in advance to the extent possible.

Addendum

Effective date of Privacy Policy: May 12, 2026
Date of amendment of Privacy Policy: May 5, 2026