Article 1 (Purpose of Processing Personal Information)
Personal data is processed by the Company for the following reasons. The Company’s personal information will not be used for any reason other than those listed below, and if the purpose of use changes, the Company will take the necessary steps, such as obtaining separate consent under Article 18 of the Personal Information Protection Act.
1. Provision of Goods and Services (Mandatory)
Personal information is processed by the Company in order to deliver services, content, and customized services.
2. Use in marketing and advertisement (Optional)
Personal information is processed by the Company to develop new services (products) and customized services, provide event and advertising information as well as participation opportunities, provide services and advertising based on demographic characteristics, validate services, identify access frequency, or provide statistics on its members’ use of services.
Article 2 (Processing and Retention Period of Personal Information)
① During the course of delivering services to a data subject, the Company will handle and retain the data subject’s personal information.
1. Providing goods or services: Until the delivery of goods or services is completed or the charges are settled. Personal information, on the other hand, shall be destroyed after being stored for the term provided in the applicable laws, if required by the relevant laws.
2. Use in marketing and advertising activities: From the date of acquiring personal information to the 3rd anniversary
3. Processing inquiries and complaints: Retain for 3 years after completion of handling inquiries and complaints, then discard.
② Notwithstanding paragraph 1, the Company may process and maintain each personal information for a specific period of time if such personal information is required to be preserved under the relevant laws, as follows:
|Item to be Preserved||Applicable Laws||Retention Period|
|Contract or subscription withdrawal records||Act On The Consumer Protection In Electronic Commerce||5 years|
|Payment settlement and provision of goods records||5 years|
|Records pertaining to the resolution of consumer complaints or disputes||3 years|
|Displayed records and advertisements||6 months|
|Books and supporting documentation for all Tax Act-regulated transactions||Framework Act On National Taxes||5 years|
|Electronic financial transaction records||Electronic Financial Transactions Act||5 years|
|Records of service visits||Protection Of Communications Secrets Act||3 months|
Article 3 (Providing Personal Information to Third Party and International Transfer)
① The Company will only process personal information for the purposes stated in Article 1 (Purpose of Processing Personal Information), and will not transfer personal information to third parties without the consent of the data subject. However, if there is a particular provision in the law or it is permitted by Article 18 of the “Personal Information Protection Act,” such as an unavoidable necessity for executing the defined obligations provided by other laws, the Company may transfer such personal information to a third party with or without consent.
② The company does not transfer the personal information of information subjects abroad, except as permitted by the Personal Information Protection Act. The company currently transfers personal information overseas in the following ways.
|Recipient||Country of residence of the recipient||Purpose of use||Provided items||When and how to transfer||Retention and use period|
25 First Street, 2nd Floor, Cambridge, MA 02141 USA
Data Protection Officer
||Name, E-mail address, Affiliation, Department, Duty, Telephone Number||Through the network of information and communication, transfers may occur from time to time||During the period of retention and use of personal information agreed to at the time of collection|
Article 4 (Consignment of personal information processing)
The company entrusts part of its work necessary to provide services to outside companies, stipulates the matters necessary for the entrusted party to safely process personal information, and carries out management or supervision to ensure such safe processing, in accordance with the Personal Information Protection Act. If a user does not use the service related to the work entrusted to the entrusted party, his/her personal information will not be provided to the said entrusted party. Listed below are the consignees and the tasks they have been entrusted with for processing personal information on behalf of the company. If the consignee or details of the entrusted tasks change, the policy will be updated without delay.
|Entrusted Company||Entrusted Operations||Retention and Usage Period of Personal Information|
|HubSpot, Inc.||CRM service provision, CRM server operation, CRM management||Until the member withdraws membership or the entrustment agreement term has expired|
Article 5 (Rights and Obligations of Data Subject and Statutory Representative and Method of Exercise)
① At any time, a data subject may exercise his or her right to seek access to, correction of, deletion of, or suspension of processing of his or her personal information by the Company.
② Under Article 41.2 of the Enforcement Decree of the “Personal Information Act,” the rights under paragraph 1 may be exercised to the Company in writing, via e-mail or fax, etc., and the Company will take the necessary actions without delay.
③ A data subject’s statutory representative or an authorized person may exercise his or her rights under paragraph 1. In such a circumstance, a power of attorney must be presented in Form No. 11 of the Appendix to the “Public Notice on the Method of Processing Personal Information (No. 2020-7).”
④ In the event that a data subject requests the suspension of accessing and processing personal information, his or her rights may be limited under Articles 35.4 and 37.2 of the “Personal Information Protection Act.”
⑤ It is not permitted to request the correction or deletion of any personal information listed as the subject of collection under other laws and regulations.
⑥ When the Company receives a request for access to, correction/deletion of, or suspension of processing under a data subject’s rights, it will determine whether the person making the request is a person concerned or a lawful representative.
Article 6 (Items of Personal Information to be Processed)
① The following personal information is processed by the Company in order to provide various services and customer counseling.
- Required Items: Name, E-mail address, Affiliation, Department, Duty
- Optional Items: Telephone Number
② The following types of personal information may be created and collected automatically while using services or processing service providers.
- IP address, cookies, service usage record, visit record
③ Customers who use paid services may be asked to provide the additional information listed below.
- Required Items: Bank Account Information, Details of Purchase
Article 7 (Destruction of Personal Information)
① The Company will destroy the applicable personal information without any delay when personal information becomes unnecessary, such as the expiration of the retention period, the achievement of the purpose of processing, etc.
② If the Company is required to continue preserving personal information under other laws and regulations despite the expiration of the retention period or the achievement of the purpose of processing agreed upon by a data subject, the applicable personal information will be transferred to a separate database (DB) or preserved in a different location.
③ The following is the procedure and method for erasing personal information.
1. Destruction Procedure
The Company will select personal information that must be erased and then destroy such personal information with the agreement of a privacy officer.
2. Method of Destruction
Personal information in the form of electronic files will be destroyed using a technical manner that prevents restoration, and personal information printed on paper will be destroyed using a shredder or incineration.
Article 8 (Measures for Securing Safety of Personal Information)
The Company takes the following measures to secure the safety of personal information:
1. Internal auditing should be done regularly.
To ensure the stability of the management of personal information, the Company conducts an internal audit on a regular basis (once a quarter).
2. Minimizing and training employees who handle personal information
The Company implements procedures to better manage personal information by designating a staff member who handles personal information and granting a person in charge restricted handling authorization.
3. Establishing and implementing an internal control plan
The Company develops and implements an internal control plan to ensure the secure handling of personal information.
4. Technical measures for preventing hacking, etc.
To avoid any leakage or harm to personal information caused by hacking or computer viruses, for example, the Company installs security programs, constantly updates and inspects them, and installs a system in the area with access control and monitors and blocks it technically and physically.
5. Encryption of personal information
After encryption, the user’s personal information will be saved and managed such that only that user has access to it, and any vital data will be safeguarded by a separate security function, such as encrypting files and transmission data or utilizing a file locking mechanism.
6. Storage of access records and Prevention of forgery/falsification
The Company preserves and monitors access records to the personal information processing system for at least 6 months and employs a security function to prevent forgery/falsification, theft, or loss of access to records.
7. Restriction on access to personal information
The Company takes the appropriate steps to limit access to personal information by granting, altering, or withdrawing access to the database system that processes personal information, and by utilizing an intrusion prevention system to control unauthorized external access.
8. Use of locking device for document security
Documents holding personal information, auxiliary storage media, and so on are kept in a secure location with a locking device.
9. Access control for an unauthorized person
Personal information is stored in a separate physical location, and access control mechanisms are devised and implemented
Article 9 (Installation/Operation and Refusal of Automatic Collector of Personal Information)
① The Company uses ‘cookies’ to store and retrieve user information in order to provide users with individually customized services.
② Cookies are a small amount of information that the server (HTTP) used for operating the website sends to a user’s computer browser, and are sometimes stored on a user’s computer hard disk.
1. Purpose of using cookies: Cookies are used to provide users with optimized information by identifying the type of person who visits and uses each service and website, popular search phrases, security access information, and so on.
2. Installation/Operation and Refusal of Cookies: You can disable cookie saving by selecting the option from the ‘Tool > Internet Option > Privacy’ menu at the top of the web browser.
3. Refusing to save cookies may make it difficult to access personalized services.
Article 10 (Privacy Officer)
① To resolve data subject complaints and remedy damages linked to the processing of personal information, the Company appoints a privacy officer who is in charge of problems relating to the processing of personal information, as follows:
▶ Privacy Officer
※ Connected to the Privacy Department
② A data subject may contact the Privacy Officer or the department in charge of personal information protection with inquiries about personal information protection, complaints, remedies, and so on that arise while using the Company's services (or companies). Such inquiries about the data subject will be answered and handled by the Company.
Article 11 (Request for Access to Personal Information)
Under Article 35 of the Personal Information Protection Act, a data subject may seek access to personal information from the following department.
The Company will make every effort to respond to a data subject’s request for access to personal information as soon as possible.
▶ Department in charge of receiving and handling a request for access to personal information
Article 12 (Remedy of Infringement)
To claim compensation for personal information infringement, a data subject may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee, KISA’s Personal Information Infringement Report Center, and so on. For additional reports and consultations on personal information infringement, please contact the agencies listed below.
1. Personal Information Dispute Mediation Committee: (Direct call) 1833-6972 (kopico.go.kr)
2. Personal Information Infringement Reporting Center: (Direct call) 118 (privacy.kisa.or.kr)
3. Supreme Prosecutors’ Office: (Direct call) 1301 (spo.go.kr)
4. National Police Agency: (Direct call) 182 (cyberbureau.police.go.kr)
A person whose right or interest has been violated by a decision or omission made by the head of a public agency in response to a request under Article 35 (Access to Personal Information), Article 36 (Correction and Deletion of Personal Information), or Article 37 (Suspension of Processing of Personal Information) may file an administrative appeal in accordance with the Administrative Appeal Act.
※ Please visit the Central Administrative Appeals Commission’s homepage for more information about administrative appeals (www.simpan.go.kr)