WEXVR
PRIVACY NOTICE
White Exchange S.r.l. (WHTEXCH)
Effective date: 11 May 2026
About this Notice
This Privacy Notice (the “Notice”) explains how White Exchange S.r.l., an Italian company with registered office at Via Durini 25, 20122 Milan, Italy, VAT and tax code No. 12380700968 (“WHTEXCH”, “we”, “us”, or “our”), processes personal data in connection with the WEXVR service (the “Service”), including www.wexvr.com and the WEXVR application made available within the Meta Horizon ecosystem on compatible Meta Quest headsets.
This Notice is addressed to individuals who interact with WEXVR, including visitors, registered users, purchasers of paid Content, support contacts, complainants, reporters, and persons identified in notices or moderation workflows. Channel Owners (professional creators) are also covered to the extent personal data of their authorised representatives is processed.
Data controller, DPO, and contact details
Data controller: White Exchange S.r.l., Via Durini 25, 20122 Milan, Italy. VAT/Reg. No. 12380700968.
Data Protection Officer: Francesca Valenti — dpo@whtexch.com. The DPO contact has been notified to the Italian Garante under Article 37(7) GDPR.
Privacy and rights requests: dpo@whtexch.com.
Authorities and legal: whtexchsolutionssrl@legalmail.it (PEC).
Personal data we process
The categories of personal data we process depend on how you interact with the Service. We typically process:
Account and identity data: name (where provided in the user name), email, country, language, customer-support history, account status, Channel Owner representative details where applicable.
Authentication and security data: Magic-link or passwordless sign-in records, session tokens, IP address, user-agent, approximate sign-in location derived from IP, security logs, anti-abuse and anti-fraud indicators.
Transaction and Entitlement data: transaction identifiers, purchase status, product / title purchased, view count, access period, scheduling window, currency, applied taxes, refund status, dispute status, billing descriptors. We do not store full payment-card details, which are processed by Stripe and other providers within their secured environments.
Usage, viewing, and engagement data: Unlocked titles, watch history, playback events, likes, comments, follows/followers, timestamps, content-interaction history, and related service-usage events.
Moderation and report data: notices, reports, evidence, complaints, statements of reasons, internal review notes, decisions, repeat-infringer records.
Communications: emails and messages exchanged with us (support, privacy, legal).
Disclaimer: Comments posted through the Service are public within the relevant user-facing surface. Likes and watch history are processed within the Service. Follow/follower relationships are not currently displayed to other users, but may be processed internally for service functionality, moderation, recommendation, and ranking.
Sources. Personal data is collected directly from you (registration, purchase, support, reports); automatically from your browser, app, and headset; from payment processors (Stripe and others).
Special categories. We do not intentionally collect special categories of personal data (Article 9 GDPR) or sensitive personal information (under U.S. state privacy laws). Where such data inadvertently appears in user-generated content or in support communications, we apply additional safeguards and do not use it for inference or profiling.
VR / immersive technology. The Service does not currently use eye-tracking, facial-recognition, biometric, or comparable inference signals to identify users or to profile them. Any device-level processing of such signals by Meta Quest hardware or operating system is governed by Meta’s privacy notices and the headset-level controls available to you. If we ever introduce immersive features that involve biometric or behavioural data, we will update this Notice and apply additional safeguards, including a Data Protection Impact Assessment (DPIA) under Article 35 GDPR, before deployment.
Purposes, lawful bases, and balancing tests
Where the GDPR / U.K. GDPR applies, the cited lawful bases are those of Article 6 GDPR (and Article 9 GDPR where special-category data is involved). For each Article 6(1)(f) (legitimate interests) basis below, WHTEXCH has performed and documented a legitimate-interest assessment (LIA), available on request to dpo@whtexch.com.
| Purpose | Description | Lawful basis |
|---|---|---|
| Service delivery | Account creation, authentication, processing purchases, unlocking and managing Entitlements, customer service. | Performance of contract — Art. 6(1)(b) |
| Payments and billing | Processing payments, invoicing, refunds, chargebacks, dispute handling, accounting. | Performance of contract — Art. 6(1)(b); legal obligation — Art. 6(1)(c) |
| Anti-fraud, security, abuse | Fraud detection, anti-piracy, account-takeover prevention, scraping. | Legal obligation — Art. 6(1)(c); legitimate interests — Art. 6(1)(f) |
| Moderation and reporting | Receiving and processing notices and complaints; making moderation decisions; issuing statements of reasons; cooperating with trusted flaggers and authorities. | Legal obligation — Art. 6(1)(c) (DSA, AVMSD) |
| Compliance and authority cooperation | Compliance with DSA, AVMSD/TUSMA, AGCOM, GDPR, sanctions, tax laws; responding to authority orders. | Legal obligation — Art. 6(1)(c) |
| Communications | Transactional, security, billing, moderation, legal, and policy-change notices. | Performance of contract; legal obligation. |
| Recommendation and ranking | Using viewing and engagement data, including likes, follows, comments, and watch history, to improve in-service ranking, recommendation, discovery, and product integrity. | Performance of contract - Art. 6(1)(b); legitimate interests - Art. 6(1)(f) |
| Cookies and similar technologies | Strictly necessary cookies for authentication, fraud, security; analytics cookies subject to consent. | Strictly necessary: Art. 6(1)(b)/(f); non-strict: consent — Art. 6(1)(a) |
| Personnel and B2B Channel Owner relations | Payouts, contractual administration of Channel Owner relationship. | Performance of contract; legal obligation |
No marketing or behavioural advertising. We do not currently use personal data for direct marketing, profiling, cross-context behavioural advertising, or targeted advertising. We do not sell personal data within the meaning of any applicable U.S. state privacy law. If we change this position, we will update this Notice and obtain any consent required by applicable law before relying on the new processing.
Automated decision-making (Article 22 GDPR). Anti-fraud and anti-piracy controls may use automated decision-making in respect of, for example, transaction declines or temporary account suspensions. Where such decisions produce legal effects or similarly significantly affect you, you have the right to obtain human intervention, to express your point of view, and to contest the decision. Substantive review is performed by trained staff of the WHTEXCH and Stripe.
No sale of personal data. We do not sell personal data within the meaning of any applicable U.S. state privacy law (including CCPA/CPRA, CPA, CTDPA, VCDPA, UCPA, TDPSA, and equivalents) and we do not share personal data for cross-context behavioural advertising. For state-specific disclosures and rights, see the U.S. State Privacy Rights Supplement.
Stripe and other payment processors
All Content on WEXVR is paid. Payments are processed by Stripe, Inc. and its affiliates and, where applicable, by other authorised processors, acquirers, or merchants of record.
Roles. Stripe processes personal data on our behalf as a data processor pursuant to Article 28 of the GDPR for the purpose of facilitating payment transactions. However, Stripe may also act as an independent data controller for certain processing activities, such as fraud prevention, anti-money laundering compliance, and other legal obligations. For more information on how Stripe processes personal data, please refer to Stripe’s Privacy Policy: https://stripe.com/en-it/privacy
When you make a payment on our website, certain personal data is processed by Stripe in order to complete the transaction. This may include:
Full name
Email address
Billing address
Payment method details (e.g., credit or debit card information)
Transaction amount and details
Payment data is transmitted directly to Stripe via a secure SSL-encrypted connection. We do not store full payment card details on our servers.
Recipients of personal data
We share personal data only with categories of recipients required for the purposes set out above, including:
hosting, cloud, content-delivery, transcoding, encryption, and security providers;
payment processors, billing, accounting, and tax providers (Stripe and others — see Section 5);
technical support, software maintenance, professional advisers, auditors, and external legal counsel;
authorities, courts, regulators, law-enforcement bodies, rights-holders, and other recipients where required by law or to protect rights, safety, or the integrity of the Service.
International transfers
WHTEXCH is established in Italy. Some recipients of personal data are established outside the European Economic Area, the United Kingdom, or Switzerland, including in the United States and other countries. Where transfers occur, we rely on the following safeguards under Articles 44–49 GDPR:
Adequacy decisions under Article 45 GDPR (e.g., EU-US Data Privacy Framework, where the recipient is certified; UK Adequacy Bridge for UK-EEA flows).
Standard Contractual Clauses (SCCs) adopted by Commission Implementing Decision (EU) 2021/914 (June 2021) for EEA transfers; the U.K. International Data Transfer Addendum (IDTA) for U.K. transfers; and the Annex on Switzerland to the SCCs for Swiss transfers.
A summary of the safeguards in place for a particular transfer is available on request to dpo@whtexch.com.
Retention
We retain personal data only for as long as reasonably necessary for the purposes for which it was collected, unless a longer retention period is required or justified by law, dispute risk, fraud prevention, or evidence preservation.
| Data category | Retention period | Basis |
|---|---|---|
| Account and Service data | Life of the account + 12 months after deletion | Contract; legitimate interests; legal limitation periods |
| Payment, accounting, invoice, tax, transaction records | Up to 10 years | Italian Civil and Tax Code (Art. 2220 c.c.; Art. 22 D.P.R. 600/1973) |
| Sign-in logs (Korean residents) | 6 months | Korean Network Act |
| Comments and engagement data | For as long as the relevant content remains available on the Service, and longer where required for moderation, legal claims, or evidence preservation | Comments are public within the relevant surface and may be removed or restricted ex post. |
| Moderation, report, complaint, statement-of-reasons records (DSA) | At least 6 months from decision; longer where ongoing investigation or limitation period requires | Article 24(5) DSA |
| Anti-fraud and chargeback records | Up to 13 months for Stripe / scheme disputes; longer for ongoing fraud investigations | Card-scheme rules; legitimate interests |
| Sanctions records | Up to 5 years from end of relationship | Italian D.lgs. 231/2007 |
| DPO file, RoPA, DPIAs, breach register | Indefinite (whilst processing continues) + 5 years thereafter | Accountability — Article 5(2) and Article 30 GDPR |
Deleting the WEXVR application from a device does not by itself delete your account, cancel a purchase, or erase backend records. We may require identity verification and the closure of open disputes or active Entitlements before finalising an account-deletion request, where applicable law allows.
Your privacy rights
Subject to applicable law, you have one or more of the following rights in respect of your personal data:
| GDPR | Rights | Descriptions |
|---|---|---|
| Art. 15 | Right of Access | Obtain confirmation of the existence of data processing activities, as well as access to the data, its origin, purposes, retention period, recipients, and methods used. |
| Art. 16 | Right to Rectification | Request the updating, rectification, or integration of Personal Data being processed by the Company. |
| Art. 17 | Right to Erasure | Request deletion of Personal Data when (i) it is no longer necessary for the purpose it was collected, (ii) consent is withdrawn, (iii) processing is unlawful, or (iv) law requires deletion. |
| Art. 19 | Right to Restriction of Processing | Request restriction of processing under specific conditions, allowing only storage or temporary limitation during verification processes related to other rights. |
| Art. 20 | Right to Data Portability | Obtain data in a commonly used, machine-readable format (e.g., Excel file) and transfer it to another data controller. |
| Art. 22 | Right to Avoid Automated Decisions | Request that data not be subjected to automated decision-making processes or confirm that such methods are not used. |
| Art. 7(3) | Right to withdraw consent | You can withdraw your consent at any time, where consent is the legal basis (without affecting prior lawful processing). |
| Artt. 13+77 | Right to File a Complaint |
Submit a complaint to the competent supervisory authority if you believe that the Company is processing data in violation of this policy or the law. For complaints to the Italian Data Protection Authority, use the following link: |
How to exercise your rights. Send a request to dpo@whtexch.com. We may need to verify your identity before acting on a request. Where you act through an authorised agent and applicable law allows it, we may require proof of authority. We respond within the time limits set by applicable law (in the EEA / UK, one month from receipt under Article 12(3) GDPR, extendable by two months for complex requests with notice). For U.S. state privacy laws, we follow the timing required by the relevant state law (typically 45 days, extendable). For California requests through an authorised agent, written authority and identity verification are required. Requests may be denied or limited where a legal exemption applies.
Universal opt-out signals. For U.S. state purposes, WEXVR honours the Global Privacy Control (GPC) signal as an opt-out preference where the relevant state law treats GPC as a recognised opt-out mechanism (California, Colorado, Connecticut, Texas, Oregon, and equivalent). Because WHTEXCH does not sell or share personal information for cross-context behavioural advertising, the operational effect of GPC is limited to confirming the no-sale / no-share posture.
Security
We implement technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure, including: access controls and multi-factor authentication for administrative access; key management; segregation of duties; vendor due diligence and DPAs; vulnerability and patch management; logging and monitoring; incident response procedures; staff training.
Cookies and similar technologies
WEXVR uses strictly necessary cookies and similar technologies to authenticate users, deliver Entitlements, prevent fraud, maintain session and platform security, and remember your preferences. Where required by ePrivacy law (Italian Codice Privacy and Italian Garante guidelines on cookies and other tracking tools, June 2021), we use a consent management mechanism for non-strictly-necessary cookies, with “accept all” and “reject all” options of equivalent prominence. The Cookie Notice published on www.wexvr.com lists the specific categories of cookies, retention periods, and third-party recipients. WHTEXCH does not use cookies for cross-context behavioural advertising.
Changes to this Notice
We may update this Notice from time to time to reflect changes to the Service, our processing activities, legal requirements, regulator guidance, payment-provider requirements, or security practices. Material changes affecting users will be notified through the Service or by other reasonable means with reasonable advance notice. The “Effective date” at the top of this Notice. Previous versions are available on request to dpo@whtexch.com.
Region-specific information
European Economic Area, Italy, and United Kingdom
If the GDPR or U.K. GDPR applies, you benefit from the rights described in Section 9. If you have a complaint about how we handle your data, you may contact our DPO at dpo@whtexch.com or lodge a complaint with the Italian Garante (www.gpdp.it) or the supervisory authority of your habitual residence. UK users may complain to the Information Commissioner’s Office (ICO, www.ico.org.uk).
Switzerland
If Swiss law (revFADP) applies, you may request information about the processing of your personal data and request correction of inaccurate personal data. WHTEXCH does not currently appoint a Swiss representative under Article 14 revFADP because the processing does not meet the cumulative conditions of regular processing of high-risk data; the position is reviewed periodically. Complaints may be addressed to the Federal Data Protection and Information Commissioner (FDPIC, www.edoeb.admin.ch).
Canada
If Canadian law (PIPEDA, Quebec Law 25, Alberta PIPA, B.C. PIPA, or other applicable provincial legislation) applies, you may request access to and correction of your personal information, withdraw consent (where consent is the legal basis), and exercise other applicable rights. For Quebec, the Privacy Officer is Francesca Valenti, dpo@whtexch.com; complaints may be addressed to the Commission d’accès à l’information (CAI). Mandatory breach notification to the CAI is given without delay where the breach presents a risk of serious injury.
Australia
If the Australian Privacy Act 1988 (Cth) applies (currently subject to the AUD 3M turnover threshold), you have the rights set out in the Australian Privacy Principles. Complaints may be lodged with us first and then, if unresolved, with the Office of the Australian Information Commissioner (OAIC, www.oaic.gov.au).
New Zealand
If the New Zealand Privacy Act 2020 applies, you have rights of access, correction, and complaint to us and (if unresolved) to the New Zealand Privacy Commissioner (www.privacy.org.nz).
Supplements below:
Sub processors list
US States
Republic of Korea
***
SUBPROCESSOR LIST
Effective date: 11 May 2026
1. Purpose
This Subprocessor List identifies the third parties that actually process personal data of WEXVR users in the operation of the Service. Tooling that does not process personal data is intentionally not listed here.
Controller. White Exchange S.r.l. — Via Durini 25, 20122 Milan, Italy — VAT/Reg. No. 12380700968 — DPO: Francesca Valenti — dpo@whtexch.com.
2. List of subprocessors
| Subprocessor | Provider entity & country of establishment | Service / function | Categories of personal data processed |
|---|---|---|---|
| Meta — Meta Quest / Meta Horizon | Meta Platforms Ireland Limited (Ireland) for EEA users; Meta Platforms, Inc. (United States) for non-EEA users. | Operating system and application distribution environment for the WEXVR app on Meta Quest headsets; account-linking with Meta Horizon for Entitlement delivery. | Meta account identifier; device identifier; entitlement-link metadata; technical telemetry surfaced to the app. |
| Stripe — Payments | Stripe Payments Europe Ltd (Ireland) for EEA users; Stripe, Inc. (United States) and group affiliates for back-end processing. | Payment processing, fraud screening, sanctions screening, anti-money-laundering controls, dispute and chargeback handling, regulatory reporting. | Cardholder data (processed in Stripe’s secured environment, not stored by WHTEXCH); transaction identifiers and amounts; billing name and address; country; risk indicators; dispute and refund metadata. |
| Clerk — Authentication and user management | Clerk, Inc. (United States). | User registration, authentication, session management, magic-link and passwordless flows, social-login orchestration (e.g., Google), session token issuance. | E-mail address; account credentials and tokens; IP address; device identifier and user-agent; approximate sign-in location (geolocation derived from IP); browser and OS metadata; usage data within Clerk dashboards. |
| Supabase — Application database (Postgres) | Supabase Inc. (United States). | Primary relational data store for the WEXVR application: user profiles, channels, content metadata, entitlements, watch records, moderation and report records. | Account and identity data; email; transaction and Entitlement data; usage and viewing data; moderation and report records; channel-owner profile metadata for B2B users. |
| Upstash — Redis cache and workflow state | Upstash, Inc. (United States). | Shared cache (rate-limiting, session state, device-authorisation flow); workflow state store with replay-on-failure semantics. | IP address; device fingerprint; session and rate-limit counters; transient workflow payloads (which may include account identifier, transaction reference). |
| Google Cloud Platform (GCP) — Hosting infrastructure | Google Cloud EMEA Limited (Ireland) for EEA customers, with Google LLC (United States) as an affiliated processor where applicable. | Compute, storage, networking, container orchestration, secrets management, observability, and other primary infrastructure on which WEXVR services run. | All categories of personal data processed in connection with the Service while in transit through and at rest on the GCP infrastructure (account, transaction, telemetry, moderation, support communications). |
| Resend — Transactional e-mail delivery | Resend, Inc. (United States). | Sending of transactional and service e-mails (purchase confirmations, withdrawal-acknowledgement messages on durable medium, security alerts, statements of reasons, password-reset, refund updates). | Recipient e-mail address; e-mail content (which may include name, transaction identifier, and case-specific information); sending and delivery metadata. |
***
WEXVR U.S. STATE PRIVACY RIGHTS SUPPLEMENT
Applies only to residents of U.S. states whose privacy laws apply to WEXVR
Effective date: 11 May 2026
This Supplement provides additional privacy disclosures for residents of U.S. states that grant consumer privacy rights and that apply to White Exchange S.r.l. and the WEXVR service. It should be read together with the WEXVR Privacy Notice. If there is a conflict between this Supplement and the general Privacy Notice, this Supplement governs only to the extent required by applicable U.S. state law.
1. Scope and current WEXVR position
WEXVR is a paid, account-based digital content service. We currently do not sell personal information, do not share personal information for cross-context behavioural advertising or comparable targeted advertising, and do not knowingly permit under-13 users on the Service. WEXVR is not directed to children under 13, and we do not knowingly sell or share personal information of users we know to be children within the meaning of applicable law.
WEXVR also does not currently use personal information to make decisions that produce legal or similarly significant effects through solely automated profiling. If our practices materially change, we will update the Privacy Notice and this Supplement where required.
2. Rights that may be available
Depending on your state of residence and the thresholds or exemptions that apply, you may have some or all of the following rights: to know whether we process your personal information; to access a copy of personal information we maintain about you; to correct inaccurate personal information; to delete personal information; to obtain a portable copy of certain personal information; to appeal a refusal of a privacy-rights request; and, where applicable, to opt out of sales, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects.
Because WEXVR does not currently sell personal information or use personal information for targeted advertising, many opt-out rights will ordinarily be addressed by confirming that such processing is not presently carried out. If that changes, we will publish an updated process for exercising those rights.
3. How to exercise your rights
You may submit privacy requests by emailing dpo@whtexch.com. Please identify the right you wish to exercise, the state in which you reside, the email address associated with your WEXVR account (if any), and enough information for us to locate and verify the relevant records.
If you are a parent or legal guardian making a request on behalf of a minor, or an authorised agent acting on behalf of another person, we may require additional verification, proof of authority, or signed authorisation before acting on the request.
We may deny, limit, or defer a request where permitted by law, including where we cannot verify identity or authority, where an exemption applies, or where the request would compromise security, fraud prevention, legal compliance, or the rights of others.
4. Appeals
If applicable law gives you the right to appeal a refusal of your request, you may submit an appeal to dpo@whtexch.com with the subject line “Privacy Appeal”. Please include the original request, our response (if any), the state whose law you believe applies, and why you believe the request should be reconsidered.
5. California-specific disclosures
For California residents, and only to the extent the California Consumer Privacy Act as amended applies, the categories of personal information WEXVR may collect are described in the WEXVR Privacy Notice and may include identifiers, account information, payment and transaction information, internet or other electronic network activity information, device and technical information, coarse geolocation or country information, customer-support communications, moderation and reporting records, and inferences reasonably drawn from such information for service, security, or fraud-prevention purposes.
The categories of sources from which we may collect personal information include: directly from you; automatically from your device, browser, headset, or app session; from payment processors such as Stripe; from analytics, fraud-prevention, hosting, and infrastructure providers acting on our behalf; from Meta or compatible-device ecosystem providers where relevant to account or entitlement support; from other users, Channel Owners, rights holders, or authorities who submit reports or complaints; and from publicly available or compliance-related sources where necessary.
The categories of recipients to whom we may disclose personal information for business purposes include service providers, payment processors, infrastructure and security providers, professional advisers, authorities or courts where legally required, and corporate counterparties in connection with a transaction subject to appropriate protections. WEXVR does not currently sell personal information and does not currently share personal information for cross-context behavioural advertising.
California residents may designate an authorised agent to make a request on their behalf, subject to verification and proof of authority. We will not discriminate against you for exercising rights granted by applicable law.
6. Retention
We retain personal information only for as long as reasonably necessary for the purposes described in the WEXVR Privacy Notice, including account administration, entitlement management, payment and accounting, fraud prevention, moderation, legal compliance, dispute handling, and records retention. Different categories of data may be kept for different periods depending on operational, tax, anti-fraud, or legal needs.
7. Changes to this Supplement
We may update this Supplement from time to time to reflect changes in WEXVR’s practices, changes in U.S. state privacy laws, regulator guidance, or operational needs. The most current version will be made available with an updated effective date.
8. Contact
Privacy questions and privacy-rights requests should be sent to dpo@whtexch.com.
White Exchange S.r.l. | Via Durini 25, 20122 Milan, Italy | VAT / Reg. no. 12380700968
***
PRIVACY NOTICE — REPUBLIC OF KOREA
1. Controller and contact
White Exchange S.r.l. (the “Controller”), an Italian limited liability company with registered office at Via Durini 25, 20122 Milan, Italy, VAT/Tax No. 12380700968, is the controller for the personal information of Republic of Korea residents processed in connection with the WEXVR service.
Personal Information Protection Manager (개인정보 보호책임자): Francesca Valenti, Data Protection Officer — dpo@whtexch.com — White Exchange S.r.l., Via Durini 25, 20122 Milan, Italy.
Personal information rights and complaints: dpo@whtexch.com.
General support: support@wexvr.com.
Domestic agent (PIPA Art. 31-2): Not appointed at this date because WHTEXCH does not meet the thresholds under Article 32-2 of the PIPA Enforcement Decree (≥ 1 trillion KRW total annual revenue, OR ≥ 10 billion KRW Korean information service revenue, OR ≥ 1 million daily active users in Korea, OR processing of sensitive data of more than 50,000 Korean data subjects on average daily).
2. Categories of personal information collected
| Category | Items | Source |
|---|---|---|
| Account / identity | E-mail, password (hashed), age confirmation, country, language preference | Provided by user at registration |
| Transaction | Purchased title, transaction ID, amount, currency, payment status, refund / dispute status, billing descriptor | Stripe, payment processors (Stripe acts partly as processor and partly as independent controller for fraud / sanctions / regulatory reporting) |
| Device / technical | IP address, device identifier, headset model, firmware version, app version, OS, language, timezone, session and crash logs | Auto-collected from user device / browser |
| Usage / viewing | Titles unlocked, view counts consumed, time spent, feature usage | Auto-collected |
| Moderation / report | Reports, complaints, evidence, statements of reasons, decisions | User submissions |
| Communications | Support emails / messages | Provided by user |
3. Purposes and legal grounds (consent-based)
Personal information is processed only for the purposes set out below. For Korean residents, processing is based on user consent (PIPA Art. 15(1)(1)) unless another legal basis applies (e.g., performance of contract, legal obligation).
| Purpose | Required / optional | Legal basis |
|---|---|---|
| Service delivery, account, Entitlement | Required | Consent (PIPA Art. 15(1)(1)) and contract (PIPA Art. 15(1)(4)) |
| Payment processing and billing | Required | Consent + legal obligation (PIPA Art. 15(1)(2)) |
| Anti-fraud, security, abuse prevention | Required | Legitimate interests (PIPA Art. 15(1)(6)) + legal obligation |
| Moderation, reports, complaints | Required | Legal obligation + legitimate interests |
| Service analytics and improvement | Optional | Consent (separate opt-in) |
4. Retention
Personal information is retained only for the period necessary to fulfil the relevant purpose, then deleted or de-identified, save where retention is required by Korean law.
| Data | Retention |
|---|---|
| Account / Service data | Life of the account + 12 months after deletion |
| Transaction records (Korean Commercial Act / e-Commerce Act) | 5 years |
| Sign-in logs (Network Act) | 6 months |
| Moderation / report records | 6 months from decision; longer for ongoing investigations |
5. Cross-border transfer of personal information (PIPA Art. 28-8)
Personal information of Korean residents is transferred to Italy (Controller’s establishment) and to other countries where the Controller’s service providers operate. The Controller obtains specific consent for such transfer at sign-up, with the disclosures required by PIPA Article 28-8.
| Item | Disclosure |
|---|---|
| Recipient identity | White Exchange S.r.l. (Controller) — Italy. Stripe, Inc. — United States and Ireland. Meta Platforms — United States and Ireland. Cloud-hosting and CDN providers — European Union and United States. |
| Recipient’s contact details | dpo@whtexch.com (Controller). Recipient processors’ DPAs are available on request. |
| Items transferred | All categories listed in Section 2. |
| Purposes of transfer | Service delivery, payment processing, anti-fraud, security, moderation, support. |
| Retention | As set out in Section 4. |
| Method of transfer | Encrypted electronic transfer (TLS 1.2+) over public networks. |
| Date and frequency | Continuous, as required for service delivery. |
6. Rights of Korean residents
Korean residents have the following rights under PIPA: (i) request access to personal information; (ii) correction; (iii) deletion (subject to legal exceptions); (iv) suspension of processing; (v) withdrawal of consent at any time; (vi) lodge a complaint with the PIPC (www.pipc.go.kr) or the Personal Information Dispute Mediation Committee.
How to exercise: Send a request to dpo@whtexch.com. The Controller responds within 10 days under PIPA Art. 35(3).
7. Use of cookies and online identifiers (Network Act)
WEXVR uses strictly necessary cookies and similar technologies for authentication, Entitlement delivery, fraud prevention, and security. Optional analytics cookies are used only with consent through the consent-management mechanism, with parity between “accept all” and “reject all”. The Controller does not use cookies for cross-context behavioural advertising.