Version 3.6 | Global Service / External Platform App Marketplace
Notice Date: April 30, 2026
Effective Date: June 1, 2026
Catenoid Inc. (the “Company”) treats the personal information of users of the Charlla service as a priority and has adopted the technical and organizational measures and contractual arrangements necessary to comply with the Personal Information Protection Act (“PIPA”) of the Republic of Korea as well as with global data-protection laws, including the EU GDPR, the U.S. CCPA/CPRA, the Japanese APPI, and the UK GDPR.
The Company collects and uses the minimum personal information necessary to provide the Service, as follows.
| Category Collected | Purpose of Use | Retention Period |
|---|---|---|
| Name, e-mail, contact | Sign-up, identity verification, service notices, prevention of abuse | 30 days after termination of service; however, account-identifying information (sign-up e-mail) is retained for 5 years under the Act on the Consumer Protection in Electronic Commerce for contract-record preservation and abuse prevention |
| Business registration no., company name, contact person | Issuance of tax invoices, contract management | As required by applicable law |
| Payment-method information (processed via PG) | Billing and payment | 5 years after payment is completed |
| Service-use logs, access logs, IP address | Service improvement, prevention of abuse | 3 months |
| Store-visitor access information (load events, etc.) | Load Count measurement and service-provision analytics | 90 days |
| Platform store identifiers (e.g., store domain) | Identification of accounts connected via external platforms | 30 days after termination of service |
Personal data is processed on the following legal bases under Article 6 of the EU GDPR.
| Legal Basis (GDPR Art. 6) | Processing Activity |
|---|---|
| Contractual performance (Art. 6(1)(b)) | Service provision, billing, account management, customer support |
| Legitimate interests (Art. 6(1)(f)) | Service security, fraud prevention, service improvement (balancing test satisfied) |
| Consent (Art. 6(1)(a)) | Marketing communications (consent may be withdrawn at any time) |
| Legal obligation (Art. 6(1)(c)) | Compliance with applicable laws and response to requests by competent authorities |
Pursuant to Article 22-2 of PIPA and related laws, the Company does not permit children under the age of 14 to sign up or use the Service. The Company does not collect, use, or provide personal information of children under 14 without the consent of their legal representative, and confirms at sign-up whether the user is under 14.
If, after sign-up, it is confirmed that a member is under 14, the Company will promptly close the account and destroy the collected personal information. Any minimum information required to be retained under applicable law is stored separately and destroyed at the end of the statutory retention period.
For EU/EEA data subjects, pursuant to GDPR Article 8, consent to the offer of information-society services is valid only with parental/legal-representative consent for children under 16 (EU Member States may set the age between 13 and 16). For UK data subjects, the equivalent age threshold is 13. For California residents (CCPA/CPRA), the personal information of children under 13 is not collected, sold, or shared without verifiable parental consent (opt-in). For Japanese residents (APPI), parental consent is required for children under 15 as a general principle. The Company does not, in principle, target children, and will delete any personal information of children immediately upon discovery.
The Company retains personal information until the purpose for collection and use has been achieved, and thereafter destroys it without delay.
Notwithstanding, personal information is retained as follows where required by applicable law:
- Records of contracts and cancellations: 5 years (Act on the Consumer Protection in Electronic Commerce)
- Records of payment and supply of goods: 5 years (Act on the Consumer Protection in Electronic Commerce)
- Records of consumer complaints and dispute resolution: 3 years (Act on the Consumer Protection in Electronic Commerce)
- Records of website visits: 3 months (Protection of Communications Secrets Act)
- E-mail, to prevent duplicate free trials: 6 months after withdrawal of membership
The Company may, under its own dormancy policy, destroy personal information or separate and store it after prior notice to Customers that have not used the Service for a prolonged period.
For Customers that use the Service through an external platform, the deletion procedure set forth in Article 3.5 of the DPA applies in priority to the general retention periods, starting from the time the platform’s app is deactivated or uninstalled. In particular, if a store-deletion request (such as a shop/redact webhook) is received from the platform, the associated data will be deleted within 48 hours after receipt.
| Statute | Retention Period | Retained Items |
|---|---|---|
| Act on the Consumer Protection in Electronic Commerce | 5 years | Contracts, cancellations, payments |
| Protection of Communications Secrets Act | 3 months | Service access logs |
| Framework Act on National Taxes | 5 years | Tax invoice records |
The Company outsources the processing of personal information as follows to provide the Service.
Outsourced vendors and services: Toss Payments Corp. — service-fee payment and payment-fraud prevention (domestic Customers); Stripe, Inc. — service-fee payment (global Customers); Channel Corporation — chat-support system and maintenance; Amazon Web Services (AWS) — server operation and data storage. Retention: until member withdrawal or termination of the outsourcing agreement.
| Sub-Processor / Independent Controller | Scope of Work | Retention |
|---|---|---|
| Toss Payments Corp. [KR only] | Domestic payment processing and payment-method management | Until termination of the outsourcing agreement |
| Channel Corporation [KR only] | Customer-support chat service | Until termination of the outsourcing agreement |
| Amazon Web Services (AWS) | Server operation and data storage (Korea, U.S., Singapore, etc.) | Until termination of the outsourcing agreement |
| Stripe, Inc. (Independent Controller) | International payment processing for overseas Customers (Stripe’s own terms and DPA apply) | Per Stripe’s policies |
| External e-commerce platform operator (Independent Controller) | App-billing processing via the platform (platform’s own terms apply) | Per the platform’s policies |
The Company destroys personal information without delay once the retention period has elapsed or the purpose of processing has been achieved and the information is no longer necessary.
The Company does not provide personal information to third parties without the data subject’s prior consent, except as required by law or as necessary to perform the service agreement.
The Company may transfer personal information internationally or store it on overseas servers to provide the Service, as follows.
| Transfer Recipient | Country | Purpose | Transfer Method | Recipient's Data Protection Contact | Safeguards |
|---|---|---|---|---|---|
| Amazon Web Services (AWS) | Korea (Seoul, primary storage); U.S., Singapore (CDN, etc.) | Server operation and data storage | HTTPS (TLS 1.2+) over public network | AWS Data Protection Officer — aws-EU-privacy@amazon.com (Source: https://aws.amazon.com/compliance/data-privacy-faq/) | EU/UK→Korea: adequacy decisions; Korea→U.S. and others: SCCs |
| Overseas payment processor (Stripe, Inc.) | U.S. | International payment processing | Encrypted transmission over API (TLS 1.2+) | Stripe Data Protection Officer — dpo@stripe.com (Source: https://stripe.com/privacy) | Stripe’s own DPA (Independent Controller) |
| External e-commerce platform operator | Platform’s country | App-billing processing | Per platform's own policy | Per platform's official notice | Platform’s own DPA (Independent Controller) |
Transfers from the EU/EEA to the Republic of Korea rely on the European Commission’s adequacy decision for the Republic of Korea; transfers from the UK to the Republic of Korea rely on the UK’s adequacy regulations for the Republic of Korea. Onward transfers from the Republic of Korea to non-adequate countries (such as the U.S.) are governed by Standard Contractual Clauses (SCCs) or equivalent safeguards.
The Company’s service infrastructure is primarily operated in the AWS Korea (Seoul) region; for service-quality purposes, data may be transiently processed at edge servers located near the user through a global CDN. Payment-related information is transmitted to Stripe, Inc. (U.S.) for payment processing.
The legal basis for each international transfer differs depending on the recipient’s role, as follows.
(a) Amazon Web Services (AWS) — Processing Entrustee (Sub-Processor): The transfer to AWS is conducted in reliance on the exemption under Article 28-8, Paragraph 1, Item 3 of the Korean Personal Information Protection Act (PIPA), under which disclosure of the transfer in this Privacy Policy substitutes for the data subject’s consent. The Company enters into Standard Contractual Clauses (SCCs, including Commission Implementing Decision (EU) 2021/914) with AWS to ensure that personal information is processed with a level of protection equivalent to that guaranteed under PIPA.
(b) Stripe, Inc. — Independent Controller: Stripe processes payment data as an independent data controller pursuant to its own terms and DPA (stripe.com/legal/dpa). The provision of payment-related information from the Company to Stripe is carried out to the extent necessary for the performance of the service agreement (payment processing) and is based on GDPR Art. 6(1)(b) (performance of a contract).
(c) External E-Commerce Platform Operators — Independent Controllers: External platform operators process personal information relating to app-payment processing as independent data controllers pursuant to their own terms and privacy policies.
The Company uses cookies and similar technologies to provide the Service.
(1) Types and purposes of cookies
- Essential cookies: required for normal service operation, such as maintaining login sessions.
- Functional cookies: store personalization settings, such as language, time zone, and notice-popup confirmations.
- Social-media cookies: used to enable social logins (e.g., Naver, Google).
- Analytics cookies: used for service-use statistics and quality improvement.

(2) Installation, operation, and refusal
- Customers may accept or refuse cookies through their web-browser settings.
- Settings path: browser Settings → Privacy & Security → Cookies.
- Refusing essential cookies may limit use of the Service.
- For EU/EEA/UK data subjects, explicit consent is obtained before non-essential cookies or similar technologies are used; consent is managed through the merchant’s Consent Management Platform (CMP) or through the platform’s own consent mechanism.
- The Company will not disclose cookie information to any third party without valid legal process.
For technical identifiers (local storage, session identifiers, and so on) used while the Charlla player operates on an external platform’s storefront (e.g., Shopify), that platform’s cookie policy applies alongside this Policy.
A data subject (Customer) may exercise the following rights in relation to personal information at any time with respect to the Company.
| Right | Description | Response Deadline |
|---|---|---|
| Right to access | Review the list of personal information held and the processing status | Within 10 days (Korea); within 1 month (EU/EEA) |
| Right to rectification | Request correction of inaccurate personal information | Within 10 days |
| Right to erasure (right to be forgotten) | Request deletion of personal information (except where retention is legally required) | Within 10 days |
| Right to restriction of processing | Request temporary suspension of processing | Immediate (during the objection period) |
| Right to withdraw consent | Withdraw consent for consent-based processing such as marketing | Immediate |
| Right to data portability [EU/EEA·UK residents] | Receive data in a structured, machine-readable format (JSON/CSV) or have it transmitted directly to another controller | Within 1 month |
| Right to object to profiling [EU/EEA·UK residents] | Object to decisions based on automated processing or profiling | Within 1 month |
| Right to lodge a complaint with a supervisory authority [Global/EU] | Lodge a complaint directly with the supervisory authority in the data subject’s country of residence | Immediate (per that authority’s procedures) |
Rights may be exercised by contacting privacy@charlla.io or through the Privacy Settings in the Service. Requests are processed after identity verification within the following periods: requests subject to the Korean PIPA — within 10 days of receipt; requests subject to EU/EEA or UK GDPR — within 1 month in principle (extendable by up to 2 additional months for complex or numerous requests, up to a total of 3 months); requests from California residents (CCPA/CPRA) — within 45 days (extendable once by 45 days); requests from Japan residents (APPI) — within a reasonable period; and for other countries, within the period prescribed by the applicable local law.
This Article applies to Platform Customers (merchants) that use the Service through an external e-commerce platform’s app marketplace.
| Party | Role | Principal Responsibilities |
|---|---|---|
| Catenoid (Charlla) | Data Processor | Processes end-user data upon instructions from the Platform Customer; complies with applicable laws and platform policies |
| Platform Customer (merchant) | Data Controller | Determines the purposes and means of processing in relation to end-users; notifies end-users of the use of the Charlla service in its own Privacy Policy |
| Store visitor (end-user) | Data Subject | Exercises rights primarily vis-à-vis the Platform Customer (Controller); may also contact Charlla directly |
The Charlla service automatically collects the following data solely for service-provision purposes (video Load Count measurement, playback analytics): access logs (IP address, browser type/version, access time, page URL), player events (load, play start/end, playback duration), and platform store identifiers (such as store domain).
Collected end-user data is not used to train AI/ML models or for advertising or marketing directed at other customers, and is processed subject to the data-minimization principle.
Details of the data-processing outsourcing relationship between the Company and the Platform Customer (merchant) are governed by a separate Data Processing Agreement (DPA).
Where the Service is used through an external platform’s app marketplace, rights may be exercised through the data-management functions provided by that platform.
Where the external platform offers functions for processing access or deletion requests (for example, a platform’s own data-management API or webhooks), the Company will act upon such requests as soon as they are received.
| Request Type | Processing Method | Processing Deadline |
|---|---|---|
| Access request | Via the platform’s data-management function or by direct request to privacy@charlla.io | Data list provided within 30 days |
| Deletion request | Via the platform’s data-management function or by direct request to privacy@charlla.io | Stored data deleted within 30 days (excluding data subject to legal retention obligations) |
| Upon uninstallation of the platform app | After a period specified by the platform following uninstallation, all data associated with the store is deleted | Within 48 hours (per the platform’s policy) |
Where a platform does not provide separate personal-information-handling functions, requests may be made directly to privacy@charlla.io and will be handled in the same manner.
For information for which the Company acts as Controller (merchant-account data), the Company will notify the relevant competent supervisory authority(ies) in the affected data subjects’ jurisdiction(s) within 72 hours of becoming aware of a breach. The Company does not maintain a “main establishment” in the EU within the meaning of GDPR Art. 4(16); accordingly, the one-stop-shop mechanism under GDPR Art. 56 does not apply, and the Company will cooperate independently with each competent supervisory authority. For information for which the Company acts as Processor (end-user access data at a merchant’s store), the Company will notify the Controller (merchant) without undue delay (within 48 hours) to support the Controller’s legal notification obligations.
Where a breach is likely to result in a high risk to data subjects’ rights and freedoms, the Company will, for data for which it is the Controller, notify the affected data subjects directly without undue delay and will, for data for which it is the Processor, support the Controller’s notifications.
For breaches affecting UK data subjects for which the Company is the Controller, the Company will notify the Information Commissioner’s Office (ICO) within 72 hours. Where the Company acts as Processor, the Company will notify the Controller (merchant) without undue delay (within 48 hours).
California consumers have the following rights under the CCPA and CPRA:
Exercise of rights: requests to privacy@charlla.io are processed within 45 days after identity verification (extendable once by 45 days).
UK data subjects have rights equivalent to those under the EU GDPR, as provided by the UK GDPR. The supervisory authority for the processing of personal information of UK residents is the Information Commissioner’s Office (ICO, www.ico.org.uk). Complaints may be lodged with the ICO.
Personal information of Japan residents is processed in accordance with Japan’s Act on the Protection of Personal Information (APPI). Japan residents have the right to be notified of the utilization purpose, to request disclosure, to request correction/addition/deletion, to request suspension of use or erasure, and to request suspension of provision to third parties.
Where data of Japan residents is transferred to a country outside of Japan, the Company — in accordance with APPI Article 28 — informs the data subject that the Republic of Korea has not been designated by the PPC as providing a level of protection equivalent to that of Japan, and applies contractual safeguards equivalent to the obligations imposed by APPI on domestic handlers.
Singapore residents have rights under the Singapore PDPA, and Australia residents have rights under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs). For exercise of rights and inquiries, please contact privacy@charlla.io.
Chief Privacy Officer
- Name: Youngjun Bang
- Contact: privacy@charlla.io
- Phone: 1544-4367

Privacy Manager
- Name: Hyundeok Yang
- Contact: privacy@charlla.io
- Phone: 1544-4367
| Item | Information |
|---|---|
| Name | Youngjun Bang |
| Title | Chief Privacy Officer (CPO) |
| E-mail | privacy@charlla.io |
| Phone | 1544-4367 |
| EU Representative | Pursuant to GDPR Article 27, the Company designates its wholly-owned EU subsidiary (Spain) as its EU Representative. EU/EEA data subjects may contact either the Company (Catenoid Inc.) or the EU Representative directly to make inquiries or exercise rights regarding personal information. EU Representative: HISPlayer SDK SL (NIF: B44544773) / Address: Calle Poeta Joan Maragall 1, Floor 16, 28020 Madrid, Spain / E-mail: privacy@hisplayer.com (tentative) |
| UK Representative | Pursuant to the exception in UK GDPR Article 27(2)(a), the Company does not designate a UK Representative. UK data subjects may contact privacy@charlla.io directly and may also lodge complaints with the ICO (www.ico.org.uk). For detailed reasoning, see “Basis for No UK Representative” at the end of this Policy. |
| Japan Local Contact | Data subjects residing in Japan may contact the following local entity for personal information inquiries and rights requests. Entity: Catenoid Inc. (株式会社カテノイド) / Address: Turm Kanda 7F, 4-9 Kanda-Iwamotocho, Chiyoda-ku, Tokyo 101-0033, Japan / Department: Sales & Marketing / Email: jp_sales@catenoid.net / Hours: Mon–Fri 10:00–18:00 JST (excluding public holidays) |
Domestic agencies for complaints concerning the processing of personal information:
EU/EEA data subjects may file complaints with the data-protection supervisory authority of their country of residence. UK data subjects may file complaints with the ICO (www.ico.org.uk).
The Korean-language version of this Privacy Policy is the authoritative original; an English translation is provided for reference at https://charlla.io/privacy-en. In the event of any discrepancy between the Korean original and the English translation, the Korean original prevails.
| Version | Effective Date | Key Changes |
|---|---|---|
| v3.6 | June 1, 2026 | [Global Compliance & Transparency Enhancement] (1) Complete restructuring: expanded from 9 articles to 15 articles with systematic numbering (2) Added legal bases for processing EU/EEA data subjects' data under GDPR Art. 6 (Art. 1-2) (3) Expanded children's data protection as a standalone article: GDPR (16), UK (13), CCPA (13), APPI (15) age thresholds (Art. 1-3) (4) Reorganized collection items and retention periods in tabular format; explicitly listed auto-collected items (IP, browser, etc.) (Art. 1) (5) Clarified payment data processing structure: Korean customers (Toss Payments) vs. overseas customers (Stripe) (Arts. 1, 3) (6) Restructured processing entrustment: clear separation of sub-processors and independent controllers (Stripe, platform operators) (Art. 3) (7) Added international transfer article with per-recipient legal basis: AWS (processing entrustee), Stripe (independent controller), platforms (independent controller) (Art. 6) (8) Enhanced cookie provisions: added analytics cookies, explicit prior consent (CMP) for EU/EEA/UK non-essential cookies (Art. 8) (9) Expanded data subject rights: data portability, right to object to profiling, right to lodge complaints with supervisory authorities (Art. 9) (10) Added external platform data processing relationship (Controller-Processor roles) and rights exercise procedures (Arts. 10, 11) (11) Added data breach response procedures: 72-hour supervisory authority notification, Controller/Processor-specific procedures (Art. 12) (12) Added jurisdiction-specific rights: CCPA/CPRA, UK GDPR, APPI, Singapore PDPA, Australia Privacy Act (Art. 13) (13) Designated EU Representative (Spanish subsidiary) and documented UK Representative non-designation grounds (Art. 14) (14) Added multilingual policy and accessibility article (Art. 15) (15) Unified as a single standard policy: removed former 'Global Version' distinction (16) Updated CPO contact: privacy@challa.io → privacy@charlla.io |
| Initial | October 10, 2024 | Initial publication at service launch |
This Privacy Policy takes effect on June 1, 2026.
Prior versions of this Policy lose effect as of the effective date of this Policy.
Inquiries regarding this Policy may be directed to privacy@charlla.io.
Pursuant to Article 27 of the EU GDPR, the Company designates its wholly-owned EU subsidiary (Spain) as its EU Representative. EU/EEA data subjects may contact the Company (Catenoid Inc.) or the EU Representative below to make inquiries or exercise rights regarding personal information.
The Company meets the exception requirements of UK GDPR Article 27(2)(a) and therefore does not designate a UK Representative. The reasons are as follows:
B2B SaaS nature: The Charlla service is a B2B SaaS offering provided to merchants (business customers); the Company has no direct contractual relationship or continuous interaction with UK-resident end users.
Minimality of data processed and non-real-time processing: Processing of personal information of UK-resident end users is limited to W3C-standard client information (IP address, browser type/version, access time, page URL, playback event logs, and so on). Such data is passively recorded in server logs upon the end user’s browser request; the Company does not have any procedure for actively collecting or querying personal information. Collected logs are processed in de-identified form at the point of statistical aggregation in accordance with the monthly billing cycle, and the original logs are deleted within a maximum of 90 days.
No continuous monitoring or profiling: The Company does not identify, track, analyze, or profile UK data subjects. No activities are performed during the statistical processing of log data to identify individuals or analyze behavioral patterns. Furthermore, the Company does not process special categories of personal data (including health, religion, or biometric data) or personal data concerning criminal offenses (UK GDPR Articles 9 and 10).
Application of the exception: As described above, the Company’s processing of personal data of UK-resident data subjects (i) is limited to the passive recording of server logs and monthly statistical aggregation, constituting ancillary (occasional) processing; (ii) does not include large-scale processing of special categories of data or personal data relating to criminal convictions and offenses; and (iii) is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope, and purposes of the processing. Accordingly, it satisfies the exception requirements of UK GDPR Article 27(2)(a).
UK data subjects may contact privacy@charlla.io directly and may also lodge complaints with the ICO (Information Commissioner’s Office, www.ico.org.uk). The Company will designate a UK Representative immediately and update this Policy if the scope of its services or processing purposes changes such that the exception no longer applies.
This English version is provided for reference only. In the event of any discrepancy between the Korean original and this English translation, the Korean original prevails.