SHIFT UP Corporation (the “Company” or “SHIFT UP”) takes the protection of users’ personal information seriously and complies with applicable laws and regulations, such as the Personal Information Protection Act and the Act on Promotion of Information and Communications Network Utilization and Information Protection. Through this Privacy Policy (this “Policy”), the Company hereby informs users of the purposes and methods of its use of the personal information provided by users and the measures taken to protect such personal information.

The Company discloses this Policy on the homepage of SHIFT UP website (https://shiftup.co.kr) to ensure that users can easily access it at any time.

This Policy may be amended due to changes in applicable laws and regulations and guidelines, or changes in the Company’s internal policies.

Article 1 (Items of Personal Information to be Collected and Used and Method of Collection)

1. When users use the Company’s game services, the Company receives the following personal information of users from third parties. When users use certain additional services, the Company notifies the users of such fact and obtain additional consent from them.

Provider	Personal Information to be Provided
Sony Interactive Entertainment	PlayStation™ Network Account ID	Purchase history and playtime records for the Complete Edition of Stellar Blade
Value Corporation	Steam® Account ID
Epic Games, Inc.	Epic Games Account ID

2. If users use customer services to facilitate their use of the Company’s services, the Company collects the following personal information with their consent.
1) If users use customer consulting services:
(Mandatory) Email address, game membership number (or unique number provided by an external platform)

2) If users request a refund:
(Mandatory) Email address, game membership number (or unique number provided by an external platform), (in the case of using Google) Google email ID, purchase history details, user’s real name or certificate of family relations to confirm payment by a party other than the principal
  - In case of a cash refund due to termination of game services:
(Mandatory) Name, mobile phone number, (in the case of using Google Store) payment account, bank name, bank account number, account holder name, email, copy of identification card, copy of bankbook

3) If users participate in events or promotions:
  - In case of participation in events:
(Mandatory) mobile phone number, (if the event is conducted via social media services) social media services account ID
  - In case of delivery of event prizes:
(Mandatory) Name, mobile phone number, address, etc.
  - In case of imposition of taxes and public charges on event winners
(Mandatory) Resident registration number, address, and name

3. In the course of users’ use of the Company’s services, the Company may automatically generate and collect following information for the purposes of complying with laws, protecting users’ accounts and items, preventing fraudulent use by users, and providing stable services:
Information about the user’s mobile device (e.g., model name, OS version, mobile firmware version, device identification number, etc.), IP address, cookies, last access location, location-based service use records, access date and time, service use records, and improper usage records, etc.

4. Methods of collection of personal information
   The Company collects personal information through the following methods:
   - Collection through the consent process during the sign-up for the Company’s services
   - Collection through a separate consent process for promotions and events
   - Automatic collection through platforms with which the Company has a partnership for service provision
   - Collection through the user’s voluntary provision or upon request during customer service interactions for the sign-up and use of services

Article 2 (Purpose of Use of Personal Information)

The Company uses personal information collected from users for the following purposes:
  - To provide services, including identifying users and verifying their identity
  - To respond to customer center inquiries, address complaints, and improve user services
  - To notify users of promotions such as events
  - To confirm users’ intent to participate in events, deliver prizes to event participants, and handle taxes and public charges, etc.
  - To prevent unlawful subscriptions and use
  - To analyze the service use environment through service use records, improve the services, and provide the services based on the characteristics of users

The users’ consent, as the data subject, to the processing as specified in this Policy is the primary legal ground for our processing of the users’ personal information. However, there may be circumstances where the Company may also rely on other valid legal grounds for the processing of the users’ personal information, such as:
 - the users’ request for content, goods or services necessitating steps including processing of the users’ personal information to be taken prior to entering into contract with the users and any processing that is necessary for the performance of such contract; and
 - legitimate interests pursued by the Company as a business, except where such interests are overridden by the users’ interests and fundamental rights. The Company will rely on this legal ground in relation to the processing set out in paragraphs above, in which the Company have a legitimate interest; and
 - compliance with a legal obligation to which the Company are subject, such as, for example, the processing for the purposes set out above.

Article 3 (Provision of Personal Information)

1) In no event will the Company use users’ personal information beyond the scope specified in Article 2 (Purpose of Use of Personal Information) or provide it to any other person, company, organization or institution, except with the consent of the users or in accordance with the provisions of relevant laws and regulations.

2) When providing users’ personal information to a third party—such as when it is necessary to provide limited user information to a business partner or a business operator with which the Company has partnerships for the purpose of providing various services—the Company will inform users of the recipient’s name, the recipient’s main business, the items of personal information to be provided, and the purpose for providing the personal information. User consent will be obtained prior to any such disclosure.

3) In any of the following cases, the Company may provide users’ personal information without the consent from the users in accordance with the relevant laws and regulations:
   (1) Where it is necessary to compile statistics or conduct scientific research, and if the information is processed and provided in a form in which a specific individual cannot be identified;
   (2) Where there is a special provision in the Act on Real Name Financial Transactions and Confidentiality, the Credit Information Use and Protection Act, the Framework Act on Telecommunications, the Telecommunications Business Act, the Local Tax Act, the Consumer Protection Act, the Bank of Korea Act, the Criminal Procedure Act, or any other laws.

Article 4 (Period of Retention and Use of Personal Information)

1) In principle, the Company will destroy personal information immediately after the purpose of collecting and using the personal information has been achieved. The processing and retention periods for personal information in each specific case are outlined below. If a user provides separate consent, their personal information will be retained for the period specified in that consent.
  (1) If users apply for the issuance of an exchange code that can be used in the “GODDESS OF VICTORY: NIKKE.”, "胜利女神：新的希望": One (1) year
  (2) If the Company intends to prevent any fraudulent use: One (1) year

2) If it is necessary to retain the users’ personal information pursuant to the relevant laws and regulations, the Company will retain the users’ personal information for the period set forth in the relevant laws and regulations as follows:
If it is necessary to retain the information pursuant to the relevant laws and regulations
  - Records on labeling and advertisement
    Legal ground for retention: Article 6 of the Act on the Consumer Protection in Electronic Commerce and Article 6 of the Enforcement Decree of the same Act
    Retention period: Six (6) months
  - Records on contract or withdrawal of application, etc.
    Legal ground for retention: Article 6 of the Act on the Consumer Protection in Electronic Commerce and Article 6 of the Enforcement Decree of the same Act
    Retention period: Five (5) years
  - Records on payment and supply of goods, etc.
    Legal ground for retention: Article 6 of the Act on the Consumer Protection in Electronic Commerce and Article 6 of the Enforcement Decree of the same Act
    Retention period: Five (5) years
  - Records on consumer complaints or disputes handling
     Legal ground for retention: Article 6 of the Act on the Consumer Protection in Electronic Commerce and Article 6 of the Enforcement Decree of the same Act
     Retention period: Three (3) years
  - Records on collection, processing, use, etc. of credit information
    Legal ground for retention: Article 20 of the Credit Information Use and Protection Act
    Retention period: Three (3) years
  - Records on access
    Legal ground for retention: Article 15-2 of the Protection of Communications Secrets Act and Article 41 of the Enforcement Decree of the same Act
    Retention period: Three (3) months

3) If users request access to the personal information, etc. retained in accordance with paragraphs 1) and 2) above, the Company will immediately take actions to ensure that the users can access and confirm the details thereof.

Article 5 (Procedures and Methods for Destruction of Personal Information)

In principle, the Company will destroy personal information immediately after the purpose of collecting and using the personal information has been achieved. The procedures and methods for destruction of the personal information are outlined below.

1) After the purpose provided by the user in the course of using the services is achieved, the user’s personal information is transferred to a separate DB and stored for a certain period of time and then destroyed in accordance with the reasons for information protection under applicable laws and regulations (see Article 4 (Period of Retention and Use of Personal Information)). Personal information will not be used for any purpose other than retention unless otherwise required by law.

2) Personal information stored in electronic files is deleted using a technical method that prevents the recovery of records. Personal information printed on paper is destroyed by shredding or incineration.

Article 6 (Rights of Users and Legal Representatives and Method of Exercising such Rights)

1) A user may, at any time, request the Company to provide access to, correct, delete, suspend the processing of, provide portability of, object to or request the restriction of processing of, withdraw his/her consent to the processing of, his/her personal information. If the user is a child under the age of 16, his/her legal representative has the right to request the Company to provide access to, correct, delete, suspend the processing of, or withdraw his/her consent to the processing of, the child’s personal information.

2) Before processing the personal information of a child under the age of 16, the Company shall notify the child of the matters concerning the processing of his/her personal information in an easy-to-understand manner and obtain the consent from his/her legal representatives (parents).

3) If a user requests the correction of an error in his/her personal information, the relevant personal information will not be used or provided to a third party until the correction is completed. In addition, if any incorrect personal information has already been provided to a third party, the correction results will be notified to the third party without delay to ensure that the correction can be made.

4) If a user or his/her legal representative requests the deletion of the user’s personal information, the relevant personal information will be deleted without delay, unless otherwise provided for in other laws and regulations.

Article 7 (Installation, Operation and Refusal of Automatic Collection of Personal Information)

The Company uses cookies to provide users with a convenient website experience, and users have the right to refuse them.

1) What is a cookie?
A cookie is a very small text file that is sent to a user’s computer by the server used to operate the website and is stored on the user’s computer hard disk. As users have the ability to control the installation and collection of cookies, users can refuse their collection. However, if users refuse to store cookies, users may be restricted from using some of the Company’s services.

2) How to refuse cookies in settings
   - For Microsoft Edge:
   Click the icon “…” at the top right of the web browser > Select “Settings” > Click the “Cookies and Site Permissions” tab > Change settings in “Manage and Delete Cookies and Site Data”
   - For Chrome:
   Click the icon “…” at the top right of the web browser > Select “Settings” > Change settings in the “Privacy and Security” tab

Article 8 (Technical and Administrative Measures to Protect Personal Information)

In processing users’ personal information, the Company takes the following technical and administrative measures to ensure safety so that personal information is not lost, stolen, leaked, falsified, altered or damaged.

1) Protection of passwords
The Company does not collect passwords from members on platforms it partners with for service provision.

2) Countermeasures against hacking, etc.
In order to prevent the leakage of users’ personal information due to hacking, etc., the Company installs and operates devices that block external intrusion to prevent attacks, hacking, etc. from the outside. In particular, the Company’s servers that hold users’ personal information are managed separately without direct connection to external Internet lines to maintain the highest level of security.
In addition, the Company has a system in place to back up its systems and data in case of emergency, and takes measures to prevent damage from computer viruses by using vaccine programs. The Company’s vaccine programs are updated on a regular basis, and in the event of a sudden virus outbreak, the Company provides vaccines as soon as they are released to prevent users’ personal information from being infringed.

3) Limitation and training of handling staff
The Company limits the number of personal information handling staff to a minimum and emphasizes compliance with this Policy through frequent training of staff in charge.

4) Operation of the dedicated privacy organization
The Company has inspected the implementation of this Policy and the compliance status of the person-in-charge through an in-house dedicated privacy organization and take immediate corrective measures if any problem is found.
However, the Company will not be held liable for any issues arising from the leakage of personal information, including the user’s account (ID), password, nickname, or email on platforms the Company partners with for service provision if such leakage results from the user’s negligence or Internet-related problems.

Article 9 (Complaint Handling Service for Personal Information Infringement)

For any inquiries regarding users’ personal information, please contact the department in charge of personal information below. The Company will respond to the inquiries in a prompt and sincere manner.

The Company has a personal information protection officer and a department in charge of personal information management as follows:
- Personal Information Protection Officer
- Affiliation and Position: CISO / CISO
- Name: Hyung-Bok Lee
- Tel.: 02-2135-9766
- Email: privacy@shiftup.co.kr

For consultation services regarding personal information infringement issues with organizations other than the Company, please use the contact information provided below.
1) Personal Information Dispute Mediation Committee (https://www.kopico.go.kr, Tel.: 1833-6972)
2) Personal Information Infringement Reporting Center (https://privacy.kisa.or.kr, Tel.: 118)
3) Cybercrime Investigation Department of the Prosecutors’ Office (https://cybercid.spo.go.kr, Tel.: 1301)
4) Cyber Bureau of the Korean National Police Agency (https://cyberbureau.police.go.kr, Tel.: 182)

Article 10 (Miscellaneous)

1) The Company may provide users with links to other companies’ websites or materials. In such case, the Company has no control over the external sites and materials, and therefore cannot be responsible for and does not guarantee the usefulness of any services or materials users receive from other companies.

2) If users click on a link to a service provided by the Company and are transferred to a page on another website, they need to check the privacy policy of the newly visited website as the privacy policy and terms and conditions disclosed on such website are not related to those of the Company.

3) Users are requested to keep the personal information they provide up-to-date and accurate to prevent any unexpected incidents. Users are responsible for any incidents arising from inaccurate information provided, and if the users provide false information, such as information stolen from others, the users’ account may be restricted or deleted.

4) Users have the right to protect their personal information. However, they also have the obligation to protect their own information and not to infringe on information of others. Please be careful not to leak the personal information, including passwords, and be careful not to damage the personal information of others, including posts. If users fail to fulfill such responsibilities and damage the information and dignity of others, they may be punished under applicable laws and regulations.

5) Users are solely responsible for any disadvantages and material damages incurred during the use of services as a result of providing inaccurate or incorrect information when entering personal information.

Article 11 (Amendment to Privacy Policy)

1) This Policy will be effective from September 24, 2025.
2) To access previous policies, click the 'List' button at the bottom of the page.

Privacy Notice for EU or UK residents

Article 1 (Right to Lodge a Complaint)

Users have the right to file a complaint with the appropriate data protection authority if they have concerns about how the Company processes their personal information. Users can lodge a complaint with the data protection authority in their respective EU/UK country or region where the alleged infringement of applicable data protection law has occurred.

Article 2 (International Data Transfer)

If the Company transfer users’ personal information outside the EU/UK to a country not recognized by the European Commission as providing an adequate level of data protection, the Company will implement suitable measures to safeguard the personal information in accordance with applicable data protection and privacy laws. These safeguards may include data transfer agreements implementing the latest standard contractual clauses approved by the European Commission. Users may request a copy of these measures by contacting the Company as outlined in this Policy. Additionally, the Company may transfer personal information with users’ consent, to perform a contract with them, or to fulfill a compelling legitimate interest that does not outweigh users’ rights and freedoms.

Privacy Notice for California Residents

Article 1 (Personal Information which the Company Collects and Processes)

The Company collects and processes the following categories of Personal Information:
- Personal identifiers (such as name, email address),
- Protected classifications (such as resident registration number),
- Customer records (such as bank account number, game membership number),
- Commercial information (such as purchase history),
- Internet or other electronic network activity information (such as access date and time, service use records),
- Geolocation data (such as IP address),
- Audio, electronic, visual and similar information (such as profile photo), and
- Inferences drawn from personal data that could be used to create a profile on the individual (such as improper usage records).

For details about the precise Personal Information the Company collects and processes, and the categories of sources where the Company got that information, please see the Article 1 of the Privacy Policy. The Company collects and processes Personal Information for the business and commercial purposes described in the Article 2 of the Privacy Policy. In the past 12 months, the Company has disclosed Personal Information to the categories of recipients described in the Article 3 of the Privacy Policy.

Article 2 (Sales of Personal Information)

The Company does not sell users’ personal information to third parties for their commercial purposes. In the preceding twelve (12) months, the Company has not sold any Personal Information. Please also note that any third parties who would purchase the Personal Information the Company hold, would be prohibited from reselling it unless you have received explicit notice and an opportunity to opt-out of further sales.

Article 3 (California Privacy Rights)

1) Right to Opt-Out of Sharing: Users can opt-out of the sharing of their personal information to third parties.

2) Right to Non-Discrimination: Users have the right not to receive discriminatory treatment by a business for exercising any of their privacy rights under California Privacy Rights Act.

3) California Eraser Request: If Users are under 18 years old and registered to use the Service, under California’s Online Eraser Law, Users can ask the Company to remove any content or information Users have publicly posted on the Service. To make a request, User should write to the Company at the email address set out in the Article 9 of the Privacy Policy with “California Under 18 Online Eraser Request” in the subject line, and tell the Company what Users want removed. The Company will make reasonable, good faith efforts to remove the content or information from prospective public view, although the Company cannot ensure the complete or comprehensive removal of the content or information and may retain the content or information as necessary to comply with legal obligations of the Company, enforce the Company’s agreements, and resolve disputes.

4) Shine the Light: Under California’s Shine the Light law, Users may request (i) a list of the categories of Personal Information disclosed by the Company to third parties during the immediately preceding calendar year for those third parties’ own direct marketing purposes; and (ii) a list of the categories of third parties to whom the Company disclosed such information. To make a request, Users should write the Company at the email set out in the Article 9 of the Privacy Policy and specify that Users are making a “California Shine the Light Request.” The Company may require additional information from Users to verify Users’ identity and are only required to respond to requests once during any calendar year.

Users or users’ authorized agent may make these requests by contacting the Company According to Article 9 of the Privacy Policy