Effective June 10, 2026

Privacy Policy

OrangeTour Co., Ltd. protects users' personal information and explains how information is collected, used, retained, destroyed, entrusted, and managed while providing the service.

Company: OrangeTour Co., Ltd. Service Privacy Notice User Rights Included
This Privacy Policy may be changed according to laws, notifications, terms, or internal policies. Changes will be posted on the service screen or notified to users.

OrangeTour Co., Ltd. (hereinafter referred to as the "Company") complies with the privacy protection regulations under relevant laws and regulations that the Company must follow regarding personal information, such as the Communications Privacy Protection Act, Telecommunications Business Act, Act on Promotion of Information and Communications Network Utilization and Information Protection, and Personal Information Protection Act.

We are committed to protecting users' rights by establishing a Privacy Policy in accordance with relevant laws. The Company's Privacy Policy contains the following information.

1

Collected Personal Information Items and Collection Method

Information collected for membership and service provision

  1. Name, ID, Nickname, E-mail, Mobile Carrier, Mobile Phone Number, SMS Verification, Gender, Age, Date of Birth, Country, Language, Profile Image, Profile Introduction, Host Registration Information, Fan Club Membership Information
  2. As a service that can only be used by adults aged 20 or older, the Company does not intentionally collect personal information from users under the age of 20.
  3. When logging in with Google, Apple, Firebase, or similar authentication providers: provider account identifier, Firebase UID, email address, display name, profile image, authentication token or session identifier, and other information provided by the authentication provider according to the user's consent and provider settings.
  4. Information about User Content: The Company may process photos, videos, audio, voice messages, chat messages, fan club messages, live chat messages, profile media, host gallery media, introduction videos, posts, reports, and other content uploaded, created, sent, or shared by users (hereinafter "User Content"). In doing so, the Company may collect images, videos, audio, and text that are part of the User Content.
  5. Video call, live, and communication information: call request status, call connection status, call duration, channel or room identifier, participant identifiers, coin charge information, gift records, translation request records, and related service logs. Camera and microphone streams are processed to provide video call, voice call, live, and chat functions and are not stored as call recordings by the Company unless the user separately uploads or records content through a service feature.
  6. Payment and settlement information: product ID, purchase token, purchase ID, purchase date, coin and VIP purchase records, payment status, refund or cancellation records, host settlement information, and transaction records received from App Store, Google Play, or other payment processing channels.

The Company may collect information related to the user's use of this service, including information on how the user participates in the service. The Company promotes the user's content to other users and processes information related to the user's relationships with other users, blocks, and likes.

When users use the service, the Company creates and stores log data including device information such as the type of device, IP address, OS type information, specific electronic IDs automatically provided by the user's device, cookie data, advertising partner information, mobile application ID, push notification token, app version, language and country settings, access time, service screen history, crash or error information, and security verification information such as Firebase App Check. This information is used to prevent unauthorized or fraudulent service use or abuse and to provide services optimized for the user's device. Advertising identifiers may be linked to a user's account through the Company's internal ID, which is a random unique value.

Information collected during service use or business handling

  1. User's mobile phone type and OS
  2. Service use records, access logs, cookies, access IP information, payment records, bad use records, report and block records, customer support records, event participation records, and safety review records
  3. Device permission information needed for service functions, including camera, microphone, photo library or media access, notifications, network state, and similar permissions. These permissions are requested only when needed for the relevant feature or according to the device operating system.

Collection method

The Company collects personal information through applications, websites, written forms, customer support, email, event entries, Firebase authentication, Google login, Apple login, SMS verification, app stores, payment processors, Agora video call infrastructure, push notification services, translation services, partners, and similar channels.

2

Purpose of Collection and Use of Personal Information

The Company processes collected personal information for the following purposes. Personal information collected, used, and processed by the Company will not be used for purposes other than the following. If the purpose of use changes, necessary measures such as obtaining separate consent will be taken in accordance with Article 18 of the Personal Information Protection Act.

  1. Provision of service and fee settlement: Provision of matching, chat, fan club, live, video call, voice call, gift, paid feed, translation, content, coin, VIP, host registration, host settlement, and related service functions; delivery of goods or invoices; identity verification; purchase and payment; fee collection; and payment of fees and prices
  2. Member management: Identity verification, personal identification value, prevention of fraudulent or unauthorized use by bad members, confirmation of intention to join, age verification, record preservation for dispute mediation, complaint handling and civil petitions, and delivery of notices
  3. Safety, moderation, and service integrity: Detection and prevention of abuse, fraud, unauthorized access, spam, harmful conduct, child safety violations, illegal content, policy violations, payment abuse, and abnormal use patterns; operation of reporting, blocking, account restriction, and safety review processes.
  4. New service development, marketing, and advertising: New service development, customized services, services and advertising according to demographic characteristics, confirmation of service validity, event and advertising information, access frequency identification, service-use statistics, and delivery of advertising information such as events
  5. Partnership services: To activate the service, the Company may share information such as the user's ID, nickname, feed content, comments, and reply content with third parties providing partnership services to the Company through legal procedures.
  6. Performing other tasks related to the provision of tangible or intangible product information, sales services, and additional services linked with the Company using a minimum range of information.

For users using additional services other than common functions among service features, the Company may provide a separate Privacy Policy or appendix for additional services.

3

Processing and Retention Period of Personal Information

In principle, users' personal information is destroyed without delay after the purpose of collection and use is achieved. However, the following information is preserved for the periods specified below when required by relevant laws.

Records preserved Contracts, subscription withdrawal, and similar records Preservation basis Act on Consumer Protection in Electronic Commerce, etc. Preservation period 5 years
Records preserved Payment, purchase, and supply records Preservation basis Act on Consumer Protection in Electronic Commerce, etc. Preservation period 5 years
Records preserved Consumer complaint and dispute handling records Preservation basis Act on Consumer Protection in Electronic Commerce, etc. Preservation period 3 years
Records preserved Login, access, and communication fact records Preservation basis Communications Privacy Protection Act Preservation period 3 months
Records preserved Electronic financial transaction records Preservation basis Electronic Financial Transactions Act Preservation period 5 years
Records preserved Abuse prevention, restriction, report, and block records Preservation basis Legitimate service operation and dispute prevention Preservation period As long as reasonably necessary under internal policy or applicable law
4

Personal Information Destruction Procedure and Method

In principle, the Company destroys the information without delay after the purpose of personal information collection and use is achieved.

If personal information must be continuously preserved in accordance with other laws, the personal information or personal information file is moved to a separate database or preserved in a different storage location.

  1. Personal information output as documents is destroyed by shredding with a shredder or through incineration.
  2. Personal information stored in electronic file format is deleted using technical methods that cannot reproduce the records.
  3. Information entered by users for membership registration is moved to a separate database after the purpose is achieved and stored for a certain period according to internal policies and relevant laws, then destroyed.
5

Provision of Personal Information to Third Parties

In principle, the Company processes users' personal information within the range specified for the purpose of collection and use. Except in the following cases, the Company does not process it beyond the scope of the original purpose or provide it to a third party without the user's prior consent.

  1. When separate consent is obtained from the information subject
  2. When there are special provisions in other laws or it is unavoidable to comply with legal obligations
  3. When the information subject or legal representative is unable to express their intention or their address is unknown, and it is clearly recognized as necessary for the urgent benefit of the life, body, or property of the information subject or a third party
  4. When it is impossible to perform tasks assigned by other laws unless personal information is used for purposes other than the intended purpose or provided to a third party, and it has undergone deliberation and resolution by the Personal Information Protection Committee under Article 7 of the Personal Information Protection Act
  5. When necessary for provision to a foreign government or international organization to fulfill a treaty or other international agreement
  6. When necessary for criminal investigation and filing and maintaining public prosecution
  7. When necessary for the court's performance of judicial duties
  8. When necessary for the execution of sentences, custody, and protective disposition

For payment, login, app store, video call, live, push notification, translation, safety, and customer support features, the Company may transmit the minimum necessary information to service providers or platform operators only within the scope necessary to provide the requested feature, verify a transaction, maintain security, or comply with applicable law.

6

Entrustment of Personal Information Processing

The Company may entrust personal information processing to a third party for smooth personal information business processing and service improvement. In this case, the Company must notify the personal information entrustment processing agency and details of the entrusted work.

Trustee Details of Entrusted Work Processed Information
ITS Co., Ltd. Processing tasks such as member information management, collection, and use for service operation Member information, service use records, customer support records, and other information necessary for service operation
Google LLC / Firebase / Google Cloud Authentication, Firebase UID management, App Check, security verification, push messaging, cloud service operation, translation, and related infrastructure Authentication identifiers, email, display name, device identifiers, push token, app integrity data, translated text or audio when using translation features, logs, and service use records
Apple Inc. Apple login, App Store in-app purchase processing, purchase verification, refund or cancellation processing, and platform services Apple account identifier, email when provided by Apple, purchase ID, product ID, receipt, transaction status, and related payment records
Google Play Android in-app purchase processing, purchase verification, refund or cancellation processing, and platform services Google account or purchase identifier, purchase token, product ID, transaction status, and related payment records
Agora, Inc. Real-time video call, voice call, live streaming, media transmission, channel connection, and call quality support Channel identifier, participant identifier, device and network information, audio and video streams during real-time communication, connection logs, and call quality data
App store and payment platform operators Coin, VIP, paid content, and other digital item purchase processing, payment verification, refund, cancellation, and dispute handling Purchase token, purchase ID, product ID, purchase date, transaction status, payment records, and account identifiers required by the platform

Some entrusted processing may be performed outside the user's country depending on the location of the provider's servers and infrastructure. The Company uses these providers only for the purposes described above and manages entrusted processing so that personal information is processed safely and only for the required period.

7

Rights of Information Subjects and Legal Representatives

  1. Information subjects may request inquiry, access, correction, deletion, or suspension of processing of their personal information at any time, and may request withdrawal from membership.
  2. For inquiry and modification of personal information, the "Change Personal Information" or "Modify Member Information" function within the app or web service can be used. For withdrawal from membership, users can proceed directly after identity verification through the "Withdrawal from Membership" or account deletion procedure.
  3. Information subjects may contact the Company's personal information management officer in writing, by phone, or by email to exercise the rights above.
  4. If an information subject requests correction for errors in personal information, the personal information will not be used or provided until the correction is completed. If incorrect personal information has already been provided to a third party, the correction result will be notified to the third party without delay so that correction can be made.
  5. Personal information deleted or corrected by the Company at the request of the information subject or legal representative is processed in accordance with Article 3 of this policy and is processed so that it cannot be accessed or used for other purposes.
  6. As a method of verifying the identity of a user claiming that personal information has been stolen, the resident registration card authenticity verification service implemented by the digital government or the driver's license authenticity verification service implemented by the National Police Agency can be used.
  7. Some information may be restricted from deletion or suspension of processing for a legally required retention period, for settlement, dispute handling, fraud prevention, safety review, or compliance with applicable law.
8

Automatic Personal Information Collection Devices

The Company uses cookies that store and periodically retrieve user information to provide specialized customized services to users. A cookie is a small amount of information sent by the server used to operate the website to the user's browser and is sometimes stored on the hard disk of the user's PC.

  1. Purpose of cookie use: The Company uses cookies to analyze each service and use pattern of the Company used by users and to provide membership services.
  2. Installation, operation, and refusal of cookies: Users may allow all cookies, go through verification whenever a cookie is stored, or refuse storage of all cookies by setting options in the web browser.
  3. To provide suitable and more useful services and advertising services, including customized advertisements, the user's advertising identifier may be automatically collected if the advertising-related function is activated in the smartphone and tablet OS settings owned by the user.
  4. The web service may use necessary cookies for login sessions, OAuth state verification, security, fraud prevention, and service preference storage. If users block necessary cookies, some login or service functions may not operate correctly.

Blocking Personalized Advertisements

  • Android: Settings > Google > Privacy > Ads, then uncheck "Opt out of Ads Personalization"
  • iOS: Settings > Privacy > Apple Advertising, then uncheck "Personalized Ads"
9

Personal Information Protection and Management Officer

The Company has designated a personal information management officer and person in charge of collecting opinions and handling complaints regarding personal information.

Personal Information Protection and Management Officer

Name: Shin Dong-yoon
Department: Privacy and Safety Team
Email: ogam2026@gmail.com

Information subjects may report all complaints related to personal information protection occurring while using the Company's services to the personal information management officer or the department in charge. The Company will provide prompt and sufficient answers to users' reports.

External report and consultation institutions

  • Personal Information Infringement Report Center: privacy.kisa.or.kr / 118 without area code
  • Supreme Prosecutors' Office Cyber Investigation Division: www.spo.go.kr / 1301 without area code
  • National Police Agency Cyber Bureau: cyberbureau.police.go.kr / 182 without area code
10

Measures to Ensure the Safety of Personal Information

Technical measures

  • The Company safely protects users' personal information through security functions in accordance with relevant laws and internal policies.
  • The Company takes measures to prevent damage from computer viruses by using anti-virus programs. Anti-virus programs are updated periodically, and when a sudden virus appears, it is applied as soon as the vaccine is available to prevent personal information from being infringed.
  • The Company encrypts, stores, and manages users' passwords and adopts security devices that can safely transmit personal information on the network.
  • The Company uses authentication token verification, app integrity checks, access control, log monitoring, and permission controls to help protect accounts and service data.

Administrative measures

The Company limits access rights to users' personal information to a minimum number of personnel, including:

  • Personnel performing marketing, events, customer support, and service operation tasks directly dealing with users
  • Personnel performing personal information management tasks such as personal information management officers
  • Personnel whose handling of personal information is unavoidable for other business reasons

Reports related to child safety, illegal content, abuse, payment abuse, or serious service violations may be reviewed promptly, and relevant records may be preserved or provided to competent authorities when required or permitted by law.

The Company strives to correct problems immediately if discovered by checking compliance with the Privacy Policy and internal regulations in the department dedicated to personal information protection tasks.

The Company is not responsible for problems caused by leakage of personal information such as names and passwords due to the user's own negligence or problems on the internet.

11

Duty of Notification

In case of amendment of the Privacy Policy, the Company will notify users through notices within the app, pop-ups, or push notifications 7 days in advance.

12

Addendum

  1. In case of change in this Privacy Policy, the Company will specify the reason for change and application date and notify it on the service screen from 10 days before the application date to the day before the application along with the current Privacy Policy. However, if there is a change in important content regarding the user's rights or obligations, it will be notified at least 30 days in advance.
  2. If a user does not explicitly express refusal even though the Company has notified that it will be deemed as an expression of intent if refusal is not expressed by the application date while notifying the change according to paragraph 1, the user is deemed to have agreed to the change.
  3. Notwithstanding paragraph 2, if the Company additionally collects personal information from a user or provides it to a third party, it undergoes a separate consent procedure from the user themselves.

Date of Enforcement: June 10, 2026