Privacy Policy

1. Personal Information We Collect

The Company collects only the minimum personal information necessary for registration, providing the Service, and preventing misuse.

A. Information collected when you sign up (by social-login provider)

The Company supports simple sign-in through external identity providers, including Apple, Google, Kakao, and LINE ("Social Login"). The information received through Social Login is the minimum needed to identify your account and provide the Service. It is not used for marketing, advertising, profiling, or any other ancillary purpose. The items collected from each provider are as follows:

• Sign in with Apple — Required: email address (including Apple Private Relay format), Apple identifier (sub). The email is used for account identification and service-related notices (security alerts, changes to the Terms, payment receipts, and similar); it is used for marketing or advertising messages only with your separate prior consent (opt-in).
• Sign in with Google — Required: email address, Google identifier (sub). The email is used for account identification and service-related notices (security alerts, changes to the Terms, payment receipts, and similar); it is used for marketing or advertising messages only with your separate prior consent (opt-in).
• Sign in with Kakao — Required: email address, Kakao identifier (sub). The email is used for account identification and service-related notices (security alerts, changes to the Terms, payment receipts, and similar); it is used for marketing or advertising messages only with your separate prior consent (opt-in).
• Sign in with LINE — Required: LINE identifier (sub). Optional: email address (received only if the user has granted email permission on LINE). The Company uses any email received from LINE for account identification and service-related notices (security alerts, changes to the Terms, payment receipts, and similar), and uses it for marketing or advertising messages only with your separate prior consent (opt-in). The Company will not sell or provide a LINE-received email to any third party under any circumstances.

B. Information collected while using the Service

• Profile information: the display name you enter and the profile image you upload.
• User content: completed packs, exported videos, and other content you create through the Service.
• Service usage records: pack progress, completion events, session length, and feature usage.
• Support and inquiry records: messages and attachments you send to us, including via support@zmsm.io.

C. Information collected automatically

• Device information: device identifiers (such as IDFV), operating-system type and version, app version, language, and time zone.
• Access information: IP address, access timestamps, and access logs.
• Diagnostic information: crash reports and performance metrics.
• Push tokens: tokens issued by APNs or FCM (if you have consented to push notifications).
• Cookies and similar technologies: essential cookies used to operate the website (for example, to remember language and theme settings).

2. Purposes of Processing

The Company processes personal information for the purposes set out below. If the purpose changes, the Company will take the steps required by Article 18 of the Korean Personal Information Protection Act, such as obtaining separate consent.

• Sign-up and identification — creating accounts via Social Login, identifying the same individual across sessions, and preventing fraudulent sign-ups.
• Operating, providing, and maintaining the Service — saving pack progress, delivering completed content, and sending push notifications.
• Improving the Service and developing new features — statistical analysis and feature-usability diagnostics.
• Customer support — responding to inquiries, handling disputes, and delivering announcements.
• Preventing misuse — detecting abnormal access, bots, and automated tools, and responding to violations of the Terms.
• Complying with legal obligations — under the Act on the Consumer Protection in Electronic Commerce, the Protection of Communications Secrets Act, and other applicable laws.
• Sending marketing and advertising messages (only with separate opt-in consent) — announcements about new content, events, and promotions, delivered through channels the Company provides or integrates with (email, in-app push notifications, Kakao Channel messages, LINE official account messages, and similar).

When the Company sends commercial advertising messages, it first obtains your separate prior consent (opt-in) in accordance with Article 50 of the Korean Act on Promotion of Information and Communications Network Utilization and Information Protection. Whether or not you have consented to marketing, the Company will continue to send service-related notices (security alerts, changes to the Terms, payment receipts, and similar). Users who have consented to marketing may withdraw their consent at any time through the in-app settings or by emailing support@zmsm.io, and marketing messages will stop as soon as the withdrawal is processed.

3. Retention and Use Period

The Company processes and retains personal information within the retention and use period required by law or the period you consented to when the information was collected.

• Member information: until you terminate your account. The Company may retain a hashed value of your identifier (email/social sub) for up to 30 days after termination to prevent misuse.
• Service usage records and access logs: 3 months, in accordance with the Protection of Communications Secrets Act.
• E-commerce records (for in-app purchases): in accordance with the Act on the Consumer Protection in Electronic Commerce — records of contracts and withdrawals for 5 years, records of payments and delivery for 5 years, records of consumer complaints and dispute handling for 3 years.
• User content: until you delete the content or terminate your account.
• Support and inquiry records: 3 years after the inquiry is resolved.

Personal information is destroyed without delay when the retention period ends or the purpose of processing is fulfilled.

4. Sharing with Third Parties

The Company processes personal information only within the scope set out in this Policy, and shares personal information with third parties only with your consent or where specifically permitted under Articles 17 and 18 of the Korean Personal Information Protection Act.

The Company does not regularly share personal information with third parties. Where a sharing arrangement becomes necessary, the Company will obtain your prior consent and inform you of (i) the recipient, (ii) the purpose of sharing, (iii) the items shared, and (iv) the recipient’s retention and use period.

5. Processors (Outsourcing)

To provide the Service, the Company engages external processors as set out below. In accordance with Article 26 of the Korean Personal Information Protection Act, processing agreements specify that processors may not use personal information beyond the scope of the entrusted work, and require technical and managerial safeguards, restrictions on sub-processing, supervision, and liability for damages.

• Supabase Inc. (USA) — authentication, database, file storage, and session management.
• Apple Inc. (USA) — Sign in with Apple, and Apple Push Notification service (APNs).
• Google LLC (USA) — Google Sign-In, and Firebase Cloud Messaging (FCM) for push delivery.
• Kakao Corp. (Republic of Korea) — Kakao Login.
• LY Corporation (Japan) — LINE Login.
• Functional Software, Inc. d/b/a Sentry (USA) — error diagnostics and crash reporting.
• Fly.io, Inc. (USA) — backend server hosting.

Any change to the entrusted work or processors will be disclosed through this Policy without delay.

6. Rights of Data Subjects and Legal Representatives

You may exercise the following rights with respect to the Company at any time:

• Request to access your personal information.
• Request to correct or delete your personal information.
• Request to suspend processing.
• Withdraw consent to processing.
• Withdraw your membership (delete your personal information).

You may exercise these rights in writing, by email (support@zmsm.io), or through in-app settings, and the Company will act on your request without delay. If you request correction or deletion of your personal information, the Company will not use or share that information until the correction or deletion is complete.

A legal representative or an authorized agent may exercise these rights on your behalf, in which case the agent must submit a power of attorney in the form prescribed by the Korean Notice on Personal Information Processing Methods (Annex 11).

The Company will not refuse or restrict your exercise of these rights without a legitimate reason, except where the law permits.

7. Children Under 14

In accordance with Article 22-2 of the Korean Personal Information Protection Act and Article 31 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, the Company does not collect personal information from children under 14. The Service is available to users aged 14 and older, and the Company checks the user’s age at sign-up to block accounts for children under 14.

If the Company unintentionally collects personal information from a child under 14, the Company will delete it without delay. If you become aware of any such information, please contact support@zmsm.io.

8. Destruction Procedures and Methods

When personal information is no longer needed — for example, because the retention period has expired or the purpose has been fulfilled — the Company will destroy it without delay.

• Procedure: personal information subject to destruction is identified and destroyed with the approval of the Company’s Data Protection Officer.
• Method: personal information stored in electronic files is securely deleted so that records cannot be reproduced; personal information recorded on paper is shredded or incinerated.

9. Security Measures

In accordance with Article 29 of the Korean Personal Information Protection Act, the Company implements the following technical, managerial, and physical safeguards:

• Managerial: minimizing the number of staff handling personal information and providing regular training, and establishing and operating an internal management plan.
• Technical: access controls for systems that process personal information, an access-control system, one-way encryption of authentication credentials such as passwords, and security software.
• Transport security: HTTPS/TLS encryption for all external communications.
• Physical: access controls for systems that store data.

No method of transmission over the internet or method of electronic storage is 100% secure, and the Company cannot guarantee absolute security.

10. Cookies and Similar Technologies

The getcolle.com website uses cookies and similar technologies to provide a tailored experience. The Company uses essential cookies to operate the website, save preferences (such as language and theme), and measure usage. The Company does not use third-party cookies for advertising or profiling.

You can accept or block cookies through your browser settings; disabling cookies may affect some Service functionality.

11. International Data Transfers

To provide the Service, the Company may transfer your personal information to the processors listed under "5. Processors (Outsourcing)", some of which are located outside the Republic of Korea.

• Items transferred: those listed under "1. Personal Information We Collect" that are necessary for the entrusted work.
• Country and time of transfer: transferred in real time over networks while you use the Service.
• Recipients: the processors listed under "5. Processors (Outsourcing)".
• Purpose of transfer: authentication, database hosting, push notification delivery, error diagnostics, and similar work.
• Retention and use period: until the relevant processing agreement ends or you terminate your account.

The Company applies the protections required by the Korean Personal Information Protection Act (such as standard contractual clauses and certifications) to all entrusted work involving international transfers.

12. Rights of International Users

For users residing in the European Economic Area, the United Kingdom, or Switzerland, the Company relies on performance of a contract, legitimate interests, consent, and compliance with legal obligations as legal bases for processing. Such users have the rights of access, rectification, deletion, portability, restriction of processing, and objection under the GDPR.

California residents may have additional rights under the CCPA/CPRA, including the right to know what personal information is collected and how it is used, to delete or correct it, and to limit the use of sensitive personal information. The Company does not sell or share personal information for cross-context behavioral advertising.

Users residing in Japan may exercise rights to disclosure, correction, suspension of use, and deletion of retained personal data under the Act on the Protection of Personal Information (個人情報保護法).

13. Data Protection Officer

The Company has designated a Data Protection Officer to oversee personal-information processing and to handle complaints and remedies on behalf of data subjects:

• Data Protection Officer: Hunkyo Jung (정훈교)
• Position: Representative of ZMSM
• Contact: privacy@zmsm.io
• General inquiries and rights requests: support@zmsm.io

You may direct any personal-information question, complaint, or remedy request to the contacts above. The Company will respond and act without delay.

14. Remedies for Infringement

You may also contact the following Korean authorities for remedies and consultation regarding personal-information infringements:

• Personal Information Infringement Report Center (privacy.kisa.or.kr / dial 118 in Korea)
• Personal Information Dispute Mediation Committee (kopico.go.kr / 1833-6972)
• Supreme Prosecutors’ Office, Cyber Crime Investigation Division (spo.go.kr / 02-3480-3573)
• Korean National Police Agency, Cyber Investigation Bureau (ecrm.cyber.go.kr / dial 182 in Korea)

15. Changes to This Policy

If changes to laws, policies, or security practices require additions to, deletions from, or modifications of this Policy, the Company will announce them through in-Service notices at least seven (7) days before the effective date. For material changes that affect users’ rights, the Company will announce them at least thirty (30) days before the effective date and, where necessary, obtain renewed consent.

The "Effective" date at the top of this Policy indicates when the most recent changes were made.