Effective Date: May 29, 2026
MakeStar Co., Ltd. (hereinafter the "Company") processes personal information lawfully and manages it securely in compliance with the Personal Information Protection Act and related laws and regulations to protect the freedom and rights of data subjects. Accordingly, pursuant to Article 30 of the Personal Information Protection Act, the Company establishes and discloses this Privacy Policy to inform data subjects of the procedures and standards for processing and protecting personal information, and to ensure that related grievances can be handled promptly and smoothly.
Table of Contents
The Company processes members' personal information for the following purposes and does not use it for any other purposes.
The Company collects only the minimum personal information necessary for service operation. If additional personal information is required for service use, it will be collected based on legal grounds for personal information processing. The specific items of personal information collected and their purposes of use are as follows.
The Company processes the following personal information items without the data subject's consent.
[Mandatory Processing Items]
Legal Basis:
| Service Name | Category | Collection Items | Purpose of Collection | Retention and Use Period |
|---|---|---|---|---|
| Integrated Members (MakeStar, Poca Album) |
Sign Up (Email) | Email address, password | Member identification and verification, delivery of notices and announcements to members, receipt of member consultations and complaints, notification of processing results | 3 months after membership termination or the period specified by relevant laws and regulations |
| Service Usage | Service usage records, access logs, access IP, device information | Retention of communication confirmation data, prevention of fraudulent use, service quality improvement | 3 months under the Protection of Communications Secrets Act (website visit records); otherwise 3 months after membership termination | |
| MakeStar | Product Ordering and Shipping | Buyer information (email), payment information (payment method, payment currency, payment amount, payment date/time, payment authorization number), shipping address (shipping country/region, recipient, email, phone number, address, tax identification number) | Ordering, payment, product delivery, and returns | 3 months after membership termination or the period specified by relevant laws and regulations |
| Funding or Product-Related Event Entry | Name, email address, applicant nationality, applicant language, contact information, date of birth, messenger information | Product-related funding and event participation | 1 year after the event ends (participation information for non-winners is retained for 1 year after the winners are announced) | |
| Refund Processing | Account bank, account number, account holder name | Refund measures | Within 3 months after the refund is completed or the period specified by relevant laws and regulations | |
| Winner Announcement and Prize Receipt | Event participant name (Korean), event participant name (English), phone number, email for receiving winning notification, date of birth, phone number, country and address for receiving event prize | Winner announcement, guidance on prize receipt | 1 year after winner announcement and prize receipt | |
| Event/Partnership Inquiries | Name/Company name, email, phone number | Event proposals and B2B transactions | Period of 3 years as stipulated by relevant laws and regulations | |
| Contact Us | Email address, order number | Contact us | Period of 3 years as stipulated by relevant laws and regulations | |
| DreamStar Charging and Ordering | Buyer information (email), payment information (payment method, payment amount, payment date/time, payment authorization number) | Star charging and purchase | 3 months after membership termination or the period specified by relevant laws and regulations | |
| Poca Album | Contact Us | Email address | Contact us | Period of 3 years as stipulated by relevant laws and regulations |
| Feed | Profile photo, nickname, feed content | Posting to the feed | 3 months after membership termination or the period specified by relevant laws and regulations |
[Mandatory Processing Items] When Receiving Personal Information from Other Than the Data Subject
| Service Name | Category | Collection Items | Purpose of Collection | Retention and Use Period |
|---|---|---|---|---|
| Integrated Members (MakeStar, Poca Album) |
Sign Up (SNS) |
Kakao: Birthday, Kakao account (email), gender, year of birth, nickname, name Naver: User identifier, name, email address, alias, gender, birthday, year of birth Google: Name, profile photo, email Apple: Email |
Member identification and verification, delivery of notices and announcements to members, receipt of member consultations and complaints, notification of processing results | 3 months after membership termination or the period specified by relevant laws and regulations |
[Optional Processing Items]
| Service Name | Category | Collection Items | Purpose of Collection | Retention and Use Period |
|---|---|---|---|---|
| Integrated Members (MakeStar, Poca Album) |
Marketing and Advertising Use | MakeStar: ID (email address), PUSH token Poca Album: PUSH token |
Information, advertising, promotions, publicity, events, and benefits related to services provided by the Company, marketing-related notifications 'Includes push notifications sent via Firebase Cloud Messaging' |
3 months after membership termination or the period specified by relevant laws and regulations |
| Integrated Members (MakeStar, Poca Album) |
Advertising Identifier Collection and Use | Advertising identifier (Android ADID, iOS IDFA) | Analysis of behavioral information for the Company's services, measurement of personalized advertising/marketing effectiveness, prevention of fraudulent use | Until membership termination or until the user resets/restricts the advertising identifier in OS settings · How to refuse: See Article 11 ④ (Refusal of Advertising Identifier) of this Policy |
| Integrated Members (MakeStar, Poca Album) |
Service Usage | Service usage records, access logs, access IP, device information | Service provision and quality improvement, prevention of fraudulent use within services, development of new services/technologies, provision of personalized services | 3 months after membership termination or when cookies are blocked |
| MakeStar | Edit Member Information | Real name, nickname, date of birth, gender, country/region of residence, phone number | Edit member information | 3 months after membership termination or the period specified by relevant laws and regulations |
① The Company processes and retains personal information within the retention and use period prescribed by law or within the retention and use period set by the Company.
② If a user agrees to the terms of service and registers as a member, the Company retains the member's personal information until the member terminates the service use contract or withdraws from membership. However, the Company may retain personal information until the end of the relevant cause in the following cases.
③ The Company may retain personal information in accordance with relevant laws as follows.
| Stored Information | Retention Period | Legal Basis |
|---|---|---|
| Records on payment and supply of goods, etc. | 5 years | 『Act on the Consumer Protection in Electronic Commerce, etc.』 |
| Records on contracts or withdrawal of subscription, etc. | 5 years | 『Act on the Consumer Protection in Electronic Commerce, etc.』 |
| Records on consumer complaints or dispute handling | 3 years | 『Act on the Consumer Protection in Electronic Commerce, etc.』 |
| Records on display/advertising | 6 months | 『Act on the Consumer Protection in Electronic Commerce, etc.』 |
| Records on electronic financial transactions | 5 years | 『Electronic Financial Transactions Act』 |
| Website visit records | 3 months | 『Protection of Communications Secrets Act』 |
| Records on collection, processing, and use of credit information, etc. | 3 years | 『Act on the Use and Protection of Credit Information』 |
① For smooth service provision, the Company provides personal information only to the minimum necessary extent with the consent of the data subject in accordance with Article 17(1)(1) of the 「Personal Information Protection Act」 in the following cases.
Legal Basis: Article 17(1)(1) of the Personal Information Protection Act (when the data subject's consent is obtained)
| Recipient | Purpose of Provision | Information Provided | Retention and Use Period |
|---|---|---|---|
| Agency | Event entry and participation | Name, email address, applicant nationality, applicant language, contact information, date of birth, messenger information | 1 year after the event ends However, participation information for non-winners is retained for 1 year after the winners are announced |
① For smooth processing of personal information, etc., the Company entrusts personal information processing tasks as follows.
| Trustee | Entrusted Tasks |
|---|---|
| Toss Payments Co., Ltd., Eximbay Co., Ltd. | Electronic payment services |
| Hanjin Co., Ltd., Korea Post Office (EMS), Federal Express Korea Co., Ltd. (FedEx), United Parcel Service Korea Co., Ltd. (UPS), SF Express | Reward or product delivery |
| Google Cloud | Infrastructure operation for service provision |
| Oracle Cloud | Infrastructure operation for product delivery |
| Microsoft (Clarity), Thinking Data | Web analytics/behavioral analysis |
| Mailgun | Email delivery (cross-border transfer) |
| NHN Cloud | Email and SMS delivery |
| Google LLC (Firebase) | App usage behavior analysis (Analytics), push notification delivery (Cloud Messaging), crash analysis (Crashlytics), remote configuration (Remote Config) |
② Cross-border Transfer: Pursuant to Article 28-8 of the 「Personal Information Protection Act」, the Company transfers personal information overseas as follows.
| Transferee | Transferred Items | Destination Country | Transfer Date/Time and Method | Purpose of Use | Retention Period |
|---|---|---|---|---|---|
| Google LLC (Firebase) | Advertising identifier, device information, app event logs, PUSH token | United States and other countries where Google data centers are located | HTTPS network transmission upon service use | App usage analysis, push notification delivery, crash analysis | Until the end of the entrustment contract or membership termination |
| Mailgun (Sinch) | Email address, email body | United States | HTTPS transmission upon email delivery | Email delivery | Until the end of the entrustment contract or membership termination |
③ When entering into an entrustment contract, the Company specifies the following items in the contract or other documents in accordance with Article 26 of the 「Personal Information Protection Act」 and supervises whether the trustee safely manages and processes personal information.
① Members may exercise the following rights related to personal information protection with the Company at any time.
② Members may exercise their rights under Paragraph 1 by written notice, telephone, email, fax, or other means to the Company, and the Company shall take action without delay.
③ If a member requests correction or deletion of errors in their personal information, the Company shall not use or provide such personal information until the correction or deletion is completed.
④ If a member is a child under the age of 14, the legal representative may request access to the child's personal information from the Company.
⑤ Members shall not infringe upon the personal information or privacy of themselves or others processed by the Company in violation of the 「Personal Information Protection Act」 or other relevant laws and regulations.
① When personal information becomes unnecessary due to the expiration of the retention period, achievement of processing purposes, etc., the Company shall destroy the relevant personal information without delay.
② If the retention period of personal information consented to by the member has expired or the processing purpose has been achieved, but the personal information must continue to be preserved under other laws, the relevant personal information shall be transferred to a separate database (DB) or stored in a different location.
③ The procedures and methods for destroying the member's personal information are as follows.
① The Company does its best to safely manage members' personal information and protects personal information at a level above that required by the 「Information and Communications Network Act」 and the 「Personal Information Protection Act」 in accordance with the methods prescribed in this Article.
② The Company manages the employees who handle personal information to the minimum extent and continuously emphasizes that the protection of members' personal information is the most important value through regular and occasional training for personal information handlers.
③ To prevent leakage and damage of personal information by hacking, computer viruses, etc., the Company installs security programs, conducts periodic updates and inspections, installs systems in areas with controlled external access, and monitors and blocks them technically and physically.
④ The Company stores documents containing personal information, auxiliary storage media, etc., in a secure location with locking devices.
⑤ The Company maintains a separate physical storage location for personal information and controls access to it.
① If there are any additions, deletions, or modifications to the content of the Privacy Policy, the Company will announce the revised content through the site or app at least 7 days prior to the effective date of the revised Privacy Policy.
② If there are significant changes to members' rights, such as provision to third parties in relation to the processing of personal information, the Company will announce the revised content through the site or app at least 30 days prior to the effective date of the revised Privacy Policy.
When the Company transfers personal information to another party due to the transfer or merger of all or part of its business, it must notify the relevant member in advance of the following matters by means such as notification, communication, or announcement.
The Company installs and operates cookies to provide personalized services to users. The purpose of using cookies and matters concerning refusal are as follows.
A cookie is a small piece of information sent by the server used to operate a website to the user's computer browser and stored on the user's computer.
Cookies are used to analyze user access frequency and visit times, understand usage patterns and areas of interest, track user activity, gauge participation in various events, and determine visit counts, in order to provide personalized services such as targeted marketing.
Users have the option to choose whether to install cookies. Through browser-specific options, users can allow or refuse all cookies, or set their browser to prompt for confirmation each time a cookie is stored. Methods for specifying cookie installation permissions are as follows.
Allowing/Blocking Cookies in Web Browsers
Allowing/Blocking Cookies in Mobile Browsers
However, if you refuse to save cookies, you may experience difficulties using certain services, such as those requiring login.
The Company may collect and use the advertising identifier provided by the mobile OS for behavioral information analysis and personalized advertising. Users may refuse by the following methods.
The Company processes automatically collected information through the following SDKs. The retention/use period and cross-border transfer of each item follow Article 5.
MakeStar
The Company requests the following access permissions on the user's device to provide mobile app services. Even if optional permissions (other than required permissions) are refused, service use is not restricted except for the corresponding features.
| Category | Permission | Purpose of Use | Effect of Refusal |
|---|---|---|---|
| Required | Notifications | Receiving push notifications for order/payment/delivery status, event/announcements, marketing information (for consenting users) | Cannot receive push notifications |
| Optional | External Storage Read/Write (Photos/Media/Files) | Upload profile photos/inquiry attachments, save downloaded content | Cannot use the corresponding features (image attachment, file storage) |
| Optional | Camera | Take profile photos instantly, recognize QR/barcodes (event entry, prize verification, etc.) | Cannot use camera-based features (album attachment still possible) |
| Optional | Microphone | Voice input when recording artist support videos/voice messages | No audio recorded during video recording |
| Optional | NFC | NFC tag recognition for offline event/fan meeting entry, membership/goods authenticity verification | Cannot use NFC-based authentication/check-in features |
| Optional | Installed Apps List (QUERY_ALL_PACKAGES) | Verifying installation of linked apps (bank apps, SNS, etc.) for payment/sharing/external authentication, detection of fraudulent payments/automation tools | External apps cannot be automatically launched (manual entry workaround possible) |
▶ How to Withdraw Access Permission Consent
You can withdraw previously granted permissions at any time through your device's OS settings.
Android 6.0 or higher
[Settings] → [Applications] → [MakeStar] → [Permissions] to revoke each permission individually.
Android below 6.0
Due to OS limitations, individual permissions cannot be revoked, so we recommend one of the following methods.
iOS
[Settings] → [MakeStar] → toggle each permission item (Photos, Camera, Microphone, Notifications, NFC, etc.) to revoke.
※ After revoking permissions, you must consent to permission re-requests within the app to use features that require those permissions.
Poca Album
The Company requests the following access permissions on the user's device to provide the Poca Album app service. Even if optional permissions (other than required permissions) are refused, service use is not restricted except for the corresponding features.
| Category | Permission | Purpose of Use | Effect of Refusal |
|---|---|---|---|
| Required | Notifications | Receiving push notifications for feed alerts, event/announcements, marketing information (for consenting users) | Cannot receive push notifications |
| Optional | External Storage Read/Write (Photos/Media/Files) | Upload Poca (photocard) images, attach photos stored in the album, save downloaded content | Cannot use photo upload/storage features |
| Optional | Camera | Take photocards instantly, take profile photos | Cannot use camera-based features (album attachment still possible) |
| Optional | Microphone | Voice input when attaching feed videos, voice memo feature | No audio recorded during video recording |
| Optional | NFC | Offline event entry, goods authenticity verification, and other near-field recognition-based features | Cannot use NFC-based authentication features |
| Optional | Installed Apps List (QUERY_ALL_PACKAGES) | Verifying installation of SNS/messenger apps for sharing features, detection of fraudulent behavior (automation tools, etc.) | External apps cannot be automatically launched (manual entry workaround possible) |
▶ How to Withdraw Access Permission Consent
You can withdraw previously granted permissions at any time through your device's OS settings.
Android 6.0 or higher
[Settings] → [Applications] → [Poca Album] → [Permissions] to revoke each permission individually.
Android below 6.0
Due to OS limitations, individual permissions cannot be revoked, so we recommend one of the following methods.
iOS
[Settings] → [Poca Album] → toggle each permission item (Photos, Camera, Microphone, Notifications, NFC, etc.) to revoke.
※ After revoking permissions, you must consent to permission re-requests within the app to use features that require those permissions.
① The Company designates a Personal Information Protection Officer as follows to oversee all matters related to personal information processing, handle complaints from data subjects regarding such processing, and provide remedies for damages.
Personal Information Protection Officer
Name: Jongmyeong Oh
Phone: +82-70-5055-6068
E-MAIL: oh@makestar.com
② Users may contact the Personal Information Protection Officer regarding all inquiries, complaint handling, and damage relief related to personal information protection arising from the use of the Company's services (or business). The Company shall respond to and process user inquiries without delay.
Data subjects may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency's Personal Information Infringement Reporting Center, etc., to seek remedies for personal information infringement. For other reports or consultations regarding personal information infringement, please contact the following institutions.
This amended Privacy Policy shall take effect on May 29, 2026.
The previous Privacy Policy (effective February 12, 2026) shall cease to have effect upon the effective date of this amendment.