Privacy Policy

COSRX Inc. (hereinafter referred to as “the Company”) complies with the provisions of laws and regulations related to personal information such as “Information Communication Network Promotion and Information Protection Act” and “Personal Information Protection Act”.

This Privacy Policy sets out how we, COSRX, collect, store and use information about you when you use or interact with our website, COSRX.COM (our website), and where we otherwise obtain or collect information about you. This Privacy Policy is effective from August 8, 2019.

Contents
  • Summary
  • Information we collect when you visit our website
  • How we use your information
    • How long we retain your information
  • How we secure your information
  • Procedure and method of destruction of your personal information
  • Providing Personal Information with Third Parties
  • Outsourcing of Processing of Personal Information
  • Linked Websites
  • Rights of User and Exercise of the Rights
  • Responsibilities of Members
  • Installation, Operation and Refusal Regarding Automatic Personal Information Collection System (Cookies, etc.)
  • Technological/Managerial Safeguards for Personal Information
  • Privacy Officer

Summary

This section summarizes how we obtain, store and use information about you. It is intended to provide a very general overview only. It is not complete in and of itself and it must be read in conjunction with the corresponding full section of this Privacy Policy.

  • Data controller: COSRX Inc.

1. How we collect or obtain information about you:

  • Personal information collected
    • When registering as a member
      • (Required) First Name, Last Name, E-mail, Password
    • When making a purchase
      • Purchaser information (Name, E-mail, Country, Phone Number), Shipping information (Name, E-mail, Password, Country, Address, Phone Number), PayPal (Credit Card information, Bank Account information, Payment history and other similar information, Payment password (consolidated))
    • When making a purchase as non-member
      • Purchaser information (Name, E-mail, Country), Shipping information (E-mail, Name, Company (Optional), Street Address, City, State/Province, Zip/Postal Code, Country, Phone Number)
    • Refund
      • Information for the bank account to receive the refund (Bank name, Account number, Account holder name) 
    • Information automatically generated during the process of using the services
      • Service usage history, IP address, Cookies, Date of visit, Abnormal usage record, Device information (OS version, Unique device identifier), ADID, IDFA and occasionally, from third parties.
    • When participating in an event
      • Name, Mobile phone number, address
        • “Event participating member” refers to a member who participated in an event organized through channels such as the COSRX website or social media pages operated by COSRX Inc.
    • When selected as a winner for an event
      • Name, mobile phone number, address
    • When providing customer dispute processing and customer service
      • Content and detail of the customer service
    • Furthermore
      • Information about how you use our website (e.g. which pages you have viewed, the time when you viewed them and what you clicked on, the geographical location from which you accessed our website (based on your IP address), your answers to quizzes or surveys, and information about your internet connection).

How we use your information:

  • Personal identification
    • Name, ID (E-mail), Password, Country, Mobile phone number, Date of birth
  • Contact and notification for providing services and processing customer claims
    • Name, ID (E-mail), Mobile phone number
  • Product purchase and shipping
    • Purchase information (Country, Name, ID (E-mail), Mobile phone number), Shipping information (Country, Name, ID (E-mail), mobile phone number, address), PayPal: Credit card information, Bank account information, Payment history and other similar information, payment password (consolidated)
  • Notification for events and new services, marketing (including customized marketing), delivery of event gifts
    • Name, ID (E-mail), Mobile Phone number, address, Date of Birth, Gender, Cookies, ADID, IDFA
  • Account refund
    • Information for the bank account to receive the refund (bank name, account number, account holder name)
  • Prevention of fraudulent use, prevention of unauthorized use, preservation of record for dispute resolution, customer dispute resolution and other customer services, etc. 
    • Service usage history, IP address, cookies, date of visit, abnormal usage record, device information (OS version, unique device identifier), content of customer service
  • Furthermore
    • We use your information for administrative and business purposes (particularly to contact you and process orders you place on our website), to improve our business and website, to fulfil our contractual obligations, to advertise our goods and services, to analyze your use of our website, and in connection with our legal rights and obligations.
    • We only disclose your information to third parties to the extent necessary to run our business, to our service providers, and to fulfil any contracts we enter into with you, and where required by law or to enforce our legal rights.
    • We do not sell your information to third parties (other than in the course of a business sale or purchase or similar event).

2. How long we retain your information

For no longer than necessary, taking into account any legal obligations we have (e.g. to maintain records for tax purposes), any other legal basis we have for using your information (e.g. your consent, performance of a contract with you or our legitimate interests as a business).

  • The information retained according to the Company’s internal policies is as follows.
    • To prevent loss due to abnormal membership termination: 5 days after membership termination request.
    • To prevent unlawful or unfair economic gain such as receiving discount coupons or event benefits through repeated terminations and such other methods, and to prevent other unlawful or unauthorized acts such as identity theft: Name, ID (E-mail) and related information for 6 months after membership termination.

The information retained pursuant to the applicable laws is as follows.

  • Protection of Communications Secrets Act
    • (Purpose) Provided when requested by law enforcement authority with a warrant
    • (Collected Items) Log information, IP, etc.
    • (Duration of Retention) 3 months
  • Act on the Consumer Protection in Electronic Commerce, Etc.
    • (Purpose) Records pertaining to customer claims or dispute resolution
    • (Collected Items) Customer identification information, dispute processing records, etc.
    • (Duration of Retention) 3 years
    • (Purpose) Records pertaining to fee payments and supply of goods, etc. / Records pertaining to contracts or offer revocation, etc.
    • (Collected Items) Customer identification information, contract/ offer revocation records, etc.
    • (Duration of Retention) 5 years
  • Framework Act on National Taxes
    • (Purpose) Calculation of period for excluding levy of national tax
    • (Duration of Retention) 10 years
    • (Purpose) Calculation of expiration date of the right to collect national tax, etc.
    • (Collected Items) Tax base and tax amount reporting materials, etc.
    • (Duration of Retention) 5 years

3. How we secure your information

  • Using appropriate technical and organizational measures such as storing your information on secure servers, encrypting transfers of data to or from our servers using Secure Sockets Layer (SSL) technology, encrypting payments you make on or via our website using Secure Sockets Layer (SSL) technology, and granting access to your information only where necessary and only to trusted individuals who have been trained and briefed on appropriate handling of personal information.

4. Procedure and method of destruction of your personal information

Generally, personal information of User is destroyed without delay when the purpose of the personal information is fulfilled. However, the account of a User who has no record of using the service for 1 year or longer is converted into an inactive account pursuant to the “personal information validity period policy” under the “Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.”

  • Destruction procedure
    • Personal information of User is transferred to a separate database after the purpose has been fulfilled, retained for a certain period according to the internal policies and other grounds under the applicable laws (refer to the retention and usage period) and destroyed thereafter.
    • Personal information transferred to the separate database is not used for any other purpose except as needed under the applicable laws, and access by anyone other than the manager is strictly limited.
    • You will be notified of the account conversion schedule through the registered email address at least thirty (30) days before the account is converted into an inactive account, and if you do not want your account to be converted into an inactive account, you can continue to use the services regularly by logging into your account following the instruction email.
    • The information of a User whose account has been converted into an inactive account is segregated and stored in a separate database and managed securely, and you may start using the services regularly at any time by logging in and going through a simple reactivation procedure.
  • Destruction method
    • Personal information stored in the form of electronic file is deleted irrecoverably in a secure manner.
    • Personal information printed on paper is destroyed by shredding.

5. Providing Personal Information with Third Parties

  • Generally, the Company does not provide User’s personal information to third parties outside the purpose of collection and use of such personal information. However, when it is necessary to share User’s personal information with partnering business entities and other parties for the purpose of providing better service, the Company will seek User’s consent by notifying the User of the identity of the parties that will receive the information, purpose of providing the information, information to be provided, and period of use and retention. Also, personal information of User may be provided pursuant to a legal provision or upon a demand by law enforcement authority for law enforcement purposes in accordance with the procedure and method set forth by applicable laws.
  • The Company does not use User’s personal information for any purpose other than delivering internet services provided by the Company and does not provide personal information to any third party without consent of User. When it is necessary to provide personal information, the Company will notify the User and obtain separate consent. However, the following exceptions apply.
    • When it is deemed necessary to disclose personal information in order to take legal action against any person who violated the company’s terms of use, harmed another person by using the services or engaged in unlawful activities against social order and customs;
    • Pursuant to a legal provision, or when there is a demand by law enforcement authority for law enforcement purposes in accordance with the procedure and method set by applicable laws; and
    • When information is provided in de-identified form for the purpose of producing statistical data, conducting academic studies or market research, providing information or sending out instruction emails for public announcement.

6. Outsourcing of Processing of Personal Information

The Company handles certain tasks required for providing services to Users by outsourcing part of such tasks to third-party service providers.

When the Company outsources such tasks, the Company identifies the obligation to comply with the laws pertaining to the protection of personal information, maintenance of confidentiality of personal information, prohibition of sharing the information with third parties, liabilities in the event of breach, period of outsourcing, and the obligation to destroy personal information after completion of the task, and the Company manages and supervises the service providers to ensure compliance.

For improved services and effective handling of the tasks, the Company outsources the processing of personal information as follows.

  • Magento: Ecommerce Platform
  • AWS: Cloud Service
  • PayPal: Payment processing
  • EFS: Storage for Shipping and Returns
  • DHL: Delivery of the products ordered
  • EMS: Delivery of the products ordered
  • MailChimp: Email service

COSRX continuously supervises and manages the third-party service providers to securely process the outsourced personal information and ensures that the third-party service providers immediately destroy the personal information in their possession upon completion of the outsourced tasks.

7. Linked Websites

The Company may provide User with a link to a website or certain material provided by another company. Because the Company does not have any control over third-party websites or materials provided therein when the Company provides the User with a link to a website or material of another company, the Company cannot warrant or take responsibility for the validity of the services or materials provided through such website or material. When you move to a third-party website by clicking a link included on the Company’s website, please review the terms and conditions of the third-party website, since the privacy policy of such third-party website has no relation to the Company.

8. Rights of User and Exercise of the Rights

User may exercise the following rights.

  • User may view or change the registered personal information of the User at any time and may refuse to give consent or request termination if the User does not consent to the Company’s processing of personal information. However, if User revokes consent to the processing of personal information, use of the services may be inevitably restricted in part or in whole.
  • Personal information may be viewed by taking the following steps.
    • Viewing personal information collected and retained: Log in and go to My Account > Personal Information
    • Outsourcing status of processing of personal information: See “6. Outsourcing of Processing of Personal Information” in this Privacy Policy.
  • Change of personal information and membership termination (revocation of consent) can be done by taking the following steps.
    • Change of personal information: Log in and go to My Account > Personal Information > Update Personal Information
    • Membership termination (revocation of consent): Log in and go to My Account > Personal information > Update Personal Information > Unregister
  • Or, you may contact the Privacy Officer in writing (E-mail) as disclosed in this Privacy Policy, and we will take necessary actions without delay.
  • When User requests correction of error in personal information, the personal information is not used or provided until such correction is completed. Also, when incorrect personal information has been provided to a third party, the Company will complete the correction process by notifying the third party of the result of such correction without delay.
  • The Company processes any information terminated or deleted by the request of User in accordance with the terms set forth in “retention and usage period” of personal information collected by the Company and takes measures to prevent such personal information from being viewed or used.
  • Only those who are 14 years of age or older are eligible for membership registration, and as a general rule, the Company does not collect personal information of children under 14 years of age, for whom a legal guardian’s consent is required for collection/use of personal information.

9. Responsibilities of Members

  • User has an obligation to protect his or her own personal information, and the Company takes no responsibility for issues arising out of leakage of personal information due to User’s negligence.
  • User should provide accurate and up-to-date personal information. The liability for any problem caused by User’s providing inaccurate information rests with the User, and in the event that User registers as a member or uses services by misappropriating another person’s personal information, the User may lose the membership status and be punished by applicable laws pertaining to personal information.
  • Together with the right to have personal information protected, User also has the obligation to protect oneself and not to infringe upon the information of another person. You should take care that your personal information is not leaked and that you do not infringe upon the personal information of other persons, including in web postings.
  • User must comply with the “Act on Promotion of Information and Communications Network Utilization and Information Protection,” “Personal Information Protection Act,” and other laws pertaining to personal information.

10. Installation, Operation and Refusal Regarding Automatic Personal Information Collection System (Cookies, etc.)

The following are the items related to the installation, operation, and refusal regarding the automatic personal information collection system. The Company utilizes cookies, which frequently save and find User’s information. A cookie is a very small text file sent by a website to the User’s browser and stored on the User’s hard disk.

  • Purpose of using cookies
    • Cookies are used in order to provide customized services to individuals, such as targeted marketing, by analyzing frequency and time of visit by members and non-members, patterns of use and field of interest, tracking online traces, event participation rate, number of visits and such others.
    • User has the right to accept or refuse installation of cookies and may at any time choose to refuse or delete the storage of cookies.
    • User may choose options available in web browsers to (i) allow all cookies, (ii) check whenever cookies are stored, or (iii) block storage of all cookies. Since each web browser has a different mechanism for setting cookies, please refer to the instructions for each web browser for further details.
      • Internet Explorer: Tools > Internet Options > Privacy tab > Select a setting for the Internet zone
      • Chrome: Settings > Advanced > Under “Privacy and Security,” click Content settings > Select the desired level of cookies
      • Firefox: Options > Privacy > History – Select “Use custom settings for history” > Select the desired level of cookies
      • Safari: Preferences > Privacy tab > Select a “Cookies and website data” option
    • How to disable ADID/IDFA
      • iOS: Settings > Advertising > Switch on “Limit Ad Tracking”
      • Android: Settings > Google (Google Settings) > Ads > Opt out of interest-based ads
    • However, when storage of cookies is blocked, use of certain services such as personally customized services may become difficult.

11. Technological/Managerial Safeguards for Personal Information

The Company strives to protect information by preparing technological/managerial safeguards in processing User’s personal information. The Company implements the following technological/managerial safeguards in order to ensure security in processing the personal information of Users and to prevent loss, theft, leakage, alteration or contamination of personal information.

  • Encryption of passwords
    • User passwords are stored and managed after one-way encryption, and only the owner of the personal information who knows the password may view or change the information. Therefore, please take extra care so that your password is not disclosed to any other person.
  • Anti-hacking measure
    • The Company operates systems to detect and block intrusion 24 hours a day to prevent loss, theft, leakage, alteration or contamination of User’s personal information through intrusion into the information communication network of the Company such as hacking or viruses, and such intrusion detection and blocking systems are operated with a double-layered structure in case of any emergency situation.
    • Important data are backed up on a regular basis in case personal information is damaged, and the Company strives to prevent leakage of personal information or other important data using antivirus software.
    • Sensitive personal information is encrypted in the process of being transmitted over the information communication network to ensure secure transmission of the personal information.
    • The Company continues to ensure data security in other ways such as adopting security systems and expanding the professional work force in this field.
  • Minimization and regular training of personal information managers
    • The Company minimizes the number of people managing personal information by limiting personal information management tasks only to the necessary personnel; when there is any HR change such as termination or transfer of positions, the Company restricts access to personal information through adjustment or termination of the relevant authority without delay.
    • The Company makes its best efforts by conducting training for personal information managers on a regular basis to raise awareness of the importance of the protection of personal information and to ensure that the information is securely managed.

12. Privacy Officer

The Company has designated a Privacy Officer and a department in charge of the protection of personal information in order to handle claims regarding personal information of Users.

  • For any claims related to personal information that may arise while using the services, please contact the Privacy Officer or the department in charge of personal information. The Company will swiftly respond to such inquiries.
  • If any other reporting or consultation is required regarding infringement of personal information, please contact the following organizations.
    • Personal Information Infringement Reporting Center (http://privacy.kisa.or.kr / 118 with no preceding numbers)
    • Supreme Prosecutor’s Office Cyber Security Center (http://www.spo.go.kr / 1301 with no preceding number)
    • National Police Agency Cyber Security Bureau (http://cyberbureau.police.go.kr/index.do / 182 with no preceding numbers)
    • Electronic Transactions Dispute Resolution Commission (https://www.ecmc.or.kr / 1661-5714)

The current Privacy Policy may be revised according to government policy or the need of the Company. When there is any addition, deletion or modification of the content, notice will be provided through the homepage or email at least 7 days prior to the effective date, and the Policy as amended will take effect 7 days from the date of notification. If any material term (i.e., the purpose of collection and use of personal information, the third party to which personal information will be provided, etc.) is added, deleted or revised, such addition, deletion or revision will be notified at least 30 days prior to the effective date, and the Policy as amended will take effect 30 days from the date of notification. Also, the Company will seek separate consent from User in accordance with applicable laws for any addition or modification of the content pertaining to the items that require separate consent, such as collection and use of personal information and sharing of the information with third parties, pursuant to the applicable laws such as the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.

Effective date: August 8, 2019