Article 1 (Items of Personal Information Collected)
The Company collects and processes the following items of personal information.
- Sign-up / login: email address, authentication identifier
- Payment / subscription: order information, payment method information (payments are processed through a payment gateway (PG) provider, and the Company does not directly store the original payment information, such as card numbers)
- Automatically collected: service usage records, access logs (including IP address), device/browser information, cookies
Article 2 (Purpose of Collection and Use of Personal Information)
- Member identification and service provision, license issuance and management
- Payment, settlement, and refund processing for paid services
- Responding to customer inquiries and delivering notices
- Preventing fraudulent use of the service and ensuring security
Article 3 (Retention and Use Period of Personal Information)
In principle, the Company destroys personal information without delay once the purpose of its collection and use has been achieved. However, where retention is required under applicable laws, the Company retains such information for the periods set out below.
- Records of contracts or withdrawal of subscription: 5 years (Act on Consumer Protection in Electronic Commerce)
- Records of payment and supply of goods, etc.: 5 years (Act on Consumer Protection in Electronic Commerce)
- Records of consumer complaints or dispute resolution: 3 years (Act on Consumer Protection in Electronic Commerce)
- Records of labeling and advertising: 6 months (Act on Consumer Protection in Electronic Commerce)
- Website visit (access) logs: 3 months (Protection of Communications Secrets Act)
Article 4 (Entrustment of Personal Information Processing)
For the smooth provision of its services, the Company entrusts personal information processing tasks as set out below, and specifies in the entrustment agreements the matters necessary to ensure that personal information is managed securely.
- Toss Payments Corp.: payment processing and electronic payment gateway (PG) services
- Supabase Inc.: member authentication and database operation
- Cloudflare, Inc.: service infrastructure (hosting/network) operation
Article 5 (Provision of Personal Information to Third Parties)
The Company does not provide users' personal information to third parties beyond the scope specified in this Policy, except where the user has given prior consent, or where an investigative agency or other authority requests it through lawful procedures under applicable law.
Article 6 (Cross-Border Transfer of Personal Information)
For the provision of its services, the Company entrusts personal information processing tasks to the operators listed below, which perform such tasks outside of Korea, and users' personal information may accordingly be stored and processed abroad.
- Recipient: Supabase Inc., Cloudflare, Inc.
- Countries of transfer: the United States and other countries where the data centers operated by these providers are located
- Items transferred: the information listed under “Items of Personal Information Collected” above
- Time and method of transfer: transmitted via information and communications networks at the time the service is used
- Recipient's purpose of use and retention period: identical to the entrustment purpose and retention period set out in this Policy
Users may refuse the cross-border transfer of their personal information; however, refusal may limit sign-up and use of the service.
Article 7 (Procedure and Method of Destruction of Personal Information)
- Destruction procedure: Personal information whose retention period has elapsed or whose processing purpose has been achieved is destroyed without delay. Where retention is required by law, the information is stored separately and destroyed once the retention period has elapsed.
- Destruction method: Electronic files are permanently deleted using methods that prevent recovery or reproduction, and printed materials, etc. are shredded or incinerated.
Article 8 (Rights and Obligations of Data Subjects and Their Legal Representatives, and Methods of Exercising Them)
Users (data subjects) may at any time request access to, correction of, deletion of, or suspension of processing of their personal information.
- Users may directly check and modify their information, or delete their account and data, via the 'My Account' menu.
- Other rights may be exercised by submitting a request to the Privacy Officer in writing or by email (ai@onoffer.kr), and the Company will act without delay.
Article 9 (Installation, Operation, and Refusal of Cookies and Other Automatic Collection Devices)
The Company may use cookies to provide services tailored to users. Users may refuse to allow cookies to be stored by adjusting their web browser settings; doing so, however, may limit the use of some services.
Article 10 (Measures to Ensure the Security of Personal Information)
The Company takes the following measures to ensure the safe processing of personal information.
- Administrative measures: establishing and implementing an internal management plan, minimizing the number of personnel handling personal information, and providing training
- Technical measures: managing access authority, installing an access control system, encrypting data in transit (TLS)
- Physical measures: access control at the data centers of entrusted service providers
Article 11 (Personal Information of Children Under 14 Years of Age)
The Company's services are intended for users 14 years of age or older, and the Company does not accept sign-ups from children under 14 years of age.
Article 12 (Privacy Officer)
The Company has designated a Privacy Officer who oversees personal information processing and is responsible for handling complaints from data subjects and remedying any resulting harm.
Privacy Officer: 박태환
Contact: 070-4366-1899 / ai@onoffer.kr
Article 13 (Remedies for Infringement of Rights and Interests)
Users who require dispute resolution or consultation regarding infringement of personal information may contact the following organizations.
- Personal Information Dispute Mediation Committee: 1833-6972 (no area code) / www.kopico.go.kr
- Personal Information Infringement Report Center: 118 (no area code) / privacy.kisa.or.kr
- Supreme Prosecutors' Office Cyber Investigation Division: 1301 (no area code) / www.spo.go.kr
- National Police Agency Cyber Investigation Bureau: 182 (no area code) / ecrm.police.go.kr
Article 14 (Changes to This Privacy Policy)
This Policy may be amended in accordance with changes in laws, policies, or the service, and in the event of amendment, the effective date and the changes will be announced on the service screen. The effective date of this Policy is the same as the date indicated at the top.