Refundly Privacy Policy
Effective date: 30 June 2026
Refundly, a company incorporated in the Republic of Korea (the “Company”), protects the personal data of users of Refundly (the “Service”) in accordance with applicable law and establishes and discloses this Privacy Policy to handle related grievances promptly and smoothly.
The Company is incorporated in the Republic of Korea and is subject to the Personal Data Protection Act (PIPA); for users resident in Vietnam, Thailand or Singapore, the relevant data-protection law of that country (as identified in Sections 6, 7 and 11) may also apply.
1. Categories of Personal Data Processed
The Company collects and processes the following personal data and does not process the personal data of children under 16 years of age:
•On membership registration (mandatory): email address, password (stored encrypted);
•On linking a Member exchange UID (mandatory): exchange name, the relevant exchange UID, and the relevant exchange’s futures trading history (date/time, volume);
•On non-member Payback use (mandatory): exchange name, the relevant exchange UID, and the relevant exchange’s futures trading history (date/time, volume);
•Automatically generated/collected: IP address, browser type, language, Service usage records (access date/time and visit records; Payback/Reward accrual, application and withdrawal records, etc.), device information (model, OS name and version), cookies;
•On surveys or feedback via email or other channels: items necessary for the relevant survey or feedback.
The Company does not collect exchange API keys, withdrawal permissions or wallet private keys, and does not directly hold or handle Users’ digital assets.
2. Processing and Retention Period
The Company deletes and destroys collected information without delay, even absent a separate request, when a User withdraws or loses user status. However, the following are retained for the periods stated:
(a) where an investigation or inquiry for violation of law is in progress: until conclusion of that investigation or inquiry;
(b) where claims and obligations arising from use of the Service remain: until settlement is complete;
(c) the email address, to prevent re-registration with the same email: until termination of the Service;
(d) Payback/Reward accrual, application and withdrawal records: for five (5) years (with identifying information such as UID masked from the date of the withdrawal request);
(e) where applicable law specifies a retention period: for the period specified by that law.
3. Purposes of Processing
•verifying intent to register, maintaining and managing Member status, preventing misuse of the Service, and various notices;
•detecting and preventing fraud and loss of funds, and protecting accounts;
•providing the Service, including accrual, settlement and payment of Payback and Reward;
•providing Service communications such as security notices and updates;
•providing customer support, including handling enquiries and disputes;
•ensuring network and information security (verifying identity and access, countering malware and security risks, complying with security law);
•improving Service content and layout and developing new services;
•marketing and advertising (email, SMS, etc.) only to Users who have consented to receive it.
4. Provision to Third Parties
The Company provides personal data to third parties only with the User’s consent or where there is a special provision in applicable law. Where provision is necessary, the Company gives prior notice of the recipient, purpose, items and retention/use period and obtains consent.
5. Entrustment of Processing
The Company may entrust the following operations to external parties for smooth provision of the Service, and will disclose the trustees and entrusted operations in this Policy and conclude relevant agreements to ensure personal data is managed securely:
•cloud infrastructure (server / data storage) operation;
•email and notification delivery;
•customer-support and enquiry tools.
Specific trustees and entrusted operations are as set out in the finalised list of trustees, and changes will be disclosed through this Policy.
6. Cross-Border Transfer of Personal Data
As the Company is incorporated in the Republic of Korea, it processes personal data principally within the Republic of Korea. Where the Company uses overseas cloud providers or trustees and transfers personal data abroad, it gives prior notice of the recipient, purpose, items, destination country and retention/use period and obtains consent or secures another lawful basis, in accordance with applicable law. The Company may in future transfer its operating entity or infrastructure abroad, including to the Dubai International Financial Centre (DIFC), and will follow the lawful procedures required by applicable law.
6.1 Korea (PIPA)
For users resident in the Republic of Korea, cross-border transfer is carried out with prior notice and consent (or another lawful basis) under the Personal Data Protection Act.
6.2 Vietnam (Law No. 91/2025/QH15)
For users resident in Vietnam, personal data is transferred to the Company’s location (Republic of Korea) and infrastructure. Under Vietnam’s Law on Personal Data Protection, the Company prepares and retains a Transfer Impact Assessment Dossier and submits it to the competent authority (A05) as required — a particularly important obligation for this Service.
6.3 Thailand (PDPA)
For users resident in Thailand, the Company ensures that the recipient country/entity provides an adequate level of protection or secures appropriate safeguards such as standard contractual clauses under the PDPA, with particular care for sensitive data such as identity documents.
6.4 Singapore (PDPA)
For users resident in Singapore, the Company ensures, in accordance with the Transfer Limitation Obligation under the PDPA, that the recipient provides a standard of protection comparable to the PDPA by contract or other means.
7. Rights of Data Subjects and How to Exercise Them
(a) Users may exercise the rights afforded by the applicable data-protection law, namely:
•Korea (PIPA): access, correction/deletion, suspension of processing, and withdrawal of consent;
•Vietnam (Law No. 91/2025/QH15): withdrawal of consent, access, correction, deletion, restriction of processing, objection, and request for provision of data;
•Thailand (PDPA): access, correction, deletion, restriction of processing, data portability, objection, and withdrawal of consent;
•Singapore (PDPA): access and correction, and withdrawal of consent.
(b) Rights may be exercised through a legal representative or a duly authorised agent, in which case a power of attorney evidencing the authorisation must be submitted.
(c) Rights may be exercised by contacting the Data Protection Officer (or responsible department) set out in Section 10, by email or otherwise; the Company will act without delay, although some rights may be restricted under applicable law.
(d) A request to suspend processing or withdraw consent may mean the Company can no longer provide the Service, in which case the Use Agreement may be terminated.
(e) Where the User is a child, the Company obtains the consent of a legal representative as required by applicable law; the Company does not, as a rule, process the personal data of children under 16.
8. Cookies and Automatic Collection
(a) The Company uses cookies to provide tailored services. Cookies are used to analyse access frequency and visit times, identify usage patterns, verify secure access, improve the Service, and provide tailored services and advertising.
(b) Users may refuse the storage of cookies through browser settings, but this may cause difficulty in using parts of the Service.
9. Destruction of Personal Data and Security Measures
(a) The Company destroys personal data without delay when it becomes unnecessary, such as upon expiry of the retention period or achievement of the processing purpose. Electronic files are destroyed by technical means that prevent recovery, and printed materials are shredded or incinerated.
(b) The Company takes the following measures to ensure the security of personal data:
Administrative: establishing and implementing an internal management plan and conducting regular staff training;
Technical: encryption of personal data, access-rights management, retention of access logs and prevention of forgery/alteration, and technical measures against hacking;
Physical: access control of server rooms and data storage rooms.
10. Data Protection Officer and Responsible Department
The Company designates a Data Protection Officer and responsible department to take overall responsibility for the processing of personal data and to handle enquiries, complaints and remedies relating to personal data protection:
•Data Protection Officer: (name / title)
•Responsible department: (department name)
•Contact: (email / telephone)
11. Remedies for Infringement and Supervisory Authorities
Users may contact the competent supervisory authority of their country of residence:
•Korea: Personal Information Protection Commission (PIPC); the Privacy Infringement Report Centre (KISA, 118) and the Personal Information Dispute Mediation Committee are also available;
•Vietnam: the Ministry of Public Security and the Department of Cybersecurity and Hi-Tech Crime Prevention (A05);
•Thailand: the Personal Data Protection Committee (PDPC) and its office;
•Singapore: the Personal Data Protection Commission (PDPC).
12. Changes to this Privacy Policy
The Company may amend this Policy to reflect changes in law or the Service. The Company will post any changes at least seven (7) days before the effective date; where there is a material change to users’ rights, such as a change to the categories of personal data collected or the purposes of use, the Company will give notice at least thirty (30) days in advance.
This Privacy Policy takes effect on 30 June 2026.