Privacy Policy

Sandbox Network Inc. Privacy Policy

Sandbox Network Inc. (hereinafter referred to as the “Company”) values the protection of users’ personal information and complies with applicable laws such as the Personal Information Protection Act. The Company discloses this Privacy Policy through its official community and online customer center to ensure that users can easily access it.

Article 1 (Purpose of Processing Personal Information)
The Company does not disclose collected personal information without prior consent from the user, and collected information shall not be used for purposes other than the following:

① Membership registration and management (“Membership Services”)

• Identity verification and personal identification for membership-based services
• Prevention of fraudulent use and unauthorized access by delinquent users
• Confirmation of intent to register
• Age verification and restriction of registration frequency
• Verification of legal guardian consent for processing personal information of children under the age of 14
• Record retention for dispute resolution, complaint handling, and delivery of notices

② Execution of contracts related to service provision and settlement of fees (“Service Provision”)

• Provision of content and customized services
• Purchase and payment processing, refunds, notification of event winners, delivery of goods and invoices
• Identity and age verification, debt collection

③ Development of new services, marketing, and statistical analysis (“Marketing”)

• Development and specialization of new services
• Delivery of promotional information such as events and provision of opportunities to participate
• Provision of services and advertisements tailored to demographic characteristics
• Analysis of access frequency or usage statistics for services
• Verification of service effectiveness
• Provision of promotions and event services

Article 2 (Processing, Retention, and Use Period of Personal Information)
① Membership Services and Service Provision
The Company shall retain and use personal information while the Member’s status is maintained. In the case of withdrawal of membership, personal information shall be retained for up to 30 days after processing to address issues such as unintended withdrawal, and shall then be destroyed. However, in the following cases, information shall be processed and retained until the relevant reason ends:

1. Where investigations are in progress due to violations of laws or regulations: until the end of the investigation
2. Where there are outstanding debts or credits arising from the use of the website: until settlement is completed
3. Where retention is required under relevant laws, as follows:
   • Communications Secrets Protection Act
     • Records related to login: 3 months
   • Act on the Consumer Protection in Electronic Commerce
     • Records related to display/advertising: 6 months
     • Records related to contracts or withdrawal of subscription: 5 years
     • Records related to payment and supply of goods: 5 years
     • Records related to complaints or dispute resolution: 3 years
   • Framework Act on National Taxes
     • Books and supporting documents of all transactions prescribed by tax law: 5 years
4. Other cases separately notified by the Company in accordance with relevant laws

② Marketing
Personal information collected for events or promotions shall be retained and used for up to one (1) year. The retention period may differ depending on the specific event or promotion, and the period specified in the individual event or promotion shall take precedence.

③ In accordance with Article 15(3) and Article 17(4) of the Personal Information Protection Act and Article 14-2 of its Enforcement Decree, the Company may additionally use or provide personal information without user consent, taking into account specified factors.

Article 3 (Items of Personal Information Processed)
① The Company processes the following categories of personal information:

1. For Membership Services and Service Provision:
   • Google Account: Member identifier information
   • Apple Account: Member identifier information
   • Sandbox Account: Member identifier information
   • When using Google or Apple accounts for gameplay, these accounts may be automatically linked to a Sandbox account. Other than the identifier numbers provided by the social networks, no additional information is collected or stored.
2. For Service Provision and Marketing:
   • Member identifier information, game and service usage records, nickname, event participation records, suspension records, access logs, IP addresses, payment records, game version, device information (model name, OS version), advertising ID, store information, cookies
3. For additional services, with separate consent:
   • Customer support: email address, mobile device name, OS version, payment date/time, payment account, order number, product name, payment amount, name, phone number, IP address, browser information, etc.
   • Event/promotion participation: name, phone number, etc.
   • Event/promotion prize delivery: name, resident registration number, address, postal code, contact details, copy of ID card, etc.

② Methods of Collection

1. Collection during mobile app installation and service use (some data such as cookies, nickname, event participation records, suspension records, access logs, IP addresses, payment records, game version, device information, advertising ID, and other internet log files are automatically collected upon prior consent via web browser or mobile app)
2. Collection via separate consent procedure for promotions and events
3. Automatic collection of identifier numbers through platforms partnered with the Company for service provision
4. Collection through voluntary provision by users or by request when necessary during payment and customer support interactions

③ Refusal of Collection and Use of Personal Information
Users may refuse the collection and use of personal information. However, refusal may result in limited or restricted access to some or all Services.

Article 4 (Processing of Unique Identifiers)
For marketing purposes, the Company may collect and process resident registration numbers with separate consent. Retention and use shall continue until obligations under relevant laws are fulfilled.

• Reporting and payment of taxes for winners of physical prizes (pursuant to Article 24-2(1)(1) of the Personal Information Protection Act and Article 145 of the Income Tax Act).

Article 5 (Procedures and Methods for Destruction of Personal Information)
When personal information becomes unnecessary due to the expiration of the retention period or achievement of its processing purpose, the Company shall destroy the information without delay. If retention is required under other laws despite expiration or achievement of purpose, the information shall be transferred to a separate database (DB) or stored in a different location.

① Destruction Procedures
Personal information subject to destruction shall be selected and destroyed with the approval of the Company’s Personal Information Protection Officer.

② Destruction Methods

1. Personal information stored in electronic file format shall be deleted using technical methods that render the records irrecoverable.
2. Personal information printed on paper shall be shredded or incinerated.

③ Inactive Accounts
Notwithstanding the above, pursuant to the Personal Information Protection Act and its Enforcement Decree, if a user does not access the Services for one (1) year, the Company may classify the account as inactive and either destroy or separately store such personal information. The Company shall notify the user in advance of the destruction or separate storage of information.

Article 6 (Provision of Personal Information to Third Parties)
The Company may provide personal information to third parties only with the user’s consent. However, the following cases are exceptions:

① Where special provisions exist in laws such as the Real Name Financial Transactions and Guarantee of Secrecy Act, Use and Protection of Credit Information Act, Framework Act on Telecommunications, Telecommunications Business Act, Local Tax Act, Consumer Protection Act, Bank of Korea Act, Criminal Procedure Act, and where requests are made by courts, investigative agencies, or other administrative bodies for investigative purposes pursuant to the procedures and methods prescribed by law.

② Where provision is permitted without consent under other laws.

Article 7 (Rights of Users and Legal Guardians and Methods of Exercise)
① Users may at any time exercise their rights to request access, correction, deletion, or suspension of processing of their personal information.
※ For children under the age of 14, such requests must be made directly by the legal guardian. For minors aged 14 or older, rights related to personal information may be exercised either directly by the minor or through their legal guardian.

② Rights may be exercised by submitting a request to the Company via written document, email, or fax, pursuant to Article 41(1) of the Enforcement Decree of the Personal Information Protection Act. The Company shall take prompt action accordingly.

③ Rights may also be exercised through a legal guardian or authorized representative. In such cases, a power of attorney form prescribed by law or regulation must be submitted.

④ Requests for access or suspension of processing may be restricted under Articles 35(4) and 37(2) of the Personal Information Protection Act.

⑤ Requests for correction or deletion cannot be accepted if the personal information is specified as a collection target under other laws.

⑥ When handling requests for access, correction, deletion, or suspension of processing, the Company shall verify whether the requester is the information subject or a legitimate representative.

Article 8 (Installation, Operation, and Refusal of Automated Personal Information Collection Devices)
① The Company collects user information entered into the mobile application for the purpose of providing Services. Users may refuse such collection, but in such cases, membership registration or provision of Services may be impossible.

② To provide customized services, the Company uses cookies that store and retrieve user information. Cookies are small text files sent by the service server to the user’s device and stored there. When the user accesses the Services, the server reads the stored cookie data to verify user information and provide customized services.

③ Users have the option to accept or reject the installation of cookies and may delete them at any time through device settings. However, refusal to allow cookies may cause difficulties in using Services that require login. Cookie settings can be managed as follows:

• Internet Explorer: [Tools] → [Internet Options] → [Privacy] → [Advanced]
• Chrome: [⋮] (top-right) → [Settings] → [Show Advanced Settings] → [Privacy] → [Content Settings]

Article 9 (Collection, Use, and Refusal of Behavioral Information)
① To provide customized services, the Company permits online advertising businesses to collect behavioral information as follows:

• Advertisers collecting and processing behavioral information: Google, Facebook, Twitter
• Collection method: automatic collection when users visit websites or launch applications
• Items collected: web/app access logs, search history, purchase history, advertising ID, IP, etc.
• Retention and usage period: 90 days

② Users may opt out of online customized advertising as follows:

• Android: Go to Privacy Settings → select Opt-out of Interest-based Ads
• iOS: Go to Privacy Settings → select Limit Ad Tracking

Article 10 (Measures to Ensure Security of Personal Information)
The Company implements the following technical, administrative, and physical measures to prevent loss, theft, leakage, alteration, or damage of personal information. However, the Company shall not be responsible for any issues arising from the user’s negligence (e.g., device loss) or incidents outside the Company’s control, even if security obligations are fulfilled.

① Technical measures: Access control such as password settings for personal information systems (or computers storing such information), installation of security programs such as antivirus software, encryption of files containing personal information, etc.
② Administrative measures: Establishment and implementation of internal management plans, restriction and strict management of employees handling data, regular training, etc.
③ Physical measures: Installation of access control systems, locks, CCTV, and other security devices at storage locations of personal information.

Article 11 (Inquiries and Consultation Regarding Personal Information)
① The Company designates a Personal Information Protection Officer responsible for protecting users’ personal information and handling related complaints as follows:

• Personal Information Protection Officer
  • Name: Jang-Kyeom Han
  • Affiliation: Sandbox Network Inc.
  • Email: support_game@sandboxnetwork.net

② For inquiries or complaints regarding personal information or to seek remedies for rights violations, users may also contact the following agencies:

1. Personal Information Infringement Report Center (privacy.kisa.or.kr / 118 without area code)
2. Supreme Prosecutors’ Office Cyber Investigation Division (spo.go.kr / +82-2-3480-3573)
3. National Police Agency Cyber Bureau (cyberbureau.police.go.kr / 182 without area code)
4. Personal Information Dispute Mediation Committee (kopico.go.kr / 1833-6972 without area code)

Article 12 (Linked Sites)
This Privacy Policy does not apply to personal information collection by third-party sites linked through the Services provided by the Company. Users should review the privacy policies of such sites when visiting them.

Article 13 (Duty of Notification)
This Privacy Policy may be revised due to changes in laws, guidelines, or the Company’s internal policies. In the event of changes, the Company shall notify users through its official community, customer center, open market store, or other appropriate channels.

Supplementary Provision
This Privacy Policy shall take effect on August 27, 2025.