FANS Privacy Policy (v20260311)
FANS Privacy Policy
Blue Garage Co., Ltd. (hereinafter, the “Company”) processes personal data lawfully and manages it securely in compliance with the Personal Information Protection Act and other applicable laws and regulations in order to protect users’ freedoms and rights while providing the FANS service (hereinafter, the “Service”). Accordingly, pursuant to Article 30 of the Personal Information Protection Act, the Company establishes and discloses this Privacy Policy to inform users of the procedures and standards for the processing of personal data and to ensure that related complaints can be handled promptly and smoothly.
Table of Contents
Article 1. Purpose of Processing Personal Data
Article 2. Items of Personal Data Processed
Article 3. Provision of Personal Data to Third Parties
Article 4. Entrustment of Personal Data Processing
Article 5. Matters Concerning Cross-border Transfer of Personal Data
Article 6. Matters Concerning the Processing of Personal Data of Children Under 14
Article 7. Rights and Obligations of Users and Legal Representatives and How to Exercise Them
Article 8. Retention Period of Personal Data
Article 9. Procedures and Methods for Destruction of Personal Data
Article 10. Criteria for Determining Additional Use and Provision of Personal Data
Article 11. Measures to Ensure the Security of Personal Data
Article 12. Installation, Operation, and Refusal of Automatic Personal Data Collection Devices
Article 13. Personal Information Protection Officer and Department in Charge of Handling Complaints
Article 14. Remedies for Infringement of Users’ Rights and Interests
Article 15. Changes to the Privacy Policy
Article 1. Purpose of Processing Personal Data
The Company processes personal data for the following purposes. The personal data being processed will not be used for any purpose other than those listed below. If the purpose of use changes, the Company will take necessary measures, such as obtaining separate consent, in accordance with Article 18 of the Personal Information Protection Act.
1. Membership Registration and Management
Confirmation of intent to register as a member, user identification for providing membership services, prevention of fraudulent use of the Service, analysis and statistical processing of Service usage records, various notices and notifications, customer consultation and complaint handling, and customer satisfaction surveys.
2. Provision of Services
1) Provision of the FANS Community Service
Community registration and activities by artist, provision of artist-related media, event and schedule information, information on fan meetings, public broadcasts, performances and other artist-related information, and operation and management of communities.
2) Verification for FANS Artist Membership Service
Verification of artist membership and provision of membership-only communities and content services.
3) Operation of FANS SHOP
Display of products for sale and provision of product information according to the user’s access country.
4) Sale of Products on FANS SHOP and Shipping Address Management
Product payment and refunds, product shipping and returns, shipping address management, identity verification, order form issuance, customer service consultation (verification of complainant identity, contact/notice for fact-finding, notification of processing results, etc.), and production of customized products and provision of services for members.
5) Identity Verification
Use of community services (posting comments, creating posts, etc.), purchase of products on FANS SHOP, and membership verification.
3. Provision and Operation of Various Event Information
Delivery of event information such as attendance at public broadcasts or streaming verification, event participation and winner management, prize shipment to winners and related customer service, and surveys of event winners.
4. Service Quality Improvement
Identification of issues related to the Company’s services, improvement and enhancement of service quality, and improvement of CS quality.
5. Development and Provision of New Services
Development and provision of the Company’s new services (whether included within the FANS Service or not).
Article 2. Items of Personal Data Processed
In accordance with the Personal Information Protection Act, the Company collects and uses personal data within the minimum scope necessary to provide the Service, and in principle obtains the user’s consent at the time needed before collecting and using personal data. The categories of users’ personal data processed in the course of using the Service are as follows.
1. Personal data processed with the user’s consent
(Legal basis: Article 15(1)1 of the Personal Information Protection Act (consent of the data subject))
2. Personal data processed without the user’s consent
(Legal basis: Article 15(1)4 of the Personal Information Protection Act (performance of a contract))
During the use of the Service, IP address, cookies, Service usage records, app push identifiers, and device information may be generated and collected. In addition, text and image information entered by the user may be collected (stored) during the use of community services.
If a member withdraws membership or a member account is deleted due to false entry of personal data, the collected personal data will be completely deleted so that the Company cannot use it for any purpose.
When a member withdraws membership, all personal data including account information and activity history will be deleted; however, content created by the member within the Service community, comments on posts, and like history will not be deleted.
The following access permissions are used in the course of using the FANS mobile application. Even if access permissions are granted, not all information is collected (transmitted) immediately, and collection only occurs within the permitted scope at the time such access is required during the use of the Service.
Required Access Permission
Device and app history: app version check, error checking, and usability improvement
Optional Access Permissions
Camera: taking photos and videos, QR code scanning
Photos/Media/Files: media upload and download
Microphone: video and voice recording
Location: use of waiting registration service
Notifications: new content and activity notifications
Article 3. Provision of Personal Data to Third Parties
The Company processes users’ personal data only within the scope specified in the purposes of processing personal data and does not provide users’ personal data to third parties unless the user has consented or special provisions exist under law.
1. Where provided with the user’s consent
(Legal basis: Article 17(1)1 of the Personal Information Protection Act (where the data subject has consented))
2. Where personal data is provided without the user’s consent
(Legal basis: Article 17(4) of the Personal Information Protection Act (provision within the scope of the original purpose of collection))
When the Company provides users’ personal data to third parties without consent, it comprehensively considers whether such provision is related to the original purpose of collection, whether such sharing is reasonably foreseeable in light of the circumstances of collection or processing practices, whether it unfairly infringes on members’ interests, and whether safety measures such as pseudonymization or encryption have been taken, in accordance with “Article 10. Criteria for Determining Additional Use and Provision of Personal Data” of this Privacy Policy.
Article 4. Entrustment of Personal Data Processing
The Company entrusts personal data processing tasks for the purpose of providing member services, such as Service use and contract performance. When entering into entrustment contracts, the Company specifies in documents such as contracts matters concerning prohibition of processing personal data for purposes other than entrusted tasks, technical and managerial protection measures, restriction on sub-entrustment, management and supervision of entrusted parties, and liability such as compensation for damages, and supervises entrusted parties so that they safely process personal data.
The Company’s entrusted processors and the details of entrusted tasks are as follows.
1. Status of Entrusted Personal Data Processors
Hyosung ITX (entrusted task: operation of counseling center and customer consultation)
Will & Vision Co., Ltd. (entrusted task: community operation management)
Logis Valley (entrusted task: logistics storage and shipping of ordered products)
Sub-processors: KSE International Logistics (Sagawa, PJ POST), EFS (ZTO, EMS, UPS, DHL)
NHN KCP Co., Ltd. (entrusted task: payment processing for ordered products)
Sub-processors: Toss Payments Co., Ltd., Naver Financial Corp., Kakao Pay Corp., NHN PAYCO Corp.
Eximbay Co., Ltd. (entrusted task: payment processing for ordered products)
Sub-processors: Ant International, Tencent Holdings Ltd., China UnionPay Co., Ltd.
PayPal (entrusted task: payment processing for ordered products)
PortOne Korea Co., Ltd. (entrusted task: payment integration with PG services)
Sound Contents Co., Ltd., Copan Global Co., Ltd., Icons Co., Ltd. (entrusted task: production of membership kits)
2. Status of Specialized Platform Providers
Amazon Web Services, Inc. (processing task: cloud server operation and management)
Zendesk (processing task: customer support handling)
Postmark (processing task: email sending service)
Twilio (processing task: SMS sending)
ZeroBounce (processing task: email domain verification)
Samsung Data Service Co., Ltd. (processing task: SMS and email sending)
NAVER Cloud Platform (processing task: SMS sending for domestic member mobile phone verification)
Google LLC (processing task: analysis of Service usage status)
SendBird (processing task: chat service)
If the details of entrusted tasks or entrusted parties change, the Company will disclose such changes through this Privacy Policy without delay.
Where personal data processing is entrusted overseas, details are provided in “Article 5. Matters Concerning Cross-border Transfer of Personal Data” of this Privacy Policy.
Article 5. Matters Concerning Cross-border Transfer of Personal Data
The Company transfers or entrusts the processing of members’ information overseas as follows for the purpose of providing member services such as Service use and contract performance.
1. Legal basis: Article 28-8(1)3 of the Personal Information Protection Act
(overseas entrustment/storage for contract performance)
Users may refuse the overseas transfer. In such case, use of services that require overseas transfer of personal data may be restricted. If you do not wish your personal data to be transferred overseas, you may request membership withdrawal through the website or customer center, or request suspension of processing of personal data.
If matters concerning overseas transfer change, the Company will disclose such changes through this Privacy Policy without delay.
Article 6. Matters Concerning the Processing of Personal Data of Children Under 14
The services operated by the Company are not intended for children (under 14 years of age for Korean nationals; for foreigners, as defined by the laws of the relevant country). If the Company becomes aware that it has collected personal data from a child, it will delete such information and terminate the relevant member’s account. If you believe that the Company has collected information from a child, please contact us using the contact information in “Article 13.”
Article 7. Rights and Obligations of Users and Legal Representatives and How to Exercise Them
Users may at any time exercise their rights against the Company, including requests for access, correction, deletion, suspension of processing, and withdrawal of consent regarding personal data, as well as refusal of or request for explanation regarding automated decisions (hereinafter, “exercise of rights”).
Users may directly access and correct their own personal data in the Service at [MY FANS > My Info]. Users may also terminate the service agreement at any time within the Service, and upon termination, all of the user’s personal data will be deleted. However, where other laws require retention for a certain period, such data may be retained for that period.
Where a user requests correction, deletion, or suspension of processing of their personal data, the Company will confirm the user’s identity and take necessary measures without delay. In addition, if the user falls under reasons for restricted use as set forth in the Terms of Service, the Company may destroy personal data, including deleting the member account, at the discretion of the Personal Information Protection Officer.
If a user requests correction of an error in personal data, the Company will not use or provide the relevant personal data until the correction is completed. If incorrect personal data has already been provided to a third party, the Company will notify the third party of the correction results so that the correction can be made.
If a member has questions about this Privacy Policy or wishes to exercise rights related to personal data, the member may contact us as follows:
Contact the Personal Information Protection Officer by email at privacy_help@jype.com or by phone at 1577-9486, and we will respond to the exercise of rights promptly.
Rights may also be exercised through a user’s legal representative or an authorized agent. In such cases, a power of attorney in the form set forth in Appendix Form No. 11 of the “Public Notice on Personal Data Processing Methods (No. 2023-12)” must be submitted.
Article 8. Retention Period of Personal Data
The Company processes and retains personal data within the retention/use period required by laws or within the retention/use period consented to by the user at the time of collection.
Please refer to “Article 2” of this Privacy Policy for matters related to the processing of personal data.
1. Where retention is required by law
Records on contracts or withdrawal of subscription: retained for 5 years (E-commerce Act)
Records on payment and supply of goods, etc.: retained for 5 years (E-commerce Act)
Records on consumer complaints or dispute resolution: retained for 3 years (E-commerce Act)
Records on labeling/advertising: retained for 6 months (E-commerce Act)
Website visit records and Service usage logs: retained for 3 months (Protection of Communications Secrets Act)
2. Where retention is required under the Company’s internal policies
Records related to prevention of fraudulent use to prevent damage through exclusion of abnormal Service use: 3 months
Records related to blocking unfair or improper receipt of economic benefits such as event benefits and identity theft: 1 year
Article 9. Procedures and Methods for Destruction of Personal Data
The Company destroys the relevant personal data without delay when personal data becomes unnecessary, such as upon expiration of the retention period or achievement of the processing purpose.
Where the retention period consented to by the user has expired or the processing purpose has been achieved, but personal data must continue to be preserved under other laws, the relevant personal data will be transferred to a separate database (DB) or preserved in a different storage location.
1. Destruction Procedure
In principle, information entered by users for membership registration, etc. is destroyed without delay upon approval by the Personal Information Protection Officer once the purpose of collection and use of personal data has been achieved.
2. Destruction Method
Personal data recorded and stored in electronic file form is destroyed in a manner that prevents the records from being reproduced. If destruction by such means is significantly difficult due to technical characteristics, the information will be anonymized so that the data subject can no longer be identified. Personal data recorded and stored in paper documents is destroyed by shredding or incineration.
Article 10. Criteria for Determining Additional Use and Provision of Personal Data
Pursuant to Article 15(3) or Article 17(4) of the Personal Information Protection Act, the Company may additionally use or provide personal data without the user’s consent after considering the matters set forth in Article 14-2 of the Enforcement Decree of the Personal Information Protection Act.
Based on the above criteria, the Company may use members’ personal data collected under Article 2 of this Privacy Policy for service development related to CS, such as after-sales support consultations.
In making such additional use or provision without the user’s consent, the Company has considered the following:
1. Whether the purpose of additional use/provision is related to the original purpose of collection
The additional use/provision of personal data by the Company is related to the original purposes of collection, namely “service provision” and “customer consultation and satisfaction surveys in member management.”
2. Whether the additional use/provision is foreseeable in light of the circumstances of collection or processing practices
In the course of using the Service, members can foresee that additional use/provision of personal data may occur to improve customer satisfaction, such as customized consultation, given the nature of services including artist communities and ordering related products.
3. Whether the additional use/provision unfairly infringes the interests of the data subject
The purpose of improving CS is fundamentally to enhance customer satisfaction. The Company additionally uses/provides personal data only within a scope reasonably related to the original purposes of collection, such as service provision and customer consultation, and therefore does not unfairly infringe members’ interests.
4. Whether necessary safety measures such as pseudonymization or encryption have been taken
The Company is taking the best possible measures necessary to ensure security, including de-identification measures, in order to minimize exposure of members’ personal data in cases of additional use/provision.
Article 11. Measures to Ensure the Security of Personal Data
The Company is taking the following technical, administrative, and physical measures to ensure that personal data is not lost, stolen, leaked, altered, or damaged.
1. Technical Measures
The Company makes every effort to prevent users’ personal data from being leaked or damaged by hacking or computer viruses. The Company frequently backs up data in preparation for damage to personal data, uses the latest antivirus programs to prevent users’ personal data or materials from being leaked or damaged, ensures safe transmission of personal data over networks through encrypted communication, controls unauthorized access from outside using intrusion prevention systems, and strives to equip all possible technical devices to systematically ensure security.
2. Administrative Measures
The Company limits employees handling personal data to those in charge only, grants separate passwords for this purpose and updates them regularly, and always emphasizes compliance with the Privacy Policy through occasional training for the personnel in charge.
The Company appoints a Personal Information Protection Officer to continuously check the implementation of the Privacy Policy and strives to immediately correct and rectify any issues found. However, the Company is not responsible for any problems caused by leakage of personal data due to the user’s own negligence or problems on the Internet.
3. Physical Measures
The Company maintains an access control system for computer rooms, data storage rooms, and other facilities to ensure the security of personal data.
Article 12. Installation, Operation, and Refusal of Automatic Personal Data Collection Devices
The Company uses cookies that store and retrieve usage information from time to time in order to provide users with individualized services and convenience.
Cookies are small pieces of information sent by the server (HTTP) used to operate the website to the user’s browser and stored on the user’s PC or mobile device.
Users may set options to allow or block cookies through their web browser settings. However, if cookie storage is refused, there may be difficulties in using customized services.
For service provision and statistical analysis purposes, the Company uses Google Analytics, Firebase API, and Sentry API provided by Google.
1. Allowing/Blocking Cookies in Web Browsers
Chrome: Select the “⋮” icon at the top right of the browser > New Incognito Window (shortcut: Ctrl+Shift+N)
Edge: Select the “...” icon at the top right of the browser > New InPrivate Window (shortcut: Ctrl+Shift+N)
2. Allowing/Blocking Cookies in Mobile Browsers
Chrome: Select the “⋮” icon at the top right of the mobile browser > New Incognito Tab
Safari: Mobile device Settings > Safari > Advanced > Block All Cookies
Samsung Internet: Select the “Tabs” icon at the bottom of the mobile browser > Turn on Secret Mode > Start
Matters Concerning the Collection, Use, Provision, and Refusal of Behavioral Information
In the course of using the Service, the Company collects and uses behavioral information in an identifiable form through cookies in order to provide users with optimized customized services and benefits, and online personalized advertising.
The Company collects behavioral information on the website it operates as follows:
The Company collects only the minimum behavioral information necessary for optimized customized services and benefits, and does not collect sensitive behavioral information that may infringe on an individual’s rights, interests, or privacy, such as ideology, beliefs, educational background, or medical history.
Article 13. Personal Information Protection Officer and Department in Charge of Handling Complaints
The Company is responsible for overall personal data processing and has designated the following Personal Information Protection Officer in order to handle complaints and provide remedies for damages related to personal data processing.
1. Personal Information Protection Officer (CPO)
Name: Choi Woon-gu (Information Security Team)
Contact: privacy_help@jype.com (Phone: 1577-9486)
2. Department in Charge of Personal Information Protection
Department: Information Security Team
Contact: privacy_help@jype.com (Phone: 1577-9486)
Users may contact the Personal Information Protection Officer and the responsible department regarding all inquiries, complaint handling, and remedies related to personal data protection arising while using the Company’s services. The Company will respond to and handle users’ inquiries promptly and sincerely.
Article 14. Remedies for Infringement of Users’ Rights and Interests
Users may apply for dispute resolution or consultation to the Personal Information Dispute Mediation Committee, the Personal Information Infringement Report Center of the Korea Internet & Security Agency, etc. to seek relief for personal data infringement. For other reports or consultations regarding personal data infringement, please contact the following institutions:
1.
Personal Information Dispute Mediation Committee: 1833-6972 (without area code) (www.kopico.go.kr)
2.
Personal Information Infringement Report Center: 118 (without area code) (privacy.kisa.or.kr)
3.
Supreme Prosecutors’ Office: 1301 (without area code) (www.spo.go.kr)
4.
National Police Agency: 182 (without area code) (ecrm.cyber.go.kr)
The Company strives to guarantee users’ right to self-determination over personal data and to provide consultation and remedies for damages caused by personal data infringement. If you need to make a report or seek consultation, please contact the department below.
Article 15. Changes to the Privacy Policy
This Privacy Policy shall take effect on March 11, 2026. Previous versions of the Privacy Policy may be found in the History tab.