1. What type of information does Pearl Abyss collect, and how? 

The Company collects the following personal information when users sign up, use provided services, create data, edit account information, and through phone calls, faxes, customer support, event participation, partnered companies, and other methods.  
1) Information provided by users 

① Information collected to register an account for Black Desert Mobile: 

 - Social login: social login identifier  

 - Date of birth 

※ Only members who have previously registered their accounts with Facebook or X (formerly "Twitter") have their respective social login identifiers processed. The Company no longer provides said platforms as account registration methods; thus, related social login identifiers will not be collected.  

② Information collected to create a secondary password 

- Email address 

- Secondary Password 

③ Information collected to provide additional services 

- Purchase: Purchase history (Date of purchase, purchased items, order number, charge) 

※ Detailed information required during the payment process (credit card, bank transfer, simple payment service, etc.) is collected directly by the payment service provider. 

- Customer support: Contact information for customer support and information required to process inquiries 

- Events and promotions: Information required for the event and promotion, including name and address 

- Gift delivery: Name, address, email address, contact information 

- Pre-registration and related notices: Email address 

- Announcements and various notifications: Email address 

- Tax Reporting and Processing: Information specified as necessary for tax-related reporting according to the laws of each country, including a serial number  

2) Information automatically collected while using the Services 

- IP address, gameplay and service history, game version information, unauthorized gameplay records, purchase history, cookies, mobile device information (model, OS information, advertising ID, etc.) 

2. What is the legal basis for Pearl Abyss to process personal information? 

The Company complies with the legislation of the region where the users reside, and processes personal information in accordance with the following legal bases. The applicable legal bases depend on various circumstances, including but not limited to the type of information collected, the circumstances of collection, the services used, and the user’s location (IP address or country settings of the device). The Company complies with the following bases to process users’ personal information in a lawful and transparent manner. 

1) Fulfillment of contract  

Processing user information in order to allow users to create accounts or provide and operate essential features for the service based on the contractual relationship with users is based on the fulfillment of said contract.  

2) Legitimate interest  

The Company may process user information when it is determined that the pursuit of legitimate interests of the Company or a third party overrides the rights of privacy and freedoms of the user. This includes achieving the legitimate operational purposes of the Company, such as protecting the integrity of the services, maintaining fairness, and enhancing security. 

3) Compliance with legal obligations 

The Company processes user information to comply with relevant legal obligations of each country, such as retention of personal information or submission of said information to relevant authorities. 

4) Protection of vital interest of users 

The Company may process user information to protect the life, body, and safety of said user or other individuals as an emergency measure. 

5) Consent  
The Company obtains separate consent from users in order to process information that requires explicit consent prior to processing under applicable laws. 

※ The Company is committed to identifying the optimal legal basis and process personal information accordingly in jurisdictions where specific legal basis stated above is not recognized as legitimate under applicable laws of each country of service. 

3. Why does Pearl Abyss process personal information?   

The Company collects and uses information for the following purposes.   

1) To process the necessary data for providing services 

The Company processes necessary data for the following reasons in order to provide services based on the contractual relationship with users:   

- To support users’ account creation and use of service; 

- To provide products and operate services; 

- To provide information on use of service; 

- To settle payments for purchases and uses of paid services; 

- To fulfill the legal obligations under relevant laws and regulations. 

2) To provide better services to users 

The Company collects and processes necessary data for the following reasons in order to provide appropriate services to the users. The Company may analyze the collected data after anonymization for the purpose of service improvement: 

- To improve the services and features; 

- To set and manage registered user accounts, and update user profiles; 

- To maintain user settings and provide content 

- To respond and provide support to submitted user opinions or inquiries; 

- To provide updates and notices regarding Terms of Service changes, service disruptions, customer support, and security alerts for the services; 

- To operate programs and send prizes for events and promotions. 

3) To maintain safe and fair services 

The Company collects and processes necessary data for the following reasons in order to maintain safe and fair services:  

- To prevent and limit abusive and unauthorized use by malicious users;   

- To provide services to protect personal information;   

- To allow for a quality game experience across multiple devices;   

- To find bugs, errors, and provide solutions;   

- To analyze data in response to disputes. 

4)  To deliver targeted advertisements and marketing information 

- To track and analyze content accessed by users in relation to services and online behaviors; 

- To customize advertisements and offer tailored marketing and promotions; 

- To provide customized gaming services such as content and features tailored to the interests of individual users. 

4. Does Pearl Abyss share personal information with third parties? 

The Company may share personal information with third parties through due legal process if the user has given prior consent, if it is necessary to provide services, or to comply with applicable laws. 

1)  In the event the user consented in advance    

The Company informs users of the recipient, purpose, items, retention, and usage period before providing personal information to third parties and obtains prior consent as required by applicable laws. 

2) Information disclosed by the user within the service 

When users access services open to public, relevant information may be displayed for other users and the public. 

- Chats: in-game public chat will be displayed for other users; 

- Notices: minimum information of users will be displayed in public via notice on access restrictions or event winners. 

3) Business partners to whom work is outsourced 

The Company provides personal information to business partners to provide services without issue. The Company includes necessary provisions in the contract to ensure that personal information is processed safely.  

- Payment service providers: to process and receive results of payment; 

- Cloud service providers: to provide system infrastructure, data processing, and storage for service operation; 

- Event agencies: to conduct online and offline events, verify participants, and deliver prizes; 

- Marketing agencies: to conduct events and promotional campaigns, and send advertising information within the scope of user consent; 

- Customer support and security operation providers: To provide customer service, detect and prevent unauthorized activities, and enhance service security. 

4) In order to comply with applicable laws 

The Company provides data to investigative or public authorities by the due process of law to comply with legal obligations during the operation of the service.  

- Public authorities: to disclose data by the due process of law for the purpose of abiding by the law and protecting rights; 

- Investigative authorities: to provide data upon request in accordance with procedures defined by applicable law. 

5. How long does Pearl Abyss store personal information, and how is it deleted? 

1) Personal Information Retention and Deletion Period  

In principle, once the purpose for which the personal information was collected and used has been fulfilled (e.g., upon a user’s request for termination, or at the conclusion of a participatory event), the Company promptly deletes the relevant information. However, personal information is stored by the Company for a designated period before deletion in the following circumstances: 

① Retention according to internal Company policies  

- To minimize damages caused by identity theft, such as unintended account termination or unauthorized payments, the user’s personal information will be stored for 7 days after requesting account termination;  

- To prevent abusive and unauthorized use by malicious users, ban records will be stored. 

② Retention mandated by law 

- When retention of personal information is required under relevant legislations of each country 

2) Personal Information Deletion Method  

The Company destroys personal information printed on paper (e.g., printouts, written documents) by shredding or incineration, and information saved in the form of an electronic format is permanently deleted using irreversible methods. 

6. How does Pearl Abyss transfer personal information overseas? 

User data may be processed by Pearl Abyss and its affiliates, subsidiaries, or partners located around the world and may be transmitted to or stored in the cloud service region or IDC of the Company. 

Users can always reach Support or the personnel or department in charge of personal information and request discontinuance of overseas transfers of personal information. However, if personal information is no longer transferred, the user may experience some limitations when using our official website or game services.   
 

1) Notice for users residing in the European Economic Area (EEA) 

The Company complies with requirements from GDPR and is employing the following measures to safely transfer data of users residing in the European Economic Area (EEA): 

- Implementation of adequate safety measures: implementation of adequate technological and management measures to protect users’ personal information (refer to ‘7. How does Pearl Abyss protect personal information?’ for details) 

- Transfer in accordance with the Adequacy Decision: safe data transfer without the need for additional authentication under the Adequacy Decision between the Republic of Korean and EU that ensures equal protection. 

- Implementation of Standard Contractual Clauses (SCCs): EU Standard Contractual Clauses ensure adequate protection when transferring data to non-EEA countries that are not under the Adequacy Decision. 

2) Notice for users residing in Japan   

- The Company provides the following information regarding data transfer to countries outside Japan in accordance with the Act on the Protection of Personal Information (APPI): 

- Countries of transfer: Republic of Korea, USA 

- Policies on privacy security of said countries: members of APEC Cross-Border Privacy Rules (CBPR) that has an international-level privacy security system (implemented) 
- Implementation of privacy security measures of the entrusted companies: major cloud service providers (MS Azure, AWS, etc.) to whom the Company entrust personal information processing with comply with all 8 OECD Privacy Principles and implement adequate and necessary security measures. 

7. How does Pearl Abyss protect personal information? 

The Company uses the following technological, management, and physical security measures to prevent data loss, theft, breach, alteration, and destruction of personal information of users. Nevertheless, in cases of unforeseen incidents, the Company will faithfully take necessary measures, including reporting to relevant authorities in accordance with applicable laws and cooperating with investigations. 

1) Technological Measures   

- Data encryption: files and data transfer encyptions in accordance with applicable laws and internal regulations 

- Limited access: file locks and security measures implemented on personal information processing database system to prevent unauthorized access 

- Defensive measures: all-time monitoring and operation of security devices (anti-virus programs, firewalls, etc.) to prevent leaks or destruction from hacking or viruses 

- Data restoration: regular personal information backup to prepare for unforseen incidents (damage, loss, etc.) 

2) Management Measures   

- Limited access: access rights to personal information limited to a minimum 

- Security training program:  

training program about privacy protection on a regular basis for personnel and consigned companies handling personal information 

- Designated department in operation: the department in charge of privacy protection has established and manages the Privacy Policy 

- Internal checkups and audits: regular checkups on internal regulations to rectify issues as soon as they are discovered 

3)  Physical Security Measures     

- Physical access restriction: physically separated location for physically stored personal information system, entry monitoring under established entry protocol 
- Safe storage: documents and other forms of information storage containing personal information stored in lockable facilities in safe locations 

8. What personal information is automatically collected? 

1)Definition and usage of cookies 

Cookies are temporary files stored in the user’s computer, containing data created when accessing websites. The Company uses “cookies” to track users’ language settings and verification information, store user setting information to provide personalized services, and create a more user-friendly website environment.  

Additionally, the Company uses cookies to collect overall statistics about the websites’ users to analyze tendencies, manage the website, and to understand how our websites are used.  

① How to block PC web browser cookies from being saved  Chrome: Go to [⋮] at the top-right of the browser → [New Incognito window] (Shortcut: Ctrl+Shift+N)     
Microsoft Edge: Go to […] at the top-right of the browser → [New InPrivate window] (Shortcut: Ctrl+Shift+N)    
② How to block mobile web browser cookies from being saved  
Chrome: Go to [⋮] at the top-right of the browser → [New Incognito tab]    
Safari: Settings > Apps > Safari > Advanced > Block All Cookies  
Samsung Internet: Tap the ‘Tab’ icon on the bottom of the browser > Activate Secret Mode > Turn on Secret Mode 

2) Information on weblog analysis service 

The Company uses Google Analytics as the external weblog analyzing tool to analyze the preferences and interests of the users. To block Google Analytics, please refer to the following page: 
- How to block Google Analytics:  https://tools.google.com/dlpage/gaoptout/ 

 
3) What is targeted advertising?  

The Company analyzes users’ online behavioral data based on advertising IDs to provide tailored services and benefits (including advertisements) that suit each user’s needs. The Company is partnered with the following companies to collect and process behavioral data through the following methods: 

① Online advertisers providing targeted advertisement: Google, Meta (Facebook), X (Twitter)  
② Behavioral data collection method: Automatically collected when the user visits the official website or launches the application.  
③ How to block collection of Advertising ID  
- Android: Go to Settings – Google – Ads – Delete Advertising ID [See more]  
- IOS: Go to Settings – Privacy – Tracking – Turn off “Allow Apps to Request to Track” 

9. What rights and choices do users have pertaining to their personal information? 

Users are entitled to the right to view, edit, delete, restrict processing, withdraw consent, or refuse processing based on legitimate interest for their personal information, and the Company protects the rights of the users. Users can contact Customer Support or the department in charge of privacy protection to exercise their rights. The Company may deny user requests to exercise their rights on their personal information under circumstances specified by law. 

1) How to exercise user rights 

- Query or modify their personal information in Settings > Account in the game 

- Delete their accounts in Settings > Account > Delete Account 

- Submit an inquiry to Support or the department in charge of privacy protection 

※ The Company may deny user requests to exercise their rights (deletion, process restriction, etc.) under circumstances specified by law.   

2) Privacy rights of users residing in the European Economic Area (EEA) 

Users residing in the European Economic Area (EEA) have the following additional rights relating to personal information, but their effectiveness and procedures may be determined in accordance with the laws of individual countries.   

- The right to contact the supervisory authority 

3) Privacy rights of users residing in California  

Under the California Consumer Privacy Act (CCPA), users residing in California have the right to request the following information from the Company.  

- A list of personal information disclosed to any third party for direct marketing purposes within the last 12 months 

- Information that identifies any such third party(ies) 

The Company does not sell personal information for direct marketing purposes. For policies regarding the processing and use of personal information for other marketing purposes, please refer to Section 3. 4) “To deliver targeted advertisements and marketing information.” 

10. Is there an age restriction for using the service? 

1)  Account registration   

The Company does not knowingly collect or solicit personal information from users defined as "Children" under the applicable privacy laws of their country of residence, nor does it permit them to use its services. For the purposes of this policy, "Children" refers to users:   
Under the age of 13 in the United States and Canada;   
Under the age of 16 in the European Union (or a lower age of digital consent, if provided by the law of an individual member state in accordance with the GDPR);   
Under the age of 18 in Brazil; and   
Under the age defined by any other applicable national privacy laws.   

Children must not submit their personal information to the Company. If the Company learns that it has collected personal information from a Child, it will take prompt steps to delete such data. 

Please ensure that Children do not provide their personal information to the Company. If you become aware that the Company has collected or retains the personal information of a Child, please notify the Company immediately. 

2) Game Play  
- The age limit for the use of game services is set according to the game rating authorized in each service area. 

11. How do you contact Pearl Abyss? 

If any questions about personal information protection should arise, please contact the department in charge of personal information. The Company will provide prompt and sincere guidance. 

Department in charge of personal information  
Department: Information Security Division  
Email: privacy@pearlabyss.com  

1) Company Information in charge of personal information protection in Europe 

If you are residing in Europe, you may inquire about your personal information through the following contact information. 

Company in charge of personal information protection: Pearl Abyss Corp.    

Address: 48 Gwacheon-daero 2-gil, Gwacheon-si, Gyeonggi-do, 13824, Rep. of Korea 

Email: dpo@pearlabyss.com  

2) Agency information in Europe 

VeraSafe has been appointed as PEARL ABYSS's representative in the European Union for data protection matters, pursuant to Article 27 of the General Data Protection Regulation of the European Union. If you are in the European Economic Area, VeraSafe can be contacted in addition to dpo@pearlabyss.com, only on matters related to the processing of personal data. To make such an inquiry, please contact VeraSafe using this contact form: https://verasafe.com/public-resources/contact-data-protection-representative or via telephone at: +420 228 881 031 

VeraSafe Czech Republic s.r.o  

Rohanské nábřeží 678/23  

Prague 8, 18600  

Czech Republic 

 
VeraSafe Netherlands BV  

Keizersgracht 555  

1017 DR Amsterdam  

Netherlands 
 
VeraSafe Ireland Ltd. 

Unit 3D North Point House 

North Point Business Park 

New Mallow Road 

Cork T23AT2P 

Ireland 

Addendum 

This policy shall enter into force starting March 31, 2026.