Effective: May 5, 2026 | TWOD Studio Co., Ltd.
TWOD Studio Co., Ltd. (hereinafter "Company") collects the following personal information to provide the Service.
[Required Information]
• At registration: Email, password, nickname
• Social login (Google): Email, name, profile image (provided by Google)
• At payment: Payment metadata received from the international Merchant of Record — Polar Software Inc. The metadata includes order ID, amount, currency, payment method type, last 4 digits of the card, billing country, and transaction status. The Company does not directly receive or store full credit card numbers, CVV, or full billing addresses — these are handled solely by the Merchant of Record.
• At registration: Country of residence (used for age verification method and service localization)
[Automatically Collected Information]
• Service usage records, access logs, IP address, browser information
• Device information (mobile/desktop, OS type, device model)
• Viewing history, search history
• Analytics identifiers and event data via Google Analytics 4 (GA4 Client ID, page views, custom events) and Vercel Analytics (Web Vitals, route timing). These tools may set cookies; see §10.
The Company uses collected personal information for the following purposes:
• Member management: Member identification, verification of intent to register, prevention of fraudulent use
• Service provision: Content delivery, purchases and payments, personalized service
• Payments and settlement: Coin top-up, Membership payments, and refund processing (refunds for international transactions are issued by Polar Software Inc. as Merchant of Record)
• Customer support: Inquiry processing, notices and announcements
• Service improvement: Usage statistics analysis (via GA4 / Vercel Analytics), service improvement, and new service development
The Company promptly destroys personal information once the purpose of collection and use has been achieved. However, where retention is required by applicable law, information is retained for the following periods:
• Records related to contracts or withdrawal of subscription: 5 years
• Records related to payment and supply of goods/services: 5 years
• Records related to consumer complaints or dispute resolution: 3 years
• Access log records: 3 months (or as required by applicable law)
• Age verification data (self-declared age confirmation, e.g., "I am 18 or older" affirmation): Until account withdrawal (immediately destroyed upon withdrawal)
Note: Payment records held by the international Merchant of Record are retained independently of the Company's retention policy above. Polar retains transaction records in accordance with its own retention policy and applicable U.S. (Delaware) tax/accounting laws and EU VAT legislation (Polar is registered for EU VAT through the Irish OSS scheme under VAT number EU372061545).
The Company does not, in principle, provide users' personal information to third parties. Exceptions include:
• When the user has given prior consent
• When required by law or regulation
• When minimum necessary information is provided to the international Merchant of Record — Polar Software Inc. — for transaction processing, including refund and chargeback handling
The Company outsources personal information processing for service provision as follows:
| Service Provider | Purpose | Location |
|---|---|---|
| SproutVideo | Video streaming hosting | United States |
| Vercel | Website hosting and analytics (Web Vitals) | United States |
| Amazon Web Services | Data storage and server operation | Republic of Korea (Seoul Region) |
| NHN Cloud | Email and notification delivery | Republic of Korea |
| Google (Google Analytics 4 / BigQuery) | Service usage analytics | United States / Multi-region |
Independent Data Controller (not outsourcing): The following entity acts as Merchant of Record for international payment transactions and, in that capacity, independently determines the means and purposes of processing the payment-related personal data it collects (card details, billing address, email, transaction records, fraud-screening data). It is therefore an independent data controller, not a processor acting on the Company's instructions.
• Polar Software Inc. — 3500 South DuPont Highway, Dover, DE 19901, USA (a Delaware C Corporation; EU VAT EU372061545). Processing governed by Polar's Privacy Policy. Polar acts as an independent data controller with respect to checkout and customer-facing personal data (including card details, billing address, email, transaction records, and fraud-screening data), and as a data processor with respect to information the Company shares with Polar to provide the Service. Polar's payment processing is performed via PCI-DSS Level 1 certified upstream payment infrastructure (Stripe).
The independent controller is identified on the checkout page and on the receipt issued for each transaction.
The Company's primary servers are located in the Republic of Korea (AWS Seoul Region). By using the Service, you acknowledge that the personal information you provide directly to the Company is transferred to and processed in the Republic of Korea. The Company takes appropriate measures to protect your data in accordance with applicable data protection laws.
Transfers to the United States: For international payment transactions, payment-related personal data (card details, billing address, email, transaction records, fraud-screening data) is transferred directly to and processed by Polar Software Inc. in the United States as an independent data controller. Polar additionally engages PCI-DSS Level 1 certified upstream infrastructure (Stripe, located in the United States) as a sub-processor for card processing. Video streaming hosting (SproutVideo), website hosting (Vercel), and analytics (Google Analytics 4) likewise involve transfer to the United States. For users in the European Economic Area (EEA), the United Kingdom, and Switzerland, such transfers rely on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and equivalent safeguards as set out in each provider's privacy policy. Disputes arising under the SCCs entered into between the Company and Polar are governed by the laws of Sweden, as set out in Polar's Data Processing Addendum.
For users residing in Japan: In compliance with the Act on the Protection of Personal Information (個人情報保護法 / APPI), the Company notifies that your personal information is transferred to and stored on servers in the Republic of Korea, and that payment-related personal data is transferred to the United States via Polar Software Inc. as Merchant of Record. The Republic of Korea has been recognized by Japan's Personal Information Protection Commission (PPC) as a country with a data protection system of equivalent standards. For U.S. transfers, Polar maintains contractual safeguards consistent with APPI through its own privacy commitments and through Standard Contractual Clauses or equivalent mechanisms.
Where the EU General Data Protection Regulation (GDPR) or the UK GDPR applies, the Company processes personal information on the following legal bases (Article 6 GDPR):
• Performance of a contract (Art. 6(1)(b)): Account creation, content delivery, payments, refunds, and customer support.
• Compliance with a legal obligation (Art. 6(1)(c)): Tax, accounting, age verification, and consumer protection record-keeping.
• Legitimate interests (Art. 6(1)(f)): Fraud prevention, network and information security, service analytics, and product improvement, balanced against the rights and freedoms of data subjects.
• Consent (Art. 6(1)(a)): Optional cookies and marketing communications (where applicable).
Special categories of data (Art. 9 GDPR) are not intentionally collected by the Company.
Users may exercise the following rights regarding their personal information at any time:
• Right to access personal information
• Right to request correction of personal information
• Right to request deletion (erasure) of personal information
• Right to request suspension or restriction of processing
• Right to data portability — receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller (where required by GDPR / UK GDPR / APPI)
• Right to object to processing based on legitimate interests, including profiling
• Right to withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal
• For California residents (CCPA/CPRA): right to know, delete, correct, opt-out of "sale" or "sharing" of personal information, and limit the use of sensitive personal information. The Company does not "sell" personal information for monetary consideration.
These rights may be exercised through the account settings page or by submitting a 1:1 inquiry. For matters specifically concerning payment data processed by the international Merchant of Record (e.g., card transaction records, billing address), users may also contact Polar's privacy team directly at privacy@polar.sh or via polar.sh/legal/privacy. Polar has not designated a separate Data Protection Officer; data subject requests are handled by the privacy team at the same address.
For users residing in Japan: In accordance with APPI, you have the right to request disclosure, correction, deletion, or cessation of use of your personal information. Requests will be processed in accordance with applicable Japanese law.
Users also have the right to lodge a complaint with the data protection supervisory authority of their country of residence.
The Company promptly destroys personal information when the retention period has expired or the processing purpose has been achieved.
• Electronic files: Permanently deleted using methods that prevent recovery
• Paper documents: Shredded or incinerated
The Company implements the following measures to ensure the security of personal information:
• Password encryption (bcrypt hashing)
• Encryption of data in transit (HTTPS/TLS)
• Access control and authorization management
• Retention of access logs
• PCI-DSS compliant payment processing handled by the international Merchant of Record. Polar Software Inc. processes card payments through PCI-DSS Level 1 certified upstream infrastructure (Stripe). The Company's systems do not store full card data.
The Company uses cookies and similar technologies for user convenience and analytics.
• Strictly necessary: session and authentication cookies (e.g., NextAuth session, country detection)
• Functional: user preferences such as language and locale
• Analytics: Google Analytics 4 and Vercel Analytics for usage and performance measurement
• Payment provider cookies: The international Merchant of Record may set cookies during its checkout flow for fraud prevention and session continuity. Polar cookies (and the cookies set by Polar's upstream provider Stripe) are governed by Polar's Privacy Policy.
• How to reject cookies: You may enable or block cookies in your browser settings. Blocking strictly necessary cookies may prevent core functions (login, payment).
The Company has designated the following person as the Privacy Officer responsible for overseeing personal information processing:
• Privacy Officer: Park Kyung-oh (CEO)
• Email: contact@twodstudio.com
Users may contact the Privacy Officer for any inquiries, complaints, or remedies related to personal information protection.
For matters specifically concerning payment data processed by the international Merchant of Record (international transactions only), users may contact Polar's privacy team directly at privacy@polar.sh or via polar.sh/legal/privacy.
This Privacy Policy may be updated due to changes in laws, policies, or security technologies. The Company will announce any changes at least 7 days before the effective date through the Service's notice board. Material changes that adversely affect users will be announced at least 30 days in advance and, where required, the user's renewed consent will be obtained.
Effective Date: May 5, 2026
