Legal

Privacy Policy

craystream (“we”, “us”, or “the Company”) establishes and discloses this Privacy Policy pursuant to Article 30 of the Personal Information Protection Act (PIPA) of the Republic of Korea, to protect the personal data of data subjects and to handle related concerns promptly and smoothly. This policy applies to our website (craystream.com) and to the games and related services we provide (collectively, the “Services”).

1. Purposes of Processing Personal Data

We process personal data for the purposes below. The personal data processed will not be used for any purpose other than the following, and where the purpose of use changes, we will take necessary measures such as obtaining separate consent under Article 18 of PIPA.

Inquiries and support — receiving and responding to inquiries (partnerships, press, recruiting, etc.) by email, identity verification, and maintaining a communication channel
Providing the Services (games) — delivering game content and features, providing a ranking (leaderboard) service via device identification, and storing user settings and progress
Operating and improving the Services — usage analytics, error and incident handling, quality improvement, and new feature development
Marketing and advertising — serving in-game ads, and providing personalized ads and event information (where separately consented)

2. Personal Data We Process

We process the minimum personal data necessary to provide the Services, as follows.

Category	Items collected	Method
Website inquiries	Email address, information contained in the inquiry	When you send an email
Game usage	Advertising identifier (Android ADID / iOS IDFA), device information (OS, version, model), gameplay records	Automatically generated/collected during use
Ranking (leaderboard)	Device unique identifier (device UUID), nickname (if you enter one), game score and records	When you use the ranking feature
Automatically collected	IP address, cookies, access timestamps, service usage logs, records of misuse	Automatically generated/collected during use

※ These items may change when a game launches or a feature is added; we will update and disclose this policy accordingly.

3. Children Under 14

Our Services are intended for users aged 14 and older, and we do not collect the personal data of children under 14 without the consent of their legal guardian. Where consent is required to collect, use, or provide the personal data of a child under 14, we obtain the legal guardian’s consent and may request the minimum information necessary to verify it.

4. Processing and Retention Period

We process and retain personal data within the period required by law or the period consented to at the time of collection, as follows.

Inquiry-related data — 3 years after the inquiry is resolved (to address potential disputes)
Game usage data — until the collection purpose is achieved or the service terminates (or the period required by applicable law, if any)
Ranking (leaderboard) data — until the service terminates or you request deletion
Automatically collected data (access logs, etc.) — 3 months, under the Protection of Communications Secrets Act

Where other laws require retention for a specified period, we retain the data for the period prescribed by those laws.

5. Destruction of Personal Data

When personal data becomes unnecessary — for example, when the retention period expires or the processing purpose is achieved — we destroy it without delay (within 5 days, absent justifiable cause).

Procedure — we identify the data for which a destruction reason has arisen and destroy it with the approval of the Data Protection Officer.
Method — electronic files are permanently deleted by a method that prevents recovery; paper documents are shredded or incinerated.

6. Provision to Third Parties

We process personal data only within the scope of the purposes stated in Section 1, and provide personal data to third parties only where it falls under Articles 17 and 18 of PIPA, such as with the data subject’s consent or under specific legal provisions. We do not currently provide personal data to third parties; should this become necessary, we will update this policy in advance and obtain any required consent.

7. Outsourcing of Processing

We may outsource personal data processing tasks as follows to provide the Services smoothly.

Contractor	Outsourced task
Cloudflare, Inc.	Website hosting, content delivery (CDN), and storage/processing of ranking data
Unity Technologies / ironSource Ltd. (LevelPlay)	In-game ad serving (mediation) and ad performance measurement

※ Under Article 26 of PIPA, our contracts specify the prohibition of processing beyond the outsourced purpose, security measures, restrictions on re-outsourcing, and we supervise the contractors. We will disclose any changes to the outsourced tasks or contractors through this policy.

8. Transfer of Personal Data Overseas

In the course of using overseas providers for website hosting, advertising, and analytics, personal data may be transferred overseas. We take the measures necessary for a safe transfer pursuant to Article 28-8 of PIPA.

Recipient	Country	Items / Purpose	Retention period
Cloudflare, Inc.	United States, etc. (global infrastructure)	Access data, device UUID and ranking data / website hosting and delivery, ranking data storage	Until the outsourcing contract ends
Unity Technologies / ironSource Ltd. (LevelPlay)	United States, Israel, etc.	Advertising identifier, device info, IP, ad usage records / in-game ad serving and measurement	Per the ad SDK provider’s retention policy

※ The ad SDK (LevelPlay) mediates multiple ad networks, and personal data may be transferred overseas to each mediated network as well. For details on the ad SDK provider’s data processing, see https://unity.com/legal/game-growth/privacy-policy.

9. Security Measures

We take the following measures to ensure the security of personal data.

Administrative — establishing and implementing an internal management plan, minimizing and training personnel who handle personal data
Technical — access-rights management for the processing system, access control, encryption of data in transit (HTTPS), and installation and inspection of security programs
Physical — access control to systems where personal data is stored

10. Cookies and How to Refuse Them

We may use cookies to provide tailored services. A cookie is a small piece of information that the website server sends to your browser and stores on your device.

You can refuse or delete cookies through your browser settings. However, refusing cookies may make some services harder to use.

Chrome — Settings > Privacy and security > Cookies and other site data
Edge — Settings > Cookies and site permissions > Manage and delete cookies and site data
Safari — Preferences > Privacy > Cookies and website data

11. Behavioral / Advertising Data and Opt-Out

To serve in-game ads, we use the ad mediation SDK LevelPlay (Unity Technologies / ironSource Ltd. (LevelPlay)). In this process, LevelPlay and the ad networks it mediates (e.g., Google AdMob, Unity Ads, AppLovin, Meta Audience Network) are permitted to collect behavioral data to deliver personalized advertising.

Behavioral data collected — advertising identifier (ADID/IDFA), app/service usage history, ad impression and click records
Method — automatically collected while you use the Services
Purpose — delivering personalized advertising based on your interests

You can opt out of personalized ads or reset your advertising identifier in your device settings.

Android — Settings > Privacy > Ads > Delete advertising ID (or opt out of personalized ads)
iOS — Settings > Privacy & Security > Tracking > turn off “Allow Apps to Request to Track”

12. Your Rights and How to Exercise Them

You may at any time request access to, correction, deletion, or suspension of processing of your personal data, and withdraw consent. You can exercise these rights by contacting the Data Protection Officer in writing or by email, and we will act without delay.

If you request correction or deletion of an error in your personal data, we will not use or provide that data until the correction or deletion is complete. For children under 14, the legal guardian may exercise these rights on the child’s behalf.

Data deletion requests — the Services can be used without any sign-up or login. You may request deletion of your personal data (including ranking records) by emailing [email protected]; we will delete it without delay, except for data we are legally required to retain. You can stop the collection of your advertising identifier yourself via the device settings described in Section 11.

13. Data Protection Officer

We have designated a Data Protection Officer who is responsible for overseeing personal data processing and for handling data subjects’ inquiries, complaints, and remedies.

Data Protection Officer
Name: 김동범
Title: 대표
Email: [email protected]

You may direct any questions, complaints, or remedy requests regarding personal data arising from your use of the Services to the Data Protection Officer, and we will respond and act without delay.

14. Remedies for Rights Infringement

To seek dispute resolution, counseling, or other remedies for personal data infringement, you may contact the following Korean agencies.

Personal Information Dispute Mediation Committee — 1833-6972 (www.kopico.go.kr)
Privacy Infringement Report Center (KISA) — 118 (privacy.kisa.or.kr)
Supreme Prosecutors’ Office, Cybercrime — 1301 (www.spo.go.kr)
National Police Agency, Cyber Bureau — 182 (ecrm.police.go.kr)

15. Changes to This Policy

This Privacy Policy is effective as of the date below. Any additions, deletions, or corrections required by law or policy will be announced on this page before they take effect.

Effective date: 2026-06-20