Vrew Privacy Policy

VoyagerX Inc. (the "Company", "we", "us"), while providing the Vrew service (the "Service"), takes the protection of users' personal information very seriously. The Company has established and discloses this Privacy Policy (this "Policy") in accordance with the Personal Information Protection Act and other relevant laws.

1. Items of personal information collected, purposes of processing, and retention periods

The Company processes only the minimum personal information necessary to provide the Service, does not use personal information for purposes other than those notified, and where the purpose changes the Company implements necessary measures including obtaining consent in accordance with Article 18 of the Personal Information Protection Act.

The Company processes the following items of personal information without the consent of the data subject.
- Legal basis: Article 15, Paragraph 1, Item 4 of the Personal Information Protection Act

Purpose of processing	Items processed	Processing and retention period
Account creation, email verification	Name, email	1 year from the date of termination of the use agreement
Processing of paid payments, verification of subscription products	User Unique Identifier (UID), contact information (email, mobile phone)	1 year from the date of termination of the use agreement
Service use, user behavior analysis and service improvement	User Unique Identifier (UID), webpage visit history, device and browser information, OS type and version, in-service feature usage history	1 year from the date of termination of the use agreement
Identifying and responding to user inquiries	Name, contact information (email, mobile phone), consultation details, error information and related data	Destroyed without delay upon achievement of the purpose
Provision of personal cloud service*	Vrew project files, photos, videos, audio and other content within projects	Retained for 120 days from the date of termination of the use agreement, then deleted**

* With respect to photos, videos, audio data uploaded by the user to the cloud and any personal information of third parties contained therein, the Company only performs technical measures for safe storage as a cloud infrastructure provider. The Company does not use project files or the content contained in projects for training, does not arbitrarily access or analyze the content of such files without the user's consent, and ensures that even with consent only the minimum necessary personnel can access such content.

** The data is retained for 120 days after termination of the use agreement to maintain the user's access rights to the project data. The data will be deleted immediately upon the user's request through in-service chat support or similar means.

Legal basis: Article 15, Paragraph 1, Item 2 of the Personal Information Protection Act

Purpose of processing	Items processed	Processing and retention period
Verification of legal representative's consent when a user under the age of 14 creates an account	Legal representative's name, legal representative's email	1 year from the date of withdrawal or termination of the use agreement

The Company processes the following items of personal information based on the consent of the data subject, pursuant to Article 15, Paragraph 1, Item 1 of the Personal Information Protection Act.

Purpose of processing	Items processed	Processing and retention period
Provision of speech analysis function	Voice information files	24 hours after the completion of speech analysis and subtitle file creation
Provision of AI My Voice function	User's voice data*	1 week after upload
User behavior analysis, service improvement	Service usage records, OS type and version, connection logs, advertisement identification information	1 year from the date of termination of the use agreement
Provision of Vrew Agent function	Prompts entered into the Vrew Agent and work history	1 year from the date of termination of the use agreement
Verification of payment location	IP address	Destroyed at the time of termination of the use agreement

* The Company does not use the user's voice data as training data for improving the performance of the Company's AI engines.

The Company destroys the user's personal information without delay once the purposes of collection and use have been achieved or the retention period has elapsed. However, in accordance with the Company's internal policy, when the use agreement is terminated, personal information will be retained for one year from the date of withdrawal or termination of the use agreement to prepare for disputes related to the Service and requests for investigation cooperation by investigation agencies.
Notwithstanding Paragraphs 1 through 3, where it is necessary to preserve personal information pursuant to the Protection of Communications Secrets Act, the Act on the Consumer Protection in Electronic Commerce, or other relevant laws, the Company will preserve the personal information specified in such laws for the period required, and the information so preserved shall be used only for the purpose of preservation.
- Records of contracts or withdrawal of subscription: 5 years
- Records of payment and supply of goods, etc.: 5 years
- Records of consumer complaints or dispute resolution: 3 years
- Records of display and advertisement: 6 months
- Internet log records: 3 months

2. How We Collect Personal Information

The Company collects the personal information specified in Article 1 of this Policy in the following ways to provide smooth services:

Information entered directly by the user during the account creation process
Information collected during the installation and use of the Service
Information collected through generated-information collection tools (including cookies)
Information collected through voluntary provision by users during the use of the Service, etc.

3. Consignment of Processing of Personal Information and Overseas Transfer

In order to improve services, the Company obtains the consent of the user in accordance with the relevant laws or discloses or notifies the relevant matters, and entrusts the personal information of members to external parties for processing. In accordance with Article 26 of the Personal Information Protection Act, the Company specifies and manages matters such as prohibition of processing personal information beyond the purpose of the consigned work, technical and administrative protection measures, restrictions on re-consignment, supervision of the consignee, and liability for damages. Currently, the consignees of users' personal information processing and their tasks are as follows:

Consignee	Consigned tasks
Channel Corporation Co., Ltd.	Service consultation and user inquiry response
NAVER Corp.	Text-to-Speech (TTS) API integration and processing
Humelo Inc.	Text-to-Speech (TTS) API integration and processing
Korea PortOne Co., Ltd.	Payment agency for paid services (Republic of Korea)
Danal Co., Ltd.	Mobile payment agency system (Republic of Korea)
NHN KCP	Credit card payment agency (PG) system operation and approval processing (Republic of Korea)
NAVER Financial Corp.	Simple payment agency (Republic of Korea)
Solapi Co., Ltd.	Sending notice and information text messages

The Company does not provide personal information to other operators outside of the country. However, for the fulfillment of contracts regarding the provision of information and communication services and the convenience of users, the Company consigns personal information processing overseas as follows, based on Article 28-8, Paragraph 1, Items 1 and 3 of the Personal Information Protection Act. For all overseas-consigned personal information below, the information is transferred electronically at the time of collection, and the common retention and usage period is until the termination of the user's service use agreement or until the termination of the personal information processing consignment agreement.

Consignee (Country)	Items of personal information transferred	Transfer purpose	Contact information
Google LLC (USA)	Name, email, profile picture (if any)	Social login integration system operation, user behavior analysis, speech analysis	support@google.com
Amazon Web Services, Inc. (USA)	Name, email	Data storage and service infrastructure provision, speech analysis	aws-korea-privacy@amazon.com
XL8 Inc. (USA)	User-input text	Caption translation	contact+legal@xl8.ai
OpenAI (USA)	User-input prompts	Text generation and summarization, Image generation	info@openai.com
Stability AI Ltd (UK)	User-input prompts	Image generation	info@stability.ai
Byteplus Pte. Ltd (Singapore)	User-input prompts	Image generation	privacy@byteplus.com
Replicate, LLC (USA)	User-input prompts	Image generation	privacy@replicate.com
Amplitude Inc. (USA)	User behavior information	User behavior analysis	privacy@amplitude.com
Anthropic PBC (USA)	User-input text	Text analysis	privacy@anthropic.com
Paymentwall, Inc. (USA)	Credit card information, personally identifiable information	Overseas credit card payment	support@paymentwall.com
Twilio Inc (USA)	Name, email	Sending notice and information emails	privacy@twilio.com

Statistical information, installation information, non-personally identifiable information, and personal information collected with the user's consent in connection with the use of the Service are transmitted to, processed and stored in programs such as Google Cloud Platform and Firebase provided by Google LLC and Amazon Web Services (AWS) provided by Amazon Web Services, Inc.
Statistical information, installation information, non-personally identifiable information, and personal information collected with the user's consent are analyzed by Google Analytics (GA) and Amplitude.
The user's contact information (email address or phone number) is explicitly collected from the user and stored so that the user can be notified quickly when the operator responds through Channel Corporation used for responding to user inquiries.
We use the STT API provided by Google LLC and Amazon Web Services, Inc. to provide the speech analysis function.
We use the translation API provided by Google LLC and XL8 Inc. to provide the caption translation function.
We use the payment system provided by Korea PortOne Co., Ltd. to provide payment functions for paid services.
We use the APIs provided by Google LLC, NAVER Corp., Amazon Web Services, Inc., and Humelo Inc. to provide the speech synthesis function.
We use the ChatGPT API provided by OpenAI to provide the phrase generation function. OpenAI does not store or train on the user's data used during the provision of the service.
We use the Stable Diffusion API provided by Stability AI Ltd, the OpenAI API provided by OpenAI, the Seedream API provided by Byteplus Pte. Ltd, and the Flux API by Black Forest Labs provided by Replicate, LLC to provide the image generation function. Stability AI, OpenAI, Byteplus, and Replicate do not store or train on user data, and Replicate provides the API under a contract with Black Forest Labs that prohibits the use of data for training purposes.
We use the text analysis engine provided by Anthropic PBC to support the Vrew Agent function. Anthropic PBC does not store or train on the user's data used during the provision of the service.
We use the SendGrid API provided by Twilio Inc. to send notice and information emails related to the Service.
The user may refuse the overseas transfer of personal information through the Company's Chief Privacy Officer and customer service. However, since the core functions of the Vrew Service (speech analysis, AI generation, etc.) are provided based on overseas cloud infrastructure and AI engines, refusal of the transfer may result in restrictions on or impossibility of service use.

4. Provision of Personal Information to a Third Party

The Company uses the user's personal information within the scope notified by Article 1 and does not use it beyond that scope or provide it to other companies or organizations. However, exceptions are made in the following cases.
1. When investigation agencies request the provision of personal information according to the procedure and method prescribed by relevant law for investigation purposes
2. When it is provided to advertisers, business partners or research groups in a form by which an individual cannot be identified, for statistical purposes, academic research or market research
3. When there is a request in accordance with the provisions of other relevant laws
In addition, where it is necessary to provide personal information to a third party, such information may be provided to the third party with the user's consent by notifying the items provided, the recipient, the purpose of provision, and the retention and usage period.

5. Procedure and Method of Destruction of Personal Information

The Company destroys the relevant personal information without delay once the purpose of processing has been achieved or the retention period has elapsed. Where personal information must continue to be preserved in accordance with other laws even after the retention period has elapsed or the purpose of processing has been achieved, the relevant personal information shall be moved to a separate database (DB) and preserved.

Procedure of destruction

The Vrew privacy officer in charge selects the personal information for which grounds for destruction have arisen and destroys it in accordance with procedures approved by the Company's Chief Privacy Officer.

Methods of destruction
1. Personal information printed on paper is shredded with a shredder or destroyed through incineration.
2. Personal information stored in electronic file format is deleted using technical methods that do not allow the reproduction of the records.

6. Rights and Obligations of the User and Legal Representative and Methods of Exercise

The user (through a legal representative if under the age of 14) has the right at any time to request the access, correction, deletion, suspension of processing, etc. of personal information from the Company, or to withdraw consent to processing. The user has the right to request the transmission of his/her personal information to himself/herself or to another personal information controller (right to request transmission).
The user may exercise his/her rights by terminating the use agreement or by notifying the Company in writing or by email, and the Company will take necessary measures in response to the user's exercise of rights without delay. However, the email address entered at the time of account creation is linked to the account and cannot be corrected or modified.
The exercise of rights under Paragraphs 1 and 2 may also be made through a legal representative or a designated agent, in which case a power of attorney in the form prescribed by Annex Form No. 11 of the "Notification on Methods for Processing Personal Information (No. 2025-5)" must be submitted.
The user's right to request access and suspension of processing of personal information may be restricted in accordance with Article 35, Paragraph 4, Article 37, Paragraph 2, and other provisions of the Personal Information Protection Act. In addition, where the relevant personal information is specified as a subject of collection in other laws, the user cannot request deletion of such personal information.
The Company verifies whether the person exercising the rights is the user himself/herself or a legitimate agent.
The user has the duty to protect his/her own personal information and not to infringe on the personal information of others. Please be careful not to leak personal information such as email addresses and not to infringe on the personal information of others. The user shall keep his/her personal information up to date at all times, and is responsible for any problems caused by inaccurate information entered by the user.
The user may exercise rights with the following department. The Company will respond within 10 days (without delay in the case of a request for transmission) from the date of receipt of the request for the exercise of rights.

Department in charge	Contact
VoyagerX Inc. Privacy Protection Group	privacy@voyagerx.com

7. Matters Concerning Automated Decisions

Some of the Company's services (AI caption generation, AI TTS generation, etc.) are processed by fully automated systems applying artificial intelligence technology. In accordance with Article 37-2 of the Personal Information Protection Act, users have the following rights.

Where an automated decision has a significant impact on the user's rights or obligations, the user may request an explanation of the criteria and procedures of the decision and the manner in which personal information is processed. Unless there is justifiable reason, the Company shall notify the user of the explanation or review result without delay.
Where an automated decision has a significant impact on the user's rights or obligations, the user may refuse the decision. Upon refusal, the Company will either not apply the automated decision or perform reprocessing through human intervention. However, where the decision is essential for the conclusion or performance of a contract or based on law, refusal may be restricted.
Where the user wishes to refuse an automated decision or request an explanation or review, the user may do so in accordance with the following methods and procedures.

Department in charge	Contact
VoyagerX Inc. Privacy Protection Group	privacy@voyagerx.com

Method: Submit a request for refusal of, explanation of, or review (through submission of opinions on) the automated decision to the relevant department.
Procedure: Receipt of request > Review of request > Notification of action result
- If the request is determined to constitute grounds for refusal, response within 10 days from the date of receipt of the request
- Where necessary measures are taken in response to the request, response within 30 days (separate notice if extended)

8. Installation, Operation and Refusal of Automatic Personal Information Collection Devices

The Company operates "cookies" to identify the browser in use and store and retrieve usage information from time to time in order to provide useful and convenient services to users, such as usage pattern analysis. A cookie is a small piece of information sent by the server operating a website to the user's browser and stored on the user's computer or mobile device, and is automatically transmitted from the user's browser to the server upon access. For the behavioral information collected by the Company through cookies, please refer to Article 1 of this Privacy Policy.
The user has the right of option regarding the installation and use of cookies. Through option settings in the web browser, the user can permit the saving of all cookies, verify each time whether cookies are saved, or refuse the storage of all cookies. However, refusal to store cookies may result in restrictions on the use of the Service.

Allowing/blocking cookies in web browsers
- Chrome: Select '⋮' in the upper right of the web browser > New Incognito window (shortcut: Ctrl+Shift+N)
- Edge: Select '…' in the upper right of the web browser > New InPrivate window (shortcut: Ctrl+Shift+N)
Allowing/blocking cookies in mobile browsers
- Chrome: Select '⋮' in the upper right of the mobile browser > New Incognito tab
- Safari: Mobile device Settings > Safari > Advanced > Block All Cookies / Samsung Internet: Select 'Tabs' icon at the bottom of the mobile browser > Turn on Secret mode > Start

Information on Google Analytics and Customized Advertising
1. In order to provide better services to customers, the Company uses Google Analytics, a web analytics service provided by Google, Inc. ("Google"), to analyze and evaluate how customers use the Company's services and to understand customer needs, thereby improving and customizing services and products to provide efficient services.
2. Google Analytics analyzes how users use the service using "cookies", which are text files stored on mobile or desktop devices. If you wish to refuse Google's external analytics tools and customized advertising service, you can download and install the add-on for your current web browser at tools.google.com/dlpage/gaoptout to refuse Google's information processing.
3. Google transmits "cookie" information without personal identification possibility to Google servers in the United States for the analysis of cookie information. For more information about Google's processing of information, please visit www.google.com/analytics/learn/privacy.html.

9. Technical, Administrative, and Physical Protection Measures for Personal Information

The Company has prepared the following administrative, physical, and technical measures to ensure that personal information is not lost, stolen, leaked, tampered with or damaged while processing it.

Administrative protection measures
1. The Company's personal information processing tasks are limited to designated personnel, and through periodic training, the Company always emphasizes compliance with the privacy policy.
2. The implementation of the personal information protection policy and the compliance of personnel are regularly checked, and where problems are detected, the Company strives to immediately correct and rectify them.
Physical protection measures

The Company grants access to security areas such as server rooms only to authorized personnel and performs physical access controls such as storing documents and auxiliary storage media in secure locations with locking devices.

Technical protection measures
1. To prevent leakage or damage to users' personal information by hacking or computer viruses, the Company enables secure transmission of personal information over the network through encrypted communication.
2. The Company uses firewalls to prevent unauthorized external access and strives to install all possible technical devices to ensure systematic security.
3. The Company double-stores the information collected when users create accounts in the databases of AWS and Firebase.

10. Protection of Personal Information for Overseas Users

The Company's service is provided and operated in accordance with the laws of the Republic of Korea, and this Privacy Policy is based on the Privacy Policy written in Korean as the original. This Policy may be translated and provided in English, Japanese, etc., and in the event of any conflict between the translated version and the Korean version, the Korean version shall prevail. The Company complies with the personal information protection regulations and laws of each country applicable to the user's jurisdiction.

11. Chief Privacy Officer

In order to take overall responsibility for personal information processing and to handle complaints and remedies of data subjects regarding personal information processing, the Company designates a Chief Privacy Officer as follows.

Item	Information
Name	Sedong Nam
Company / Position	VoyagerX Inc. / CEO, CPO
E-mail	privacy@voyagerx.com
Tel.	+82 (02) 2161-5189

12. Remedies for Infringement of Rights and Interests

Data subjects may apply for dispute resolution or counseling to the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency's Personal Information Infringement Report Center, etc. for relief from personal information infringement. For other reports or consultations regarding personal information infringement, please contact the following organizations.

Personal Information Dispute Mediation Committee: (without area code) 1833-6972 (www.kopico.go.kr)
Personal Information Infringement Report Center (privacy.kisa.or.kr / without area code 118)
Korean National Police Agency Cyber Bureau (cyberbureau.police.go.kr / without area code 182)

13. Changes to the Privacy Policy

This Privacy Policy is effective from May 28, 2026.
The Company's Privacy Policy may be revised due to changes in laws and guidelines or changes in the Company's internal operation policy. If you have any questions about this Policy, you may provide your opinion through the customer inquiry channel on the Service homepage and the Company website.