Privacy Policy

beNX Co., Ltd. (hereinafter referred to as the “Company”) holds the personal data of its Weply service (hereinafter referred to as the “Service”) users (hereinafter referred to as the “Members”) to the upmost importance. Therefore, the Company has a strict privacy policy. Through this privacy policy (hereinafter referred to as the “Privacy Policy”), we inform our Members of the purpose and manner for which their personal data is being used and security measures the Company implements to safeguard the personal data. This Privacy Policy may be amended pursuant to changes in the applicable laws, regulations, and/or the Company’s policy, so please check the Privacy Policy from time to time for possible changes when using the Service.

Article 1 Purpose of collecting and using personal data

① The following personal data is collected by the Company from the Members when they sign up for or use the Service.

Classification Purpose of collection/use Items of personal data collected/used (collectively, “Collected Items”)
Required Information Registration for Weverse Account and Weply, service use and consultation, preventing and checking for illegal use, instructions regarding refunds and recalls ID (email), password, name, nationality (Korean/Foreigner)
Generated Information Service use and consultation, preventing and checking for illegal use, statistics/analysis Cookies, service use history (record of website visits, IP, history of unacceptable uses), device information (device identification number, OS version), purchase history
Additional information Delivery Recipient information (name, contact information, address)
User verification to confirm and prevent repeated fraudulent purchase/usage such as repeated purchase/usage when purchasing/using the products. Name, address, mobile phone number, and gender (optional)
Optional information Sending advertisements about the service. Email, AppPush

② The Company uses the information provided by the members, who agreed to the details under the Terms of Use (Article 2: Creation and Use of Weverse Accounts), to create Weverse accounts, and the members can use the connected services provided by the COMPANY by using the Weverse accounts created by the Company as above.

③ The Company collects personal data of the Members as above, but it does not collect sensitive personal data (e.g., race and ethnicity, ideology and beliefs, birthplace and domicile, political views and criminal record, health status and sex life) that may infringe upon the basic human rights of the Members and particular identification data.

④ The Company asks for permission to access the stored data or functions within a Member’s mobile device when the Members use the Service through a mobile application. When required, the Company asks for such permission in the form of either access that is necessary no matter what to provide the Service and access that is not, which can later be changed by the Member through the “Settings” option on their mobile device.

⑤ The Service is not intended for children (i.e., under 14 years old for Koreans and under 16 years old for foreigners). If the Company becomes aware that the collected personal data is from a child, we will delete the personal data and close the subject user’s account. If you believe that the Company has collected personal data from a child, please contact

Article 2 Use of personal data for purposes not consented to by members and provision of personal data to third parties

① The Company does not provide personal data of the Members to third parties; provided, however, this is not the case if otherwise provided for in an applicable law or the Member’s consent is obtained.

② The Company can get the consent of the users, if necessary, for the usage of service of the users, and consequently provide the personal information to a third party.

Personal Information Is Provided To Purpose Types of Personal Information Duration of Keeping and Usage of Personal Information
BIG HIT ENTERTAINMENT INC. Identity verification for events on, and service operation and analysis of Weverse Membership Information about the users of Weverse Membership for the artists of BIG HIT ENTERTAINMENT INC. (Name, gender, mobile phone number entered when purchasing Weverse membership; email address used to sign up for Weply, and the membership number) Until the expiration of Weverse Membership or the deletion of Weply accounts, or else.
INTERPARK CORP. User verification for the sale of tickets from Fan Club Raffle events offered to membership holders on Weverse Information about the users of Weverse Membership who won the Fan Club Raffle events (Last name, first name, Membership number on Weverse, and order number of Membership on Weverse) Until the end of the events
SOURCE MUSIC CO., LTD. Fan events and fan management for the holders of Weverse membership Information of the holders of Weverse membership for the artists of SOURCEMUSIC CO., LTD. (the name used when purchasing Weverse membership, gender, mobile phone number, and the email address used when signing up) Until the expiration of Weverse Membership or the deletion of Weply accounts, or else.

Article 3 The rights of the data subject

① Members can login to the Service and view/change their personal data through the MY > MY DATA section; provided, however, their ID (i.e., email) cannot be changed.

② In accordance with the restrictions and requirements under the relevant laws and regulations, the Members may exercise their rights relating to their personal data against the Company. For example, in Korea, a Member may request the Company to suspend its processing of his/her personal data, delete his/her personal data, and/or revoke consent to the Company’s collection/use of his/her personal data.

③ Should there are errors with the information entered, the members can request to correct their information. However, if the information before and after the correction shows that no errors were present at the time of request and if the members committed fraud by making the corrections, the Company will revoke the corrections and notify the reasons immediately.

④ Data subjects may exercise their rights set forth in this Article by contacting or

Article 4 Retention/use period of personal information

In principle, if the Company collects a Member’s personal data, the personal data is retained from the time of sign up until the cancellation of the Member’s account (including cancellation requested by the Member and cancellation by the Company itself based on its direct authority). When a member terminates his/her account, the Company shall destroy the Member’s personal data so it cannot be viewed or used; provided, however, in circumstances where the personal data is required to achieve the Company’s purposes of collection/use and/or where retaining the personal data is required or permitted by law, the Company may retain the Member’s personal data even after his/her account is terminated. For example, under the relevant Korean laws such as the Commercial Act, Act on Consumer Protection in Electronic Commerce (“E-Commerce Act”), Electronic Financial Transactions Act, Specialized Credit Finance Business Act, Framework Act on National Taxes, Corporate Tax Act, and the Value-Added Tax Act, and the Service’s internal regulations, information that can be used to identify a transacting party (e.g., name, address) and information that can be used to verify the rights and obligations of the transacting party with respect to the transaction may be retained by the Company even if the Member withdraws his/her consent to the use of the Service. Transaction records shall be retained as follows.

① Records relating to advertisement and labelling
- Grounds for retention: E-Commerce Act
- Duration of retention: six months

② Records relating to contracts, cancellation of service, etc.
- Grounds for retention: E-Commerce Act
- Duration of retention: five years

③ Records relating to payment settlement and supply of goods
- Grounds for preservation: E-Commerce Act
- Duration of retention: five years

④ Records relating to processing of consumer complaints and dispute resolution
- Grounds for retention: E-Commerce Act
- Duration of retention: three years

⑤ Information requested by an investigative agency pursuant to a search and seizure warrant
- Grounds for retention: Protection of Communication Secrets Act
- Duration of retention: six months

Article 5 Procedure and method for destroying personal data

In principle, once the personal data’s purpose of collection/use is achieved, the Company destroys the subject personal data without delay in accordance with the respective retention/use period. The procedure, method, and time for destroying personal data are as follows:

(1) Procedures for destroying personal data

① In the event that data provided by a Member when he/she signed up for membership must be retained or is permitted to be retained under an applicable law or regulation even after the purpose of collection/use is achieved, the data will be transferred to a separate database (if the data is provided in the form of a paper document, a separate filing cabinet), and destroyed after being retained for a certain period under the Company’s internal policy and other relevant regulations (see Article 4 (Retention/use period of personal data) above).

② The personal data that is moved to the separate database will not be used for purposes other than required or permitted by law.

(2) Methods for destroying personal data

① If stored in the form of electronic files, the personal data will be destroyed by technical means so that the records cannot be reproduced.

② If printed on paper, the personal data will be destroyed by shredding or incinerating the paper documents.

(3) Methods for destroying personal data of inactive accounts

Pursuant to Article 12 of weply’s Terms of Use, if a Member does not use the Service for at least one year, the Member’s inactive account may be terminated and the Member’s personal data may be destroyed.

The Company will notify Members at least 30 days prior to terminating an inactive account, and the notice will contain the following information:

- The fact that the Member’s personal data will be destroyed or separately stored

- Date and time of destruction

- The items of personal data to be destroyed

Notifications may be sent through email or other similar method.

As an exception, the information below may be maintained even after a year of inactivity.

- Where a Member and an information and communications service provider (e.g., the Company) enters into a separate agreement regarding the period of retention of personal data.

- Where the retention is required by applicable law or regulation

- For the prevention of fraudulent activities, emails of the deleted accounts will be encrypted with one-way password that renders decryption impossible and will be kept for 3 months, during which sign-ups are restricted.

- Once the 3-months period as explained above is over, the emails will be destroyed immediately.

Article 6 Operation of cookies

The Company uses cookies to save and occasionally search through data related to Members. Cookies are small text files sent from website servers to the user’s computer browser (e.g., Internet Explorer, Safari, Chrome, Firefox). Cookies identify the computers used by the Members but do not identify the individual Members themselves.

(1) Operation of cookies

① Provide differentiated information depending on the individual’s area of interest.

② Engage in targeted marketing by determining the Members’ preferences and areas of interesting based on an analysis of how often Members and non-Members visited the website and/or used the Service.

③ Provide personalized service to Members on their next visit/use by tracking content that the Members showed an interest in.

④ Use as criteria in deciding whether and how to improve the Service by analyzing the customers’ habits.

(2) Members’ options regarding cookies

By adjusting the web browser, the Members can choose whether to accept all cookies, to be notified when cookies are installed, or deny all cookies; provided, however, if a Member refuses to install cookies, he/she cannot use some of the services that require the Member to log in.

Below are the steps for changing the settings for installation of cookies on Internet Explorer:

① Under the [Tools] menu, select [Internet Options].

② Click the [Privacy] tab.

③ In the [Settings] section in the [Privacy] tab, the user can select the cookies setting by moving the slider. (Moving the slider to the top will block cookies from all websites and moving the slider to the bottom will allow cookies from all websites.)

(3) Cookies will expire once the user closes the browser or logs out of the browser.

Article 7 Technical/administrative measures for protecting personal data

(1) In processing personal data, the Company may take reasonable safety measures to ensure that personal data is not lost, stolen, leaked, altered, or damaged. The Company may use the following technical measures for such purpose.

① A Member’s personal data is protected by password and encrypted information. Even with these safety measures, there is still a high possibility that a Member’s password or personal data may be leaked to others if a Member accesses the Internet in a public area or through other means. As such, what is most important is to thoroughly protect the personal data of the Members as much as possible. Therefore, all Members should also be careful not to leak or provide their personal data to others, and take responsibility in managing their personal data. The Company is not responsible for problems that may arise from the Member’s own negligence or the inherent dangers of using the internet.

② Fundamentally, the Members’ personal data is protected by password and encrypted information. Files and transferred data are encrypted and important data is protected by separate security features.

③ The Company uses anti-virus software to prevent damages that arise from computer viruses and regularly updates the software.

④ To prevent leakage or damage of Members’ personal data from hackings, computer viruses, and other sources of intrusion, the Company maintains a 24-hour intrusion detection and intrusion prevention system that monitors possible threats from outside sources.

(2) The Company recognizes the importance of protecting personal data, so we limit the number of employees who process personal data to only those that are necessary. The Chief Privacy Officer (CPO) regularly educates/trains these employees to ensure the protection of the Members’ personal data. Also, the Company regularly reviews the relevant employees’ compliance with the provisions of this Privacy Policy, and where a violation is found, the Company orders the employees to correct/improve the violation and take any other necessary measures.

Article 8 Feedback and complaints

The Company operates a customer service center in order to facilitate communications with Members regarding any feedback or complaints they may have regarding the protection of their personal data.

In Korea, if a dispute arises between the Member and the Company with respect to personal data-related matters, the Member may contact any one of the following agencies and seek consultation regarding a possible privacy violation.

Agency Website Address (URL) Phone Number
Korea Internet & Security Agency 118
Personal Information Dispute Mediation Committee 1833-6972
Cyber Criminal Investigation, Supreme Prosecutor’s Office 1303
Cyber Terror Response Center of the National Police Agency 182

Article 9 Chief Privacy Officer

(1) The Company has designated a Chief Privacy Officer as below, and the Company’s internal department responsible for managing matters related to the processing of personal data always puts forth its best efforts to protect your valued personal data.

Any Member who has any questions, comments, or complaints relating to his/her personal data, please reach out to one of the contacts listed below through email or by phone. The Company will make every effort to respond promptly and with sincerity.

Chief Privacy Officer
Name (Position) Bae Sang Hun (CPO)
Phone Number (+82)-2-2097-1830
Department responsible for processing complaints
Name of Department Service Operations Department
Phone Number (+82)-2-2097-1830

Article 10 Outsourcing of the processing of personal data

In order to provide the Service to the Members, carry out the Service agreements entered into with the Members, and promote the convenience of the Members, the Company outsources the processing of the Members’ personal data to Korean and foreign third-party service providers (“Outsourced Processors”) specializing in data processing where necessary and within the scope disclosed under this Privacy Policy.

1) Outsourcing of processing to Korean third-party service providers:

Outsourced Processor Tasks that are outsourced
DMC System Co., Ltd. Customer service center system operation and customer consultation
Hanaro TNS Co., Ltd. Delivery service
NHN KCP Corp. Processing of credit card payments
KRP, Inc. Processing of credit card payments
Amazon Web Services, Inc. Cloud server operation and management
NHN, Inc. Outsourcing of SMS text messaging
Interpark, Inc. User verification upon the sale of the tickets of the event offered to users of Weverse Membership

2) Outsourcing of processing to foreign third-party service providers (i.e., cross-border transfer of personal data):

Recipient Country where personal data is transferred Date, time and method of transfer Items of personal data that are transferred Purpose of use; retention/use period
Zendesk USA Transmitted via the network when a 1:1 customer inquiry is registered and/or email is sent. Collected Items listed in Article 1 above Used to process customer complaints and is retained until membership withdrawal or termination/ expiration of the outsourcing agreement.
Amplitude USA Transmitted via the network when the Member uses the Service. Items listed as “Generated Information” in Article 1 above Used to improve the Service through big data analysis and is retained until membership withdrawal or termination/expiration of the outsourcing agreement.
Paypal USA Transmitted via the network when the Member uses the Service. Collected Items listed in Article 1 above Used to process foreign currency payments and is retained until membership withdrawal or termination/expiration of the outsourcing agreement.
Twilio USA Transmitted via network during sign-ups Emails listed in Article 1 above
Mobile phone numbers listed in Article 1 above
Used to process sign-ups, product purchases, outsourcing of SMS text messaging to users, account deletions, or termination/expiration of the outsourcing agreement.

When entering into an outsourcing agreement with an Outsourced Processor, the Company makes sure that the following provisions are included in the agreement: prohibition on processing personal information for purposes outside the initial scope of processing tasks that were outsourced, technical and managerial safeguards, restrictions on subcontracting by the Outsourced Processor, matters relating to the supervision of the Outsourced Processor, and liability for damages that may arise out of a violation of the Outsourced Processor’s obligations. The Company also supervises the Outsourced Processor to ensure that it securely processes the personal data.

If there are any changes to the tasks to be outsourced or the list of Outsourced Processors, they will be reflected in this Privacy Policy without delay.

Article 11 Notification obligation

This Privacy Policy was promulgated on June 3, 2019. Any changes (e.g., addition, deletion or revision) to this Privacy Policy pursuant to amendments in the Company’s or Korean government’s policy will be notified in advance to the Members on the Company’s website. For material changes that may significantly impact the Members’ rights, notice will be given 30 days prior to the scheduled effective date of such changes.

Privacy Policy version number: V1.8

Effective date: 2019.10.21