NanaChan AI Privacy Policy

Hexpy Games (hereinafter referred to as "Company," "we," "us," or "our") is committed to protecting the freedom and rights of data subjects by complying with the Personal Information Protection Act and related laws and regulations to lawfully process and securely manage personal information. In accordance with Article 30 of the Personal Information Protection Act, we establish and disclose this Privacy Policy to inform data subjects about the procedures and standards for processing personal information and to promptly and smoothly handle related grievances.

This policy applies to all users worldwide, and users in certain regions may be provided with additional rights.

Purpose of Processing Personal Information
Personal Information We Collect
Processing of Personal Information of Children Under 14
Retention and Use Period of Personal Information
Destruction Procedures and Methods
Consignment of Personal Information Processing
International Transfer of Personal Information
Security Measures
Installation and Operation of Automatic Collection Devices
Rights and Obligations of Data Subjects
Privacy Officer
Remedies for Infringement of Rights
Third-Party Services
Additional Information for EEA Users
Additional Information for California Users
Changes to This Privacy Policy

1. Purpose of Processing Personal Information

We process personal information for the following purposes. The personal information we process will not be used for purposes other than those stated below, and if the purpose of use changes, we will take necessary measures such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.

1) Membership Registration and Management

User identification and authentication for membership services
Maintenance and management of membership status
Prevention of fraudulent use of services
Various notices and notifications
Handling complaints and grievances

2) Service Provision

Provision of AI image generation services
Processing in-app purchases and credit management
Customer support and inquiry response
Sending push notifications

3) Service Improvement

Analysis and statistics of service usage
Service quality improvement and error correction
Development of new services

2. Personal Information We Collect

We collect and process the following personal information:

Legal Basis	Collection Purpose	Items Collected	Retention Period
Personal Information Protection Act Article 15(1)(4) (Contract Performance)	Membership registration and service provision	Email address, Name	Until membership withdrawal (30-day recovery period after withdrawal)
Personal Information Protection Act Article 15(1)(4) (Contract Performance)	In-app purchase processing	Transaction identification information (provided by Apple/Google)	5 years (E-Commerce Act)

2) Automatically Collected Information

Items Collected	Collection Purpose	Collection Method	Retention Period
Device information (OS, device model, unique identifier)	Service provision and error analysis	Automatic collection via Sentry	90 days
App usage logs (error information, crash reports)	Service quality improvement	Automatic collection via Sentry	90 days
Advertising identifier (IDFA/GAID)	Ad serving	Google AdMob	According to ad platform policy

3) Information We Do NOT Collect

Social Security Numbers or National ID numbers
Precise location information (GPS)
Biometric information
Health information
Device contacts

4) Image Processing

Uploaded Images: Transmitted directly from your device to Google Gemini API and are not stored on our servers.
Generated Images: Stored on your device and are not stored on our servers.

3. Processing of Personal Information of Children Under 14

We restrict the processing of personal information of children under 14 years of age.

Age restrictions (13/14 years) are set on the Apple App Store and Google Play Store.
If we become aware that a child under 14 has used the service, we will immediately delete the relevant account.
Parents or legal guardians may contact us at yeonwoo.jo@hexpy.games regarding their child's personal information.

4. Retention and Use Period of Personal Information

We retain and use personal information within the retention and use period prescribed by law.

Category	Items Retained	Retention Period	Legal Basis
Member information	Email, Name	Until membership withdrawal	Service provision
Withdrawn member information	Email, Name	30 days	Account recovery support
Transaction records	In-app purchase information	5 years	E-Commerce Act Article 6
Log data	Error logs, device information	90 days	Service quality improvement

5. Destruction Procedures and Methods

We destroy personal information without delay when it becomes unnecessary due to the expiration of the retention period or achievement of the processing purpose.

1) Destruction Procedure

We select personal information that has a reason for destruction and destroy it with the approval of the Privacy Officer.

2) Destruction Method

Electronic Files: Permanently deleted in a manner that makes recovery impossible
Paper Documents: Shredded or incinerated

3) Exception to Destruction

If personal information must be retained in accordance with other laws, we separate and store such personal information in a separate database.

6. Consignment of Personal Information Processing

We consign personal information processing tasks as follows for smooth business operations:

Consignee	Consigned Tasks
Supabase, Inc.	Member authentication and data storage
Functional Software, Inc. (Sentry)	Error tracking and performance monitoring
Google LLC (AdMob)	Ad serving

When entering into consignment contracts, we specify and document matters such as prohibition of personal information processing beyond the consignment purpose, technical and administrative protection measures, restrictions on re-consignment, management and supervision of consignees, and liability for damages in accordance with Article 26 of the Personal Information Protection Act, and supervise whether consignees safely process personal information.

If the content of consigned tasks or consignees change, we will disclose such changes through this Privacy Policy without delay.

7. International Transfer of Personal Information

We transfer personal information internationally as follows to provide services:

1) AI Image Generation Service

Item	Details
Legal Basis	Personal Information Protection Act Article 28-8(1)(3) (Processing consignment)
Items Transferred	Uploaded images (temporary processing)
Country of Transfer	United States (Google Cloud servers)
Transfer Timing and Method	Immediately upon image generation request, transmission via encrypted network
Recipient	Google LLC (Gemini API)
Purpose of Use	AI image generation processing
Retention and Use Period	Immediately deleted upon processing completion (according to Google policy)

2) Data Storage and Authentication

Item	Details
Legal Basis	Personal Information Protection Act Article 28-8(1)(3) (Processing consignment)
Items Transferred	Email address, Name
Country of Transfer	United States (Supabase servers)
Transfer Timing and Method	Upon membership registration, transmission via encrypted network
Recipient	Supabase, Inc.
Purpose of Use	Member authentication and data storage
Retention and Use Period	Until 30 days after membership withdrawal

3) Error Tracking

Item	Details
Legal Basis	Personal Information Protection Act Article 28-8(1)(3) (Processing consignment)
Items Transferred	Device information, error logs
Country of Transfer	United States (Sentry servers)
Transfer Timing and Method	Immediately upon error occurrence, transmission via encrypted network
Recipient	Functional Software, Inc. (Sentry)
Purpose of Use	Service error correction and quality improvement
Retention and Use Period	90 days

4) How to Refuse International Transfer

If you do not wish for international transfer, you can proceed with membership withdrawal through the app's settings menu. However, since international transfer is essential for service provision, the service will be unavailable if you refuse.

8. Security Measures

We take the following measures to ensure the security of personal information:

1) Administrative Measures

Establishment and implementation of internal management plans
Minimization of staff handling personal information

2) Technical Measures

Encryption of personal information (in transit and at rest)
Access control and management
Installation and updating of security programs
Retention and inspection of access logs

3) Physical Measures

Access control to personal information processing systems
Verification of security certifications of cloud service providers

Despite our best efforts, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

9. Installation and Operation of Automatic Collection Devices

1) Collection of Advertising Identifiers

We collect advertising identifiers as follows to provide personalized advertising:

Item	Details
Items Collected	Advertising identifier (iOS: IDFA, Android: GAID)
Collection Method	Automatic collection via Google AdMob SDK
Collection Purpose	Serving personalized ads
Retention Period	According to Google AdMob policy

2) How to Block Advertising Identifiers

iOS:

Settings → Privacy & Security
Tracking → Disable 'Allow Apps to Request to Track'

Android:

Settings → Security & Privacy
Privacy → More Privacy Settings → Ads
Select 'Delete advertising ID'

Even if you refuse the collection of advertising identifiers, there will be no restrictions on service use, but general ads may be displayed instead of personalized ads.

10. Rights and Obligations of Data Subjects

Data subjects may exercise the following privacy-related rights against the Company at any time:

1) Exercisable Rights

Right to request access to personal information
Right to request correction of personal information
Right to request deletion of personal information
Right to request suspension of personal information processing

2) How to Exercise Rights

In-App: Settings → Account Management → Membership Withdrawal
Email: yeonwoo.jo@hexpy.games
Response Period: Within 10 days from the date of request

3) Notes on Exercising Rights

Legal guardians may exercise rights on behalf of children under 14.
You may not request deletion if the personal information is specified as a subject of collection in other laws.

11. Privacy Officer

We have designated the following Privacy Officer to oversee matters related to personal information processing and to handle complaints and remedies for data subjects:

Privacy Officer

Name: Yeonwoo Jo
Position: CEO
Email: yeonwoo.jo@hexpy.games
Address: 49-6, Maenami-gil, Salmi-myeon, Chungju-si, Chungcheongbuk-do, Republic of Korea

Data subjects may contact the Privacy Officer regarding any inquiries, complaints, or remedy requests related to privacy while using our services. We will respond to and handle your inquiries without delay.

12. Remedies for Infringement of Rights

Data subjects may apply for dispute resolution or counseling to the following organizations to receive remedies for personal information infringement:

Korea

Personal Information Dispute Mediation Committee: 1833-6972 (without area code) (www.kopico.go.kr)
Privacy Infringement Report Center: 118 (without area code) (privacy.kisa.or.kr)
Supreme Prosecutors' Office: 1301 (without area code) (www.spo.go.kr)
Korean National Police Agency: 182 (without area code) (ecrm.police.go.kr)

European Union (EU/EEA)

You may file a complaint with the Supervisory Authority in your member state.

United States (California)

California Attorney General's Office

13. Third-Party Services

Our app integrates with third-party services that have their own privacy policies:

Google Services (Gemini API, AdMob): https://policies.google.com/privacy
Apple Sign-In: https://www.apple.com/legal/privacy/
Supabase: https://supabase.com/privacy
Sentry: https://sentry.io/privacy/

Please review these third-party privacy policies. We are not responsible for the privacy practices of third parties.

14. Additional Information for EEA Users

If you reside in the European Economic Area (EEA), United Kingdom, or Switzerland, you are provided with the following additional rights and information under the General Data Protection Regulation (GDPR).

1) Legal Basis for Processing Personal Information

Processing Activity	Legal Basis	GDPR Article
Membership registration and service provision	Contract performance	Article 6(1)(b)
In-app purchase processing	Contract performance	Article 6(1)(b)
Service improvement and analysis	Legitimate interests	Article 6(1)(f)
Ad serving	Consent	Article 6(1)(a)
Legal obligation compliance	Legal obligation	Article 6(1)(c)

Legitimate Interests: Our legitimate interests are service quality improvement, security maintenance, and fraud prevention.

In addition to the rights in Section 10, you have the following rights:

Right to Restriction of Processing (GDPR Article 18): Right to restrict processing of personal information in certain circumstances
Right to Data Portability (GDPR Article 20): Right to receive personal information in a structured, machine-readable format
Right to Object to Automated Decision-Making (GDPR Article 22): Right to object to decisions based solely on automated processing
Right to Withdraw Consent: Right to withdraw consent at any time for consent-based processing (without affecting the lawfulness of processing before withdrawal)

3) Objection to Processing Based on Legitimate Interests

Under GDPR Article 21, you have the right to object to processing of personal information based on legitimate interests. In such cases, we will cease processing the personal information unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

4) Filing Complaints with Supervisory Authority

You have the right to file a complaint with the data protection supervisory authority in your country of residence regarding the processing of personal information.

5) International Data Transfers

Transfers of personal information outside the EEA are protected through appropriate safeguards such as:

Standard Contractual Clauses approved by the EU Commission
Appropriate privacy certifications of recipients

6) Data Protection Officer

For GDPR-related inquiries, please contact us at yeonwoo.jo@hexpy.games.

15. Additional Information for California Users

California residents have the following additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

1) Rights Under CCPA/CPRA

Right to Know: Right to know the categories and specific pieces of personal information collected, sources, purposes of use, and parties with whom information is shared
Right to Delete: Right to request deletion of collected personal information, subject to certain exceptions
Right to Correct: Right to request correction of inaccurate personal information
Right to Non-Discrimination: Right not to be discriminated against for exercising privacy rights

2) Categories of Personal Information Collected

We have collected the following categories of personal information in the past 12 months:

Category	Examples	Collected
Identifiers	Name, email address	✅ Yes
Commercial information	Purchase records	✅ Yes
Internet activity	App usage logs	✅ Yes
Biometric information	Fingerprints, facial recognition	❌ No
Geolocation data	GPS coordinates	❌ No

We do NOT sell personal information as defined by the CCPA.

We may share the following categories of personal information with third parties for advertising purposes:

Advertising identifiers (IDFA/GAID)
App usage information

4) Sensitive Personal Information

We do not collect sensitive personal information as defined by the CCPA.

5) California "Shine the Light" Law

Under California Civil Code Section 1798.83, you may request information about personal information disclosed to third parties for marketing purposes once per year, free of charge.

6) How to Exercise Rights

You may exercise your rights by sending an email to yeonwoo.jo@hexpy.games or through the app's settings.

We may request additional information to verify your identity when exercising rights, and requests through authorized agents are also possible.

16. Changes to This Privacy Policy

1) Effective Date

This Privacy Policy is effective from October 11, 2025.

2) Notice of Changes

If there are additions, deletions, or modifications to the content of this Privacy Policy, we will announce them through in-app notifications at least 7 days before the implementation of the changes.

However, if there are significant changes that affect data subject rights, such as changes to the items of personal information collected or purposes of use, we will notify at least 30 days in advance and obtain consent again if necessary.

3) Continued Use After Changes

Continued use of the service after the effective date of the revised Privacy Policy will be considered as consent to the revised Privacy Policy.

4) Revision History

October 11, 2025: Initial creation and implementation

Contact Us

If you have any questions about this Privacy Policy or the processing of personal information, please contact us:

Email: yeonwoo.jo@hexpy.games

Company Name: Hexpy Games

Representative: Yeonwoo Jo

Address: 49-6, Maenami-gil, Salmi-myeon, Chungju-si, Chungcheongbuk-do, Republic of Korea

Response Time: Within 5 business days

Effective Date: October 11, 2025

Last Updated: October 11, 2025

Version: 1.0