XLGAMES, Inc. ("Company") legally processes and safely manages personal information in compliance with the Personal Information Protection Act and related laws of the Republic of Korea to protect the freedom and rights of data subjects. However, if the laws of a specific country or region require additional protection, users of that country or region will be protected by the privacy laws of that country or region.

In accordance with Article 30 of the Personal Information Protection Act of the Republic of Korea, the Company establishes and discloses the following personal information processing policy to inform data subjects of the procedures and standards for processing and protecting personal information and to promptly and smoothly handle any complaints related thereto.

Article 1. Items of Personal Information Processed

The Company collects and uses personal information to the minimum extent necessary to provide services in accordance with the Personal Information Protection Act and processes the following personal information items with the consent of the data subject in accordance with Article 15, Paragraph 1, Subparagraph 1 and Article 22, Paragraph 1, Subparagraph 7 of the Personal Information Protection Act.

1. Game Service Operation

• Legal Basis: Article 15, Paragraph 1, Subparagraph 1 (Consent of the Data Subject) and Subparagraph 4 (Contract Performance) of the Personal Information Protection Act
• Personal Information Items: Nickname, (*)SteamID64, platform nickname, purchase history (purchase date and time, item name, order number, amount), survey response (including gender, age, region, language, and country), mobile phone number
• (*)SteamID64 is a user identification code generated when you sign up for a platform like Valve Corporation's Steam. The privacy protection of this information lies with each platform. When you use game services through the platform, the Company receives this value and uses it to distinguish you from other users. However, the Company does not have access to or retain any information you provide to the platform (i.e., your name, contact information, or payment information).
• While operating the game service, consent history regarding terms and conditions and personal information processing (user identifier; consent date and time; IP address), service use history (user identifier; visit date and time, such as access record), IP address, record of abuse (sanction history), purchase history (purchase date and time, item name, order number, and amount, game currency use history), device information (settings, specifications, OS and version), system information (client and browser information), local and language settings, product identification, GUID (Globally Unique Identifier), error and log information, chat history, and cookies may be created and collected.

2. Customer Support Service

• Legal Basis: Article 15, Paragraph 1, Subparagraph 1 (Consent of the Data Subject) and Subparagraph 4 (Contract Performance) of the Personal Information Protection Act
• Personal Information Items: Nickname (depending on the inquiry channel), email address, content of inquiry, platform ID (if applicable), and primary language
• The Company may use the information collected and generated for the purpose of "Game Service Operation" based on the contents of your inquiry.
• In-game information (including build information and language used) may be created and collected during the process of providing customer support services.

3. Provision of Promotions Such as Events

• Legal Basis: Article 15, Paragraph 1, Subparagraph 1 (Consent of the Data Subject) and Article 22, Paragraph 1, Subparagraph 7 (Promotion of Goods or Services) of the Personal Information Protection Act
• Personal Information Items: Email address, nickname, and information required to deliver prizes (if applicable)
• When providing promotions such as events, in accordance with Article 15, Paragraph 3 of the Personal Information Protection Act, the Company may additionally use the information collected and created for the purpose of "Game Service Operation" of this policy without consent* in order to select and contact winners and confirm winner information. *This information is used without your consent for additional use (1) to provide promotions in accordance with your choice, such as events, and (2) on the basis that it does not unfairly infringe on the interests of the data subject.
• If applicable, additional personal information (name, address, mobile phone number, and for prizes exceeding 50,000 won, resident registration number) may be requested based on the prize in accordance with Article 15, Paragraph 1, Subparagraph 2 (Legal Compliance) for tax and public charge purposes.

4. Official Homepage Service

• Legal Basis: Article 15, Paragraph 1, Subparagraph 1 (Consent of the Data Subject) of the Personal Information Protection Act
• Personal Information Items: Access logs (visit date and time), IP address (non-identifiable processing), browser/device information, language settings, cookie information
• The collected information is limited to data that cannot directly identify individuals on its own and will not be used for any purpose other than ensuring the stable operation of the official homepage and improving service quality through usage statistics analysis.

Article 2. Purpose of Collection and Use of Personal Information

"Personal information" refers to information about a living individual that can identify the individual based on the information contained therein (including information that cannot identify a specific individual by itself but can be easily combined with other information to identify the individual). The purpose of collecting and using personal information collected by the Company is as follows.

1. Game Service Operation

• User Identification and Service Provision: Distinguishing users through nicknames, platform identifiers (such as SteamID64), and platform nicknames to ensure the smooth provision of game services
• Payment and Currency Management: Verifying purchase history, managing order numbers, and tracking of in-game currency usage
• Service Stability and Prevention of Abuse: Blocking abnormal users and enhancing security via access logs, IP addresses, abuse records, and device/system information
• Service Quality Improvement: Optimizing service based on statistics and improving game environment through local/language settings, error and log analysis, and survey responses (gender, age)

2. Customer Support Service

• Customer Support and Processing of Complaints: Verifying users upon inquiry, responding via email, and ensuring a smooth communication channel
• Technical Support: Identifying technical errors and providing consultation services through verification of in-game information and service usage records

3. Provision of Promotions Such as Events

• Operation and Management of Events: Confirming promotion participation, selecting winners, distributing prizes, and notifying users
• Compliance With Legal Obligations: - Processing tax and public charges and related reporting for prize distribution in accordance with applicable laws and regulations (name, address, mobile phone number, and for prizes exceeding 50,000 won, resident registration number)

4. Official Homepage Service

• Web Service Optimization: Ensuring stable operation of the homepage through visit dates and times, IP addresses, and browser/device information
• Statistical Analysis: Improving service quality and user convenience through usage statistics analysis (limited to information that cannot individually identify a person)

Article 3. Processing of Personal Information and Retention Period

① The Company processes and retains personal information within the retention/usage period stipulated by law or within the retention/usage period agreed upon by the data subject at the time of collection of personal information.

② The processing and retention periods for each piece of personal information are as follows.

[Retention of Personal Information Based on Company's Internal Policy]

• Records regarding abuse prevention: 1 year
• Records regarding non-member inquiries: 1 year

[Retention of Personal Information Based on Relevant Laws]

1. Act on the Consumer Protection in Electronic Commerce (Article 6)

• Records regarding a contract or purchase cancellation: 5 years
• Records of payment or provision of currency: 5 years
• Records regarding consumer complaints or dispute resolution: 3 years
• Records regarding advertisements/displays: 6 months

2. Framework Act on National Taxes (Article 85-3), Corporate Tax Act (Article 116), Income Tax Act (Article 160-2)

• Books and supporting documents related to transactions stipulated by tax laws: 5 years

3. Electronic Financial Transactions Act (Article 22)

• Records of electronic transactions: 5 years

4. Protection of Communications Secrets Act (Article 15-2)

• Personal information related to service use (login history): 3 months

Article 4. Procedures and Methods for Destroying Personal Information

① The Company destroys personal information without delay when the personal information becomes unnecessary, such as when the retention period for personal information has expired or the purpose of processing has been achieved.

② In cases where the retention period for personal information agreed upon by the data subject has expired or the purpose of processing has been achieved, but personal information must be retained in accordance with the Company's internal policy or other laws and regulations, the personal information will be transferred to a separate database (DB) or stored in a different location. ※ The items of personal information to be retained and the basis for retention can be confirmed in Article 3, "Processing of Personal Information and Retention Period."

③ Personal information transferred to a separate database will not be used for any other purpose than that for which it is retained, except in cases required by law or for processing business when re-registering.

The procedures and methods for destroying personal information are as follows.

1. Procedures The Company stores personal information for a certain period of time in accordance with the Company's internal policy and other relevant laws and regulations (Article 3, Processing of Personal Information and Retention Period) and then destroys it.

2. Methods The Company destroys personal information recorded and stored in electronic file format using a technical method that renders the records unrecoverable, and destroys personal information recorded and stored in paper documents by shredding or through incineration.

Article 5. Entrustment of Personal Information Processing Tasks

① To ensure efficiency in processing personal information, the Company entrusts personal information processing tasks as follows, and in accordance with Article 26 of the Personal Information Protection Act, the Company specifies in documents such as contracts matters related to responsibilities such as prohibition of processing personal information for purposes other than the performance of the entrusted work, technical and administrative protection measures, restrictions on re-entrustment, management and supervision of the trustee, and compensation for damages, and oversees whether the trustee safely processes personal information.

1. Domestic Personal Information Processing Trustees

• Trustee: Wellbia.Com Co., Ltd

  Entrusted Task: Provision of PC client security services

  Personal Information Retention/Usage Period: Destroyed without delay upon termination of entrustment contract or withdrawal from service

• Trustee: QROAD Inc.

  Entrusted Task: Infrastructure operation/management for customer support operation

  Personal Information Retention/Usage Period: Destroyed without delay upon termination of entrustment contract or withdrawal from service

② In accordance with Article 26, Paragraph 6 of the Personal Information Protection Act, the Company's consent is required when re-entrusting a trustee with the processing of personal information.

③ If there is a change in the content of the entrusted work or the trustee, the Company will disclose it without delay through this Privacy Policy.

Article 6. Overseas Collection and Transfer of Personal Information

In order to provide services, the Company entrusts processing and storage of personal information through contracts with foreign companies in accordance with Article 28-8, Paragraph 1, Subparagraph 3 of the Personal Information Protection Act (entrustment of processing and storage for contract performance).

• Trustee: Amazon Web Services Inc.

Transmitted Information: SteamID64, nickname, game usage history, access logs, etc.

Entrusted Task: Cloud service operation and management

Transmitted Country: United States, Germany, Japan, Taiwan, Singapore, Hong Kong

Transmit Date and Method: Transmission over the network at the time of service use

Personal Information Retention/Usage Period: Destroyed without delay upon termination of entrustment contract or withdrawal from service

How to Refuse: You may refuse the cross-border transmission of your personal information; however, as this is an essential element for service provision, refusal may result in restrictions on service use. In such cases, please express your refusal by withdrawing from the service or contact us via the contact information provided in Article 10.

• Trustee: Google LLC

Transmitted Information: Non-personally identifiable information such as access logs and cookie data

Entrusted Task: Website usage statistics analysis, service quality improvement, and media content provision

Transmitted Country: United States

Personal Information Retention/Usage Period: Upon termination of the entrustment contract or 14 months from the date of data collection

How to Refuse: Use Google's opt-out tool or refer to the settings method outlined in the "Cookie Policy" specified in the footer of the official homepage.

Article 7. Personal Information Safety Measures

When processing your personal information, the Company implements the following technical/administrative measures to ensure security and prevent personal information from being lost, stolen, leaked, altered, or damaged.

1. Technical Measures The Company makes every effort to prevent the leakage or damage of users' personal information due to hacking or computer viruses. To prepare for damage to personal information, data is being backed up on a regular basis while the latest antivirus programs are being used to prevent the leakage or corruption of users' personal information and data. The Company also ensures the secure transmission of personal information over networks through encrypted communication. Furthermore, any unauthorized external access is being monitored using intrusion prevention systems. The Company always strives to implement all possible technical measures to ensure system security.

2. Administrative Measures

1) The Company limits the handling of personal information to only those in charge, and issues separate passwords for these employees, which are regularly updated. In addition, the Company constantly emphasizes compliance with the Company's Privacy Policy on handling personal information through regular training for those in charge.

2) The Company strives to ensure compliance with the Company's Privacy Policy and the person in charge through the Company's internal organization for personal information protection, etc., and to immediately correct and rectify any problems when discovered.

3) The Company provides regular in-house or external training to employees who handle personal information on new security technologies and personal information protection obligations.

4) The transfer of duties in handling personal information is carried out thoroughly while maintaining security, and responsibility for any issues regarding personal information before and after employment is clearly defined.

5) The Company is not responsible for any personal information leaks that may occur due to your own mistakes or the inherent risks of the internet. You must properly manage your accounts and passwords to protect your personal information and take responsibility for them.

Article 8. Installation/Operation of Automatic Personal Information Collection Devices and Refusal Thereof

<Installation/operation of automatic personal information collection devices>

① The Company may use essential cookies to provide basic website functionality while users are on the official homepage, and may use analytics cookies and marketing cookies for usage statistics analysis with user consent. Analytics cookies are used to statistically analyze website usage through external analytics tools such as Google Analytics, and the collected information is processed to be non-identifiable.

② Cookies are small text files stored on a user's device via a web server. The Company may use cookies within the minimum necessary scope for service provision and stable operation. In this process, cookies do not directly identify individuals and may be used as technical identification information to maintain login status, security, and usage environment.

③ Users have the option to manage the storage of all cookies by adjusting settings in their web browser or through the cookie settings provided on the official homepage. However, refusing to store cookies may place restrictions on some of the services.

For detailed information about cookie types, usage purposes, management, and opt-out methods, please refer to the "Cookie Policy" in the footer of our official homepage.

▶ Deleting cookies from web browser

• Chrome: Settings > Privacy and security > Delete browsing data
• Edge: Settings > Cookies and site permissions > Manage and delete cookies and site data

Article 9. The Rights, Obligations, and Exercise Methods of the Data Subject and Legal Representative

① In accordance with the relevant laws and regulations, the data subject has the right to access, modify, delete, suspend processing, withdraw consent, reject automated decisions, or request explanations of personal information ("Information Access, Etc."). If you have any questions regarding matters related to personal information, please contact the Personal Information Protection Officer via email (privacy@xlgames.com). The officer will verify your identity through reasonable means. The Company will faithfully respond to the exercise of data subjects' rights in accordance with relevant personal information protection laws and regulations.

② Each of the rights of the data subject in Paragraph 1 of this Article may be exercised through the data subject's legal representative. In this case, the legal representative has all the rights of the data subject.

③ When the legal representative of the data subject requests Information Access, Etc., the Company may request additional evidence, such as submission of a power of attorney in the format of Appendix 11 of the "Notice on Methods of Personal Information Processing," to confirm whether the representative has legitimate authority.

④ The Company will provide Information Access, Etc. within 10 days of a request from the data subject or their legal representative ("Data Subject, Etc."). However, if there are legitimate reasons preventing access within this period, the Company may notify the data subject and extend the deadline. Once the restricting reasons are no longer valid, the Company will promptly provide Information Access, Etc.

⑤ In response to a request for correction or deletion from the Data Subject, Etc., the Company will correct or delete the relevant personal information within 10 days and notify the results, except in cases where other laws require procedures. However, if deletion is not possible, such as when the relevant personal information is explicitly designated as a target of collection under other laws, the Company will notify the Data Subject, Etc.

⑥ Requests for access to and processing of personal information of the Data Subject, Etc. may be restricted under Article 35, Paragraph 4, and Article 37, Paragraph 2, of the Personal Information Protection Act, and if the personal information is specified as a target of collection in other laws, the deletion of the personal information cannot be requested.

⑦ If you have given your separate consent to the automated decision-making process, have been notified in advance through a contract or other means, or are otherwise explicitly stipulated by law, you may not object to automated decisions. Only requests for explanation and review are permitted. Furthermore, requests for objection or explanation regarding automated decisions may be denied if there are reasonable grounds, such as concerns about unjustified harm to the life, body, property, or other interests of others.

Article 10. Privacy Officer, Personal Information Department, and Customer Support

① The Company is responsible for overall management of personal information processing and has designated a Privacy Officer as follows to handle complaints and provide remedies to data subjects related to personal information processing.

▶ Personal Information Protection Officer

Name: Kim Kyoung Min

Position: Head of Infrastructure Department

Email: privacy@xlgames.com

▶ Customer Support

Customer Support: https://help.rebotspro.com/thecube

② The data subject may inquire about all personal information protection-related matters, including inquiries, complaints, and damage relief, that arise while using the Company's services to the Personal Information Protection Officer or the responsible department. The Company will promptly respond to and process the data subject's inquiries.

Article 11. Remedies for Infringement of the Rights of Data Subjects

In order to seek relief for personal information infringement, the data subject may apply for dispute resolution or consultation to the Personal Information Dispute Mediation Committee of the Republic of Korea, the Privacy Infringement Reporting Center of the Korea Internet & Security Agency (KISA), etc. For other reports or consultations on personal information infringement, please contact the organizations below.

• Privacy Infringement Reporting Center (https://privacy.kisa.or.kr/ or dial "118" without area code)
• Personal Information Dispute Mediation Committee (https://www.kopico.go.kr/ or dial "1833-6972")
• Cybercrime Investigation Division of the Supreme Prosecutors' Office (https://www.spo.go.kr/ or dial "1301" without area code)
• Cyber Bureau of the National Police Agency (https://ecrm.police.go.kr/ or dial "182" without area code)
• Mobile/ARS Payment Arbitration Center (http://www.spayment.org/ or dial "02-1644-2367")

Announcement Date: February 4, 2026

Effective Date: This Privacy Policy takes effect on February 11, 2026.