Privacy Policy

Overview of Privacy Policy

This Privacy Policy (hereinafter referred to as "this Policy") is prepared by Icon Casting Co., Ltd. (hereinafter referred to as "Icon Casting" or "the Company") and applies to general customers of the Company, visitors to the Picnic website, users of the Company's apps, and other service users (hereinafter referred to as "Members"). The term "app" in this Policy refers to all apps provided by the Company (including apps provided through third-party stores, marketplaces, or other means), and the term "site" refers to all websites operated or maintained by the Company or on behalf of the Company. However, some services may have their own separate privacy policies. Members are advised to regularly review this Policy as it may be amended or updated from time to time. The term "personal information" used in this Policy has the following meanings:

The term "personal information" used in this Policy refers to personal information as defined in Article 2 of the Personal Information Protection Act of South Korea. For the purposes of the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018, the term "personal information" used in this Policy means any information related to an individual that can identify the individual directly or indirectly, particularly by reference to an identifier such as a name, identification number, location data, or online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual. For the purposes of the California Consumer Privacy Act (CCPA), the term "personal information" used in this Policy includes any information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Article 2: Purpose of Processing Personal Information

The Company processes Members' personal information for the following purposes in accordance with relevant laws and regulations:

• Providing the Company's website, app, products, and services: This includes providing the Company's website, app, products, and services, registering accounts, providing service guidance and consultation, detecting and preventing fraudulent use, providing Picnic service memberships and community activities, conducting statistics and analysis, providing promotional materials (if requested), contacting Members regarding the Company's website, app, or services, and providing and operating event services (including verifying participants, providing and delivering prizes to winners, and handling other grievances), and creating customized products.
• Operating the Company's business: This includes operating and maintaining the Company's website, app, and services, providing content to Members, displaying advertisements and other information to Members, selling and delivering products, authenticating users to detect and prevent duplicate or fraudulent use, communicating with Members about changes to the Company's website, app, or services.
• Communication and marketing: This includes providing news and other information that Members may be interested in via email, app push notifications, or other contact methods, providing customized services based on the Company's website, app, products, and services, retaining and updating Members' contact information when necessary, and recording Members' preferences for receiving or unsubscribing from email communications sent by the Company.
• IT system management: This includes managing and operating the Company's communication, IT, and security systems, conducting related system audits (including security audits), and monitoring the systems.
• Improving the Company's website, app, and services: This includes identifying issues related to the Company's website, app, or services, planning improvements to the Company's website, app, or services, and developing new websites, apps, or services.

Article 3: Personal Information Processing Items

The personal information processed by the Company includes the following:

• Required information: Information necessary to perform the essential functions of the service.
• Optional information: Information collected additionally to provide more specialized services (the service can still be used without entering optional information).

Required Processing Items

Service Name: Picnic Account

• Processing Time: Upon new account registration
  • Processing Items: General Member: ID (email), password, nickname SNS (Google, Twitter, Apple, Kakao, Naver) linked account: ID (email), nickname
  • Retention and Usage Period: 3 months after account withdrawal or as required by related laws

Service Name: Picnic

• Processing Time: Upon service registration
  • Processing Items: User authentication information (linked with Picnic Account)
  • Retention and Usage Period: 3 months after service withdrawal or as required by related laws
• Processing Time: When using individual artist services
  • Processing Items: Nickname, profile image
  • Retention and Usage Period: 3 months after service withdrawal or as required by related laws
• Processing Time: When using paid services
  • Processing Items: Receipt number (for in-app purchases)
  • Retention and Usage Period: 3 months after service withdrawal or as required by related laws
• Processing Time: When requesting customer refunds
  • Processing Items: Picnic Account ID (email), name (first/last name), bank name, account number, address
  • Retention and Usage Period: 5 years after processing the refund as required by related laws
• Processing Time: When reporting illegal recordings
  • Processing Items: Name, mobile phone number (phone number), email
  • Retention and Usage Period: 3 years from the reporting date as required by related laws

Common Processing Items

• Processing Time: During event proceedings
  • Processing Items: Prize delivery: email, delivery information (name, phone number, address)
    • Retention and Usage Period: 1 year after the event ends, but participation information of non-winners is retained for up to 6 months after the announcement of winners
  • Processing Items: Fan meetings, public broadcasts, and on-site performances: email, name, date of birth, phone number Online performances such as video fan meetings: email, name, date of birth, phone number, SNS account (KakaoTalk ID, LINE messenger ID, WhatsApp ID)
    • Retention and Usage Period: 1 year after the event ends, but participation information of non-winners is retained for up to 3 months after the event ends
• Processing Time: When receiving customer inquiries
  • Processing Items: General inquiries: email, inquiry content Purchase-related inquiries: email, inquiry content, phone number
  • Retention and Usage Period: 3 years after the inquiry is registered as required by related laws
• Processing Time: When verifying SMS ownership
  • Processing Items: Country code, mobile phone number
  • Retention and Usage Period: 1 year after account withdrawal or as required by related laws
• Processing Time: When providing marketing and promotional information
  • Processing Items: Email, automatically generated information (app push identifier, device information, etc.)
  • Retention and Usage Period: 3 months after account withdrawal or as required by related laws
• Processing Time: When accessing and using the service, providing reward services
  • Processing Items: Automatically generated information by cookies, service usage records (visit time, IP address, bad usage records, etc.), device information (unique device identifier, OS version), access country
  • Retention and Usage Period: 3 months after service withdrawal or as required by related laws

The Picnic service operated by the Company is not intended for children (under 14 years of age for domestic users, under 16 years of age for foreign users). If the Company becomes aware that personal information has been collected from a child, the Company will delete such information and terminate the account. If you believe the Company has collected information from a child, please contact the contact information in "Article 13".

Article 4: Provision of Personal Information to Third Parties

The Company does not provide personal information to third parties without the Member's consent or unless otherwise required by related laws.

The Company may provide personal information without the Member's consent within the scope reasonably related to the purpose of collection. In such cases, the Company will consider whether the additional use is related to the original purpose, whether it is predictable based on the context of collection or processing practices, whether it unfairly infringes on the Member's interests, and whether safety measures such as pseudonymization or encryption have been taken.

Article 5: Delegation of Personal Information Processing

The Company may delegate personal information processing to professional firms or utilize specialized platforms within the scope disclosed in the privacy policy for the purpose of providing services and fulfilling contracts.

When entering into a delegation contract, the Company will specify in writing the prohibition of personal information processing beyond the delegated purpose, technical and managerial protection measures, restrictions on re-delegation, management and supervision of the delegate, and liability for damages, and will supervise the delegate to ensure safe processing of personal information. If the delegation or delegate changes, the Company will disclose such changes promptly through the privacy policy.

Article 6: Transfer of Personal Information Overseas

All personal information of the Company is stored within the region of the Republic of Korea. The Company may transfer or manage Member information overseas for the purpose of providing services and convenience to Members. The details of overseas personal information transfers will be disclosed in the future.

Members may refuse the transfer of personal information overseas, which may restrict the use of services that require such transfers. If you do not wish for overseas transfers, you can withdraw from the Picnic application or request to suspend the processing of personal information through the Company's personal information protection officer or grievance handling department.

Article 7: Retention Period of Personal Information

The Company retains and uses personal information collected from Members during the service usage period. The Company will promptly destroy personal information that is no longer necessary, such as when the retention period expires or the processing purpose is achieved. Additionally, the Company may retain personal information separately for a certain period as required by related laws or for necessary internal policy reasons.

Article 8: Destruction of Personal Information

The Company will destroy Members' personal information without delay once the purpose of collection and use is achieved, in accordance with internal policies and other legal obligations. Personal information stored electronically will be deleted using technical methods that make the information unrecoverable, and paper-based personal information will be shredded or incinerated.

Article 9: Rights of Information Subjects

Members have the following rights concerning their personal information managed by the Company, in accordance with applicable laws. Members may exercise these rights at any time by contacting the personal information protection officer listed in "Article 13" of this policy.

• The right to refuse to provide personal information to the Company (however, if Members refuse to provide personal information, they may not be able to receive all the benefits of the Company's website, app, or services, and it may be difficult to process their requests without necessary details).
• The right to request information on the attributes, processing, and disclosure of personal information managed by the Company and to request access to or copies of such information.
• The right to request correction of inaccuracies in the personal information managed by the Company.
• The right to request the following actions under legitimate reasons:
  • Deletion of personal information managed by the Company.
  • Suspension of personal information processing by the Company.
• The right to transfer specific personal information to another party in a structured, commonly used, and machine-readable format, to the extent applicable.
• The right to withdraw consent for the processing of personal information by the Company (however, such withdrawal does not affect the lawfulness of processing conducted before the withdrawal notice is received and does not prevent the Company from processing personal information based on other available legal grounds).
• The right to file complaints with data protection authorities regarding the processing of personal information by the Company.

Article 10: Technical and Managerial Measures for Personal Information Protection

The Company takes reasonable measures to ensure the safety of personal information and prevent loss, theft, leakage, alteration, or damage. Technical measures include:

• Personal information is protected by passwords and encrypted information. Members must not disclose or provide their personal information to others and must responsibly manage their personal information to avoid problems caused by their mistakes or the inherent risks of the internet. The Company is not responsible for issues arising from Members' personal mistakes or the basic risks of the internet.
• Personal information is protected by passwords and encrypted information, and important data is protected through additional security functions by encrypting files and transmission data.
• The Company uses antivirus programs to prevent damage caused by computer viruses, and the programs are regularly updated.
• The Company operates intrusion detection and prevention systems to monitor and manage potential external threats such as hacking and viruses 24/7.

The Company recognizes the importance of protecting personal information and limits access to personal information processing staff. The personal information protection officer regularly trains processing staff on personal information protection and strives to ensure compliance with this policy. The Company also regularly inspects the implementation of this policy and takes corrective or improvement measures as necessary.

Article 11: Installation, Operation, and Rejection of Automatic Personal Information Collection Devices

The Company uses cookies to store and retrieve Member information. Cookies are small strings of information sent by the website server to the user's computer browser (e.g., Internet Explorer, Safari, Chrome, Firefox). Cookies identify the user's computer but do not personally identify the user.

The Company uses Google Analytics (privacy policy link) and Firebase (terms link) APIs provided by Google for service provision and statistical analysis. For detailed information, please refer to the Company's cookie policy.

(1) Operation of cookies

• Provide differentiated information according to individual interests
• Analyze access frequency or stay time of Members and non-members to understand Member preferences and use targeted marketing
• Track browsing history to provide personalized services upon next visit
• Analyze customer habits to use as a measure for service improvements

(2) Cookie choices Members can adjust their web browser to accept all cookies, notify when cookies are installed, or reject all cookies. However, if cookies are rejected, some services that require login may not be available. How to specify cookie settings (for Internet Explorer):

• Select [Internet Options] from the [Tools] menu.
• Click the [Privacy] tab.
• In [Privacy Settings], adjust to "Allow all cookies - Low - Medium - Medium high - High - Block all cookies". (3) Cookies expire when the browser is closed or logged out.

Article 12: Criteria for Additional Use and Provision of Personal Information

The Company may use or provide personal information additionally without the Member's consent within the scope of Article 15(3) and Article 17(4) of the Personal Information Protection Act and Article 14-2 of the Enforcement Decree of the Personal Information Protection Act.

Item 1: Nickname, post content

• Purpose of use and provision: Management of artist community operations and sending major announcements
• Retention and use period: 3 months after service withdrawal or as required by related laws

Item 2: (Event winner) email

• Purpose of use and provision: Notification of community event winners and verification of winners
• Retention and use period: 1 year after the event ends

Item 3: Automatically generated information (internal identification key, device information, etc.), service usage records (visit time, IP address, bad usage records, etc.), device information (unique device identifier, OS version), access country

• Purpose of use and provision: Statistics and revenue analysis of platform service usage
• Retention and use period: 3 months after service withdrawal or as required by related laws

Item 4: Email, user identification information for linking Picnic Account

• Purpose of use and provision: Login and service provision for TXT the answer service
• Retention and use period: 90 days after TXT the answer service withdrawal

The Company considered the following factors to additionally use or provide personal information without the Member's consent:

1. Whether the additional use or provision is related to the original purpose of collection.
2. Whether the additional use or provision is predictable based on the context of collection or processing practices.
3. Whether the additional use or provision unfairly infringes on the Member's interests.
4. Whether necessary safety measures such as pseudonymization or encryption have been taken.

Article 13: Personal Information Protection Officer

The Company has appointed the following personal information protection officer to protect Members' personal information and handle related complaints. Members can report any personal information protection-related complaints arising from using the Company's services to the personal information protection officer, and the Company will provide prompt and sufficient responses.

• Personal Information Protection Officer: Jae-geun Hwang
• Grievance Handling Department: CX Team
• Department for Receiving and Processing Requests for Access to Personal Information: CX Team
• 1:1 Inquiry within the Picnic application

Article 14: Remedies for Rights Infringement

The Company operates a customer consultation channel to facilitate communication and resolution of Members' opinions and complaints related to personal information protection. In South Korea, if there is a dispute related to personal information protection or if consultation is needed regarding personal information infringement, Members can contact the Korea Internet & Security Agency Personal Information Infringement Report Center, Cyber Safety Bureau of the National Police Agency, etc. Contact Information:

• Personal Information Infringement Report Center
  • privacy.kisa.or.kr
  • 118
• Personal Information Dispute Mediation Committee
  • kopico.go.kr
  • 1833-6972
• Supreme Prosecutors' Office Cyber Crime Investigation Division
  • spo.go.kr
  • 1303
• Cyber Safety Bureau of the National Police Agency
  • cyber.go.kr
  • 182

Article 15: Changes to the Privacy Policy

This Privacy Policy applies from June 4, 2024, and the previous Privacy Policy can be found below. Privacy Policy Version: Integrated V2.4 Effective Date: June 4, 2024 Previous Privacy Policy Link

Regional Provisions

The following provisions apply to Members based on their location or nationality. In case of conflict between these provisions and the main text of this Privacy Policy, these provisions take precedence.

EEA and UK

For the purposes of this section, the term "personal information" in the main text of this Policy has the same meaning as defined in "Article 1 Overview of the Privacy Policy". The following text is added as the last paragraph of "Article 1 Overview of the Privacy Policy": For the purposes of the GDPR and the UK Data Protection Act 2018, the company primarily responsible for determining how and why Members' personal information is processed and for complying with applicable data protection laws is Icon Casting Co., Ltd.

Article 2 is replaced with the following:

Article 2: Purpose and Legal Basis for Processing Personal Information

The Company processes Members' personal information for the following purposes in accordance with relevant laws and regulations:

• Related Processing Activity 1:
  • Providing the Company's website, app, products, and services: This includes providing the Company's website, app, products, and services, registering accounts, providing service guidance and consultation, detecting and preventing fraudulent use, providing Picnic service memberships and community activities, conducting statistics and analysis, providing promotional materials (if requested), contacting Members regarding the Company's website, app, or services, and providing and operating event services (including verifying participants, providing and delivering prizes to winners, and handling other grievances), and creating customized products.
• Legal Basis:
  • This processing activity is necessary to perform the contract to which the Member is a party or to take steps at the request of the Member prior to entering into a contract, or
  • The Company has a legitimate interest in performing this processing activity for the purpose of providing the Company's website, app, or services to the Member (except where such interests are overridden by the interests, fundamental rights, or freedoms of the Member), or
  • The Company has obtained the Member's consent in advance for this processing activity (provided that this legal basis applies only to processing activities that are entirely voluntary and not mandatory in any way).
• Related Processing Activity 2:
  • Operating the Company's business: This includes operating and maintaining the Company's website, app, and services, providing content to Members, displaying advertisements and other information to Members, selling and delivering products, authenticating users to detect and prevent duplicate or fraudulent use, communicating with Members about changes to the Company's website, app, or services.
• Legal Basis:
  • This processing activity is necessary to perform the contract to which the Member is a party or to take steps at the request of the Member prior to entering into a contract, or
  • The Company has a legitimate interest in performing this processing activity for the purpose of providing the Company's website, app, or services to the Member (except where such interests are overridden by the interests, fundamental rights, or freedoms of the Member), or
  • The Company has obtained the Member's consent in advance for this processing activity (provided that this legal basis applies only to processing activities that are entirely voluntary and not mandatory in any way).
• Related Processing Activity 3:
  • Communication and marketing: This includes providing news and other information that Members may be interested in via email, app push notifications, or other contact methods, providing customized services based on the Company's website, app, products, and services, retaining and updating Members' contact information when necessary, and recording Members' preferences for receiving or unsubscribing from email communications sent by the Company.
• Legal Basis:
  • This processing activity is necessary to perform the contract to which the Member is a party or to take steps at the request of the Member prior to entering into a contract, or
  • The Company has a legitimate interest in performing this processing activity for the purpose of providing the Company's website, app, or services to the Member (except where such interests are overridden by the interests, fundamental rights, or freedoms of the Member), or
  • The Company has obtained the Member's consent in advance for this processing activity (provided that this legal basis applies only to processing activities that are entirely voluntary and not mandatory in any way).
• Related Processing Activity 4:
  • IT system management: This includes managing and operating the Company's communication, IT, and security systems, conducting related system audits (including security audits), and monitoring the systems.
• Legal Basis:
  • This processing activity is necessary to comply with the Company's legal obligations, or
  • The Company has a legitimate interest in performing this processing activity for the purpose of managing and maintaining the Company's communication and IT systems (except where such interests are overridden by the interests, fundamental rights, or freedoms of the Member).
• Related Processing Activity 5:
  • Improving the Company's website, app, and services: This includes identifying issues related to the Company's website, app, or services, planning improvements to the Company's website, app, or services, and developing new websites, apps, or services.
• Legal Basis:
  • The Company has a legitimate interest in performing this processing activity for the purpose of improving the Company's website, app, or services (except where such interests are overridden by the interests, fundamental rights, or freedoms of the Member), or
  • The Company has obtained the Member's consent in advance for this processing activity (provided that this legal basis applies only to processing activities that are entirely voluntary and not mandatory in any way).

Direct Marketing

The Company processes personal information to contact Members via email, phone, direct mail, or other communication methods to provide information about the website, app, or services that Members may be interested in. Additionally, personal information is processed to display content tailored to the Member's use of the Company's website, app, or services. The Company will always obtain the Member's consent in advance through an opt-in process where required by applicable laws. Members can choose to unsubscribe from the Company's promotional email list at any time by clicking the unsubscribe link included in all promotional electronic communications or by unsubscribing online. Please note that it may take up to 2 weeks to process the Member's unsubscribe request, and Members may continue to receive communications during this period. After unsubscribing, the Company will no longer send promotional emails but may still contact Members for purposes related to the requested website, app, or services.