Last updated: 2026.05.25
FANVERSE.ONE (the "Service") is operated by TAEON Branding Agency Pte. Ltd., a company incorporated in Singapore (the "Company"). We treat your personal information with great care and process it in compliance with the Singapore Personal Data Protection Act (PDPA), the Korean Personal Information Protection Act, the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable laws of your country of residence. This Privacy Policy explains what information we collect, how we use, store, and transfer it, and how you can exercise your rights.
We collect the following information in order to provide the Service. [Required — at email signup] · Email address (used as login ID) · Password (stored only as a one-way bcrypt hash; the plaintext password is never stored) · Nickname · Country code · Preferred language (ko / en / ja) · Invitation code (auto-generated) and referrer information (if applicable) [X (Twitter) OAuth signup / link] · X account ID (x_user_id, numeric OAuth ID) · X username / handle (@handle) · X display name · X profile image URL · Email address (only if you consent on X's side) This information is received from X during the official X OAuth flow with your explicit consent. We do NOT receive your X password. [Optional — when verifying missions] · Profile photo (uploaded or synced from X) · Twitter (X) handle (for email signup users who add it manually), Genie user ID · Email addresses associated with music-platform accounts (Spotify, iTunes, Amazon Music, 7digital, Qobuz, etc.) used for verification · Images of music-purchase receipts · LinkPick pick data: picked tracks, per-track one-line message (max 280 chars), default share message · Bank-account information (account holder name, bank name, account number) — collected only from Members who request Point cash-out [Automatically collected — General] · Access IP address, access timestamp, User-Agent, device and OS information, referrer · Service usage logs (page views, mission completions, Campaign participation, draw results) · Login-attempt history, bot/macro detection logs, fraud-detection logs · Cookies and session identifiers (language preference, login session, etc.), referral cookie (30 days) · Push-notification subscription information (VAPID endpoint, device token) [Automatically collected — LinkPick click tracking] · Click timestamp, target platform (Spotify / Apple / YouTube / Melon, etc.) · Visitor country (stored as 2-letter ISO code only — obtained from the Cloudflare CF-IPCountry header or via an ip-api.com lookup that returns only the country code) · Device type (mobile / tablet / desktop / bot) · The IP address itself is not stored; only its SHA-256 hash is retained (not personally identifiable, used solely to detect repeated visits from the same IP for abuse prevention). · Referral code (ref) and referrer user_id · User-Agent (for analytics and bot detection) [Automatically collected — Google Analytics (GA4)] · Page views and events (smart-link views, platform clicks, etc.) are sent to Google Analytics under an anonymous identifier.
We use the personal information we collect only for the following purposes: · Member identification, authentication, and prevention of fraudulent registration. · Operating the Service (missions, Campaigns, Entry Tickets, Points, draws, referrals). · LinkPick click/signup tracking and reward calculation. · LinkPick abuse prevention (IP cooldowns, daily/monthly caps, self-click and bot blocks). · Smart Link statistics (country / platform / device click distributions) for artist and content optimization. · Verification flows with external music platforms and social networks. · Automated verification of music-purchase receipts and screenshots using AI image analysis. · Sending push and in-app notifications (in the Member's chosen language). · Detecting and blocking fraudulent use (macros, multi-accounts, identity theft, VPN bypass). · Security monitoring, system-fault response, and dispute resolution. · Service-usage statistics and product improvement (including anonymous statistics via Google Analytics). · Limited marketing and event communications, only with the Member's prior consent.
As a general rule, we retain a Member's personal information until the Member withdraws from the Service, and we delete it immediately upon withdrawal. However, certain information may be retained for the following periods where required for Service operation or compliance with law: · Fraud-related records (macros, multi-accounts, abusive conduct): 1 year · Access logs / IP addresses / device information: 3 months (or up to 6 months where required by law) · LinkPick click logs (country / platform / device / IP hash / referral code): retained for 1 year for analytics and abuse prevention; afterwards only anonymous aggregate statistics are kept · LinkPick pick data (per-track messages): retained until Member withdrawal or until the Member unpicks the track · Referral cookie (ref): expires automatically after 30 days · Google Analytics data: retained according to Google's default retention period (up to 14 months), as anonymous identifiers only · Campaign participation, Entry Ticket, and Point transaction logs: up to 5 years for dispute resolution and accounting purposes (after identifying information has been removed or the records have been anonymized) · Referral relationships: until referral rewards have been fully settled · Push-notification subscriptions: deleted immediately upon unsubscription or withdrawal · Members inactive for more than one year: may be placed into a dormant state or deleted following prior notice
We do not, as a general rule, share personal information with external parties. Exceptions apply only in the following cases: · When the Member has given specific prior consent (for example, sharing winner contact details with a Campaign partner). · When required by law, or in response to a lawful request by an investigative authority. · When information has been irreversibly aggregated or anonymized for statistics or research. For Campaign winners, the minimum information required to operate the event (such as nickname, email, and contact details) may be shared with partners (agencies, artist companies, etc.), but only with the Member's prior consent.
We rely on certain external providers to operate the Service. Each provider processes data in accordance with its own privacy policy. · Hosting infrastructure (web/database servers): United States (Arizona) · Data backups: United States (Boston) · Image and media storage and delivery (CDN): Bunny.net — Storage Zone located in Germany (Frankfurt) · Music streaming and purchase verification: Melon, Genie, YouTube, iTunes / Amazon Music, etc. — Members submit verification material themselves; we do not automatically transmit Member credentials to these platforms. · Twitter (X) OAuth login: when signing up / logging in via X, we receive the X user ID, handle, display name, and profile image URL through X's official OAuth 1.0a flow. Your X password is never transmitted to us. · Social-media mission verification: Twitter (X) — Members submit tweet links, and we look up the public tweet metadata. · AI receipt / image analysis: Anthropic Claude API (United States) — uploaded purchase-receipt or screenshot images may be transmitted for automated OCR and validation. · Country detection (LinkPick click tracking): when the Cloudflare CF-IPCountry header is available, no external call is made; otherwise the visitor IP is sent to ip-api.com (United States) to retrieve only the 2-letter country code (the IP itself is not stored externally). · Analytics: Google Analytics (GA4) — anonymous identifiers used for page views and events (Google, United States). · Push notifications: messages are routed through W3C Web Push (VAPID) to the browser/OS push services (Google FCM, Apple APNs, Mozilla, etc.) used by your device.
Because the Service is operated globally, your personal information may be stored or processed in the following jurisdictions: · Application servers: United States (Arizona) · Backup data: United States (Boston) · Image CDN: Germany (Frankfurt, Bunny Storage) · Images sent to the AI analysis API: United States (Anthropic Claude) · Country lookup API (LinkPick): United States (ip-api.com) — only the IP is sent; only the country code is returned and stored · Analytics: United States (Google Analytics) — anonymous identifiers for page views and events only · Push-notification messages: infrastructure of the push service operator used by your browser or OS (Google, Apple, Mozilla, etc.) The categories and purposes of information transferred are the same as those described in this Privacy Policy. By agreeing to this Privacy Policy at registration, you consent to the above international transfers. If you do not agree to such transfers, you may not be able to register or use certain features of the Service.
We apply the following technical and organizational measures to protect your personal information: · One-way password hashing using bcrypt — even the Company cannot read your plaintext password. · LinkPick visitor IPs are stored only as SHA-256 hashes (raw IP is never stored) — usable only for abuse detection, not for any other purpose. · HTTPS/TLS encryption end-to-end. · CSRF tokens and XSS hardening, with input validation. · Restricted administrator access and audit logging. · Bot/macro detection systems and blocking of abnormal traffic. · Periodic security reviews and vulnerability response. · Encryption and access controls for backup data.
We use cookies and local storage to maintain login sessions, remember language preferences, and analyze service usage. · Strictly necessary cookies: session identifiers and security tokens (CSRF). Disabling these prevents use of the Service. · Functional cookies: language preference (ko/en/ja), UI settings. Disabling these limits convenience features. · Analytics cookies: anonymous usage statistics (you may opt out). You can refuse or delete cookies through your browser settings, but blocking strictly necessary cookies will prevent core features such as login from working.
You may exercise the following rights at any time: · The right to access your personal information. · The right to correct or supplement inaccurate information. · The right to request deletion of your personal information (except where retention is required by law). · The right to request restriction of processing. · The right to withdraw membership, which results in immediate deletion of registration information. · The right to withdraw consent (for marketing communications, push notifications, etc.). · (EU/EEA Members under GDPR) The right to data portability and the right to object to automated decision-making. · (California Members under CCPA) The right to opt out of the sale or sharing of personal information. You may exercise these rights via the in-Service profile/settings screens or by emailing privacy@fanverse.one. After verifying your identity, we will respond without undue delay (in principle within 30 days).
We do not knowingly allow children under 14 (under Korean law) or under 13 (under the U.S. Children's Online Privacy Protection Act, COPPA) to register without verifiable parental consent. Where applicable law requires parental consent for minors, the Company may take additional verification steps or cancel the registration of a Member identified as a minor.
When this Privacy Policy is amended, the Company will post the reasons for the change and the effective date in the in-Service notices at least seven (7) days in advance, or at least thirty (30) days in advance for material changes. If a Member continues to use the Service after the effective date without giving notice of refusal, the Member is deemed to have agreed to the amended policy.
· Operator: TAEON Branding Agency Pte. Ltd. (Singapore) · Data Protection Officer: FANVERSE.ONE Operations Team · Privacy inquiries: privacy@fanverse.one · General inquiries: hello@fanverse.one You may use the above contacts to file privacy-related inquiries, complaints, or access/correction/deletion requests. If you are not satisfied with our response, you may also lodge a complaint with the data-protection authority of your country of residence.
Operator: TAEON Branding Agency Pte. Ltd. (Incorporated in Singapore) Service: FANVERSE.ONE General inquiries: hello@fanverse.one · Privacy: privacy@fanverse.one
This Privacy Policy was first established on January 25, 2026 and revised/effective from May 25, 2026. Key revisions: added LinkPick click-tracking categories (country, device, IP hash); listed new external services (ip-api.com, Google Analytics); clarified Bunny CDN (Germany) and the IP-hash storage policy.
When the Terms or Privacy Policy is revised, prior versions are archived below. Click any version to view the document as it stood at that time.