Privacy Policy

YW Lab (the "Developer") values the personal information of users in providing the mobile game "Dear My Frog" (the "Service"), and has established and published this Privacy Policy in order to comply with the Personal Information Protection Act, the Telecommunications Network Act, the EU General Data Protection Regulation (GDPR), and other applicable laws and regulations.

1. Personal Information Collected

1-1. Required Information (Automatically Generated Upon Service Use)

1-2. Optional Information (When Using Google Sign-In)

• Google Sign-In is optional; the game may be played without registering.
• Additional items such as profile photo or date of birth are not collected.

1-3. Advertising Identifiers (Automatically Collected)

• Users may reset their Advertising ID or opt out of personalized ads in device settings (Android: Settings → Google → Ads).

1-4. Payment Information

• In-app purchases are processed through the Google Play payment system; payment details such as card or account numbers are not collected or stored by the Developer.
• The Developer receives only the payment receipt (order ID, product ID, purchase time) from Google, which is used solely to verify Diamond delivery.

1-5. Marketing Communications (Distinct from Operational Notifications)

Pursuant to Article 50 of the Telecommunications Network Act, the Developer obtains separate prior consent before sending commercial advertising messages. The following notifications are operational service notifications, not marketing communications, and may be sent without the User's consent:

• Push notifications of support or wishes sent by other users (a core service feature)
• Gameplay notifications such as dispatch completion, booster expiry, and daily mission reset
• Required notices such as Terms or Policy updates, maintenance announcements, and service termination notices

The operational notifications above may be disabled in the in-game settings or device settings. Should marketing communications become necessary in the future, a separate consent process will be provided.

2. Purposes of Collection and Use of Personal Information

3. Retention and Use Period of Personal Information

• Game data: retained until account deletion or 1 year after last access, then deleted
• Payment receipt information: retained for 5 years pursuant to the E-Commerce Act
• Log data (access and error): retained for 3 months, then deleted
• Ad reward verification logs: retained for 6 months, then deleted
• Content moderation logs (records of reports and blocks of wishes/support messages): retained for 90 days, then deleted (for purposes of identifying repeat violators and addressing disputes)

Upon receipt of an account deletion request, all data except items subject to the above retention periods is immediately destroyed.

4. Disclosure of Personal Information to Third Parties

The Developer does not disclose Users' personal information to third parties beyond what is stated in this Policy, except in the following cases:

• Where the User has given prior consent
• Where a lawful request is made by an investigative authority pursuant to applicable law and following proper procedures
• Where data is provided in a form that does not identify specific individuals, for purposes such as statistical analysis or academic research

5. Outsourcing of Personal Information Processing

The Developer outsources personal information processing as follows for service operation:

• The Supabase database is located in the Seoul Region of the Republic of Korea, so game data, account information, and wish text are not transferred overseas.
• Google and Firebase processing (authentication, payments, advertising, push notifications, crash logs) uses Google's global infrastructure and may be transferred to the United States or other countries. For details, please refer to Google's Privacy Policy.
• Upon implementation of AI content moderation, portions of wish/support text written by Users (up to 500 characters) may be transmitted to OpenAI, L.L.C. (United States) for policy violation review. Implementation timing, scope of transmission, and related details will be communicated via in-Service notice or an update to this Policy.
• The operator and location of the IP geolocation API are subject to change; the Developer does not transmit personally identifiable information (names, accounts, etc.) to such APIs.

5-1. Separate Notice of Overseas Data Transfer (Personal Information Protection Act Art. 28-8)

The use of Supabase, Inc. (headquartered in the United States) and Google LLC/Firebase global infrastructure among the above processors constitutes overseas transfer of personal information under Article 28-8 of the Personal Information Protection Act. The items transferred are the game data, device identifiers, and log data described in Section 1 of this Policy, and the recipients are the processors identified in the table above. By agreeing to this Privacy Policy, Users are deemed to have consented to the overseas transfers described herein. Refusing consent will restrict Users' ability to use the cloud synchronization, authentication, push notification, and payment verification features of the Service.

5-2. Lawful Basis for Processing — EU/EEA Users (GDPR Article 13)

The lawful basis for processing personal information of EU/EEA residents is as follows, pursuant to Article 6 of the GDPR:

• (a) GDPR Article 6(1)(a) — Consent: Processing based on the User's consent to this Privacy Policy and upon entering the game.
• (b) GDPR Article 6(1)(b) — Performance of a Contract: Processing necessary to deliver the game service (in-game currency, accounts, social features, cloud synchronization).
• (c) GDPR Article 6(1)(f) — Legitimate Interests: Processing for the purpose of preventing fraud and maintaining service security (ad abuse verification, security logs, moderation). Such processing is carried out only to the extent that it does not override the rights and freedoms of Users.

Where consent is the lawful basis, Users may withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

6. Rights and Obligations of Data Subjects and How to Exercise Them

Users may exercise the following rights at any time:

1. Right of Access: The right to access the categories of personal information being processed and the status of such processing
2. Right to Rectification and Erasure: The right to request correction of inaccurate information or deletion of personal information
3. Right to Restriction of Processing: The right to request that the processing of personal information be restricted
4. Account Deletion (Right to Erasure): The right to request permanent deletion of all personal information and game data (compatible with GDPR Article 17 "Right to Erasure")
5. Right to Data Portability: The right to receive one's data in a standard format (such as JSON) (GDPR Article 20)

Rights may be exercised by contacting the Developer via the email address listed in "10. Personal Information Protection Officer" below. The Developer will respond within 30 days of receiving a request.

7. Measures to Ensure Security of Personal Information

• Encryption: Sensitive information such as passwords is stored using Supabase Auth's one-way hash (bcrypt).
• Access Control: Supabase Row Level Security (RLS) policies ensure that Users can only access their own data.
• HTTPS Communication: All communication between client and server is encrypted using TLS 1.2 or higher.
• OAuth Security: State parameter verification is applied to prevent CSRF attacks during Google Sign-In.
• Log Minimization: In production builds, logs that may contain personal information (such as user IDs and OAuth URLs) are disabled.

8. Automated Data Collection (Cookies and Advertising Identifiers)

• This Service does not use web cookies.
• The AdMob SDK automatically collects the Advertising ID (GAID). Users may opt out by selecting "Reset Advertising ID" or "Opt out of Ads Personalization" in device settings. Opting out will continue to display ads, but they will be non-personalized.
• For users on iOS 14.5 or later, an App Tracking Transparency (ATT) permission prompt will appear upon first launch. The Identifier for Advertisers (IDFA) is collected only if the User grants permission. Declining will not restrict game access.

9. Personal Information of Children Under Age 14

• The Service is available to users aged 13 or older (per Google Play policy).
• Children under age 14 residing in the Republic of Korea require the consent of a legal guardian pursuant to Article 22(6) of the Personal Information Protection Act, and therefore may not consent to account registration (Google Sign-In) or the collection and use of personal information, and may not use the cloud data storage feature.
• If it is confirmed that a child under age 14 has registered, the account will be immediately deleted and all personal information will be destroyed.
• Children under age 13 residing in the United States may not use this Service pursuant to the Children's Online Privacy Protection Act (COPPA), and account registration is blocked by Google Play's age-13-and-older policy. If such a child is confirmed to have registered, their information will be immediately destroyed.

10. Personal Information Protection Officer

The Developer has designated a Personal Information Protection Officer pursuant to Article 30 of the Personal Information Protection Act to take overall responsibility for personal information processing and to handle complaints and remedy harm for data subjects:

• Name: Kim Soonhak
• Title: Representative
• Email: tnsgkr.dev@gmail.com
• Response time: Within 7 business days

Business information required under the E-Commerce Act — including the company name, business registration number, business address, and mail-order business registration number — is available on the Google Play Store page and within the game settings menu under "Business Information."

11. Remedies for Infringement of Rights

Users may apply for dispute resolution or consultation with the following agencies to seek remedy for personal information infringement:

• Personal Information Dispute Mediation Committee: 1833-6972 (no area code) / www.kopico.go.kr (opens in new tab)
• Personal Information Infringement Reporting Center: 118 (no area code) / privacy.kisa.or.kr (opens in new tab)
• Supreme Prosecutors' Office Cyber Investigation Division: 1301 (no area code) / www.spo.go.kr (opens in new tab)
• National Police Agency Cyber Investigation Bureau: 182 (no area code) / ecrm.cyber.go.kr (opens in new tab)

EU residents have the right to lodge a complaint with the supervisory authority in their country of residence pursuant to the EU GDPR.

California residents may exercise the following rights under the California Consumer Privacy Act (CCPA/CPRA):

• Right to Know what personal information is being processed
• Right to Delete personal information
• Right to Opt-Out of the sale or sharing of personal information — This Service does not sell Users' personal information to third parties.
• Right to Non-Discrimination for exercising rights

Rights may be exercised by contacting the Personal Information Protection Officer via email listed in "10." above.

12. Changes to This Privacy Policy

Any additions, deletions, or modifications to this Privacy Policy due to changes in law, policy, or security technology will be communicated via in-Service notice 7 days before the effective date (30 days in advance for changes unfavorable to Users).