- Data controller: COSRX Inc.
1. How we collect or obtain information about you:
- Personal information collected
- When registering as a member
- (Required) First Name, Last Name, E-mail, Password
- When making a purchase
- Purchaser information (Name, E-mail, country, Phone Number), Shipping information (Name, E-mail, Password, Country, Address, Phone Number) PayPal (Credit Card information, Bank Account information, Payment history and other similar information, Payment password (consolidated))
- When making a purchase as non-member
- Purchaser information (Name, E-mail, Country), Shipping information (E-mail, Name, Company (Optional), Street Address, City, State/Province, Zip/Postal Code, Country, Phone Number)
- Information for the bank account to receive the refund (Bank name, Account number, Account holder name)
- Information automatically generated during the process of using the services
- Service usage history, IP address, Cookies, Date of visit, Abnormal usage record, Device information (OS version, Unique device identifier), ADID, IDFA and occasionally, from third parties.
- When participating in an event
- Name, Mobile phone number, address
- “Event participating member” refers to the member who participated in an event organized through the channels such as COSRX website or social media pages operated by COSRX Inc.
- When selected as a winner for an event
- Name, mobile phone number, address
- When providing customer dispute processing and customer service
- Content and detail of the customer service
- Information about how you use our website (e.g. which pages you have viewed, the time when you viewed them and what you clicked on, the geographical location from which you accessed our website (based on your IP address), your answers to quizzes or surveys, and information about your internet connection).
How we use your information:
- Personal identification
- Name, ID (E-mail), Password, Country, Mobile phone number, Date of birth
- Contact and notification for providing services and processing customer claims
- Name, ID (E-mail), Mobile phone number
- Product purchase and shipping
- Purchase information (Country, Name, ID (E-mail), Mobile phone number), Shipping information (Country, Name, ID (E-mail), mobile phone number, address), PayPal: Credit card information, Bank account information, Payment history and other similar information, payment password (consolidated)
- Notification for events and new services, marketing (including customized marketing), delivery of event gifts
- Name, ID (E-mail), Mobile Phone number, address, Date of Birth, Gender, Cookies, ADID, IDFA
- Account refund
- Information for the bank account to receive the refund (bank name, account number, account holder name)
- Prevention of fraudulent use, prevention of unauthorized use, preservation of record for dispute resolution, customer dispute resolution and other customer services, etc.
- Service usage history, IP address, cookies, date of visit, abnormal usage record, device information (OS version, unique device identifier), content of customer service
- We use your information for administrative and business purposes (particularly to contact you and process orders you place on our website), to improve our business and website, to fulfil our contractual obligations, to advertise our goods and services, to analyze your use of our website, and in connection with our legal rights and obligations.
- We only share your information with third parties to the extent necessary to run our business, with our service providers, to fulfil any contracts we enter into with you, and where required by law or to enforce our legal rights.
- We do not sell your information to third parties (other than in the course of a business sale or purchase or similar event).
2. How long we retain your information
For no longer than necessary, taking into account any legal obligations we have (e.g. to maintain records for tax purposes), any other legal basis we have for using your information (e.g. your consent, performance of a contract with you or our legitimate interests as a business).
- The information retained according to the Company’s internal policies is as follows.
- To prevent loss due to abnormal membership termination: 5 days after membership termination request.
- To prevent unlawful or unfair economic gain such as receiving discount coupons or event benefits through repeated terminations and such other methods, and to prevent other unlawful or unauthorized acts such as identity theft: Name, ID (E-mail) and related information for 6 months after membership termination.
The information retained pursuant to the applicable laws is as follows.
- Protection of Communications Secrets Act
- (Purpose) Provided when requested by law enforcement authority with a warrant
- (Collected Items) Log information, IP, etc.
- (Duration of Retention) 3 months
- Act on the Consumer Protection in Electronic Commerce, Etc.
- (Purpose) Records pertaining to customer claims or dispute resolution
- (Collected Items) Customer identification information, dispute processing records, etc.
- (Duration of Retention) 3 years
- (Purpose) Records pertaining to fee payments and supply of goods, etc. / Records pertaining to contracts or offer revocation, etc.
- (Collected Items) Customer identification information, contract/ offer revocation records, etc.
- (Duration of Retention) 5 years
- Framework Act on National Taxes
- (Purpose) Calculation of period for excluding levy of national tax
- (Duration of Retention) 10 years
- (Purpose) Calculation of expiration date of the right to collect national tax, etc.
- (Collected Items) Tax base and tax amount reporting materials, etc.
- (Duration of Retention) 5 years
3. How we secure your information
- Using appropriate technical and organizational measures such as storing your information on secure servers, encrypting transfers of data to or from our servers using Secure Sockets Layer (SSL) technology, encrypting payments you make on or via our website using Secure Sockets Layer (SSL) technology, and only granting access to your information where necessary and only to trusted individuals who have been trained and briefed on appropriate handling of personal information.
4. Procedure and method of destruction of your personal information
Generally, personal information of User is destroyed without delay when the purpose of the personal information is fulfilled. However, the information of User who has no record of using the service for 1 year or longer is converted into an inactive account pursuant to the “personal information validity period policy” under the “Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.”
- Destruction procedure
- Personal information of User is transferred to a separate database after the purpose has been fulfilled, retained for a certain period according to the internal policies and other grounds under the applicable laws (refer to the retention and usage period) and destroyed thereafter.
- Personal information transferred to the separate database is not used for any other purpose except needed under the applicable laws, and access by anyone other than the manager is strictly limited.
- You will be notified of the account conversion schedule through the registered email address at least thirty (30) days before the account is converted into an inactive account, and if you do not want your account to be converted into an inactive account, you can continue to use the services regularly by logging into your account following the instructions in the email.
- The information of the User whose account has been converted into an inactive account is segregated and stored in a separate database and managed securely, and you may start using the services regularly at any time by logging in and going through a simple reactivation procedure.
- Destruction method
- Personal information stored in the form of electronic file is deleted irrecoverably in a secure manner.
- Personal information printed on paper is destroyed by shredding.
5. Providing Personal Information with Third Parties
- Generally, the Company does not provide User’s personal information to third parties outside the purpose of collection and use of such personal information. However, when it is necessary to share User’s personal information with partnering business entities and other parties for the purpose of providing better service, the Company will seek User’s consent by notifying the User of the identity of the parties that will receive the information, purpose of providing the information, information to be provided, and period of use and retention. Also, personal information of User may be provided pursuant to a legal provision or upon a demand by law enforcement authority for law enforcement purposes in accordance with the procedure and method set forth by applicable laws.
- The Company does not use User’s personal information for any purpose other than delivering internet services provided by the Company and does not provide personal information to any third party without consent of User. When it is necessary to provide personal information, the Company will notify the User and obtain separate consent. However, the following exceptions apply.
- Pursuant to a legal provision, or when there is a demand by law enforcement authority for law enforcement purposes in accordance with the procedure and method set by applicable laws; and
- When information is provided in de-identified form for the purpose of producing statistical data, conducting academic studies or market research, providing information or sending out instruction emails for public announcement.
6. Outsourcing of Processing of Personal Information
The Company handles certain tasks required for providing services to Users by outsourcing part of such tasks to third-party service providers.
When the Company outsources such tasks, the Company specifies the obligation to comply with the laws pertaining to the protection of personal information, maintenance of confidentiality of personal information, prohibition of sharing the information with third parties, liabilities in the event of breach, period of outsourcing, and the obligation to destroy personal information after completion of the task, and the Company exercises management and supervision to ensure compliance.
For improved services and effective handling of the tasks, the Company outsources the processing of personal information as follows.
Magento: Ecommerce Platform
AWS: Cloud Service
PayPal: Payment processing
EFS: Storage for Shipping and Returns
DHL: Delivery of the products ordered
EMS: Delivery of the products ordered
MailChimp: Email service
COSRX continuously supervises and manages the third-party service providers to securely process the outsourced personal information and ensures that the third-party service providers immediately destroy the personal information in their possession upon completion of the outsourced tasks.
7. Linked Websites
8. Rights of User and Exercise of the Rights
User may exercise the following rights.
- User may view or change the registered personal information of the User at any time and may refuse to give consent or request termination if the User does not consent to the Company’s processing of personal information. However, if User revokes consent to the processing of personal information, use of the services may be inevitably restricted in part or in whole.
- Personal information may be viewed by taking the following steps.
- Viewing personal information collected and retained: Log in and go to My Account > Personal Information
- Change of personal information and membership termination (revocation of consent) can be done by taking the following steps.
- Change of personal information: Log in and go to My Account > Personal Information > Update Personal Information
- Membership termination (revocation of consent): Log in and go to My Account > Personal information > Update Personal Information > Unregister
- When User requests correction of error in personal information, the personal information is not used or provided until such correction is completed. Also, when incorrect personal information has been provided to a third party, the Company will complete the correction process by notifying the third party of the result of such correction without delay.
- The Company processes any information terminated or deleted by the request of User in accordance with the terms set forth in “retention and usage period” of personal information collected by the Company and takes measures to prevent such personal information from being viewed or used.
- Only those who are 14 years of age or older are eligible for membership registration, and as a general rule, the Company does not collect personal information of children under 14 years of age for whom a legal guardian’s consent is required for collection/use of personal information.
9. Responsibilities of Members
- User has an obligation to protect his or her own personal information, and the Company takes no responsibility for issues arising out of leakage of personal information due to User’s negligence.
- User should provide accurate and up-to-date personal information. The liability for any problem caused by User’s providing inaccurate information is upon the User, and in the event that User registers as a member or uses services by misappropriating another person’s personal information, the User may lose the membership status and be punished by applicable laws pertaining to personal information.
- Together with the right to have his or her personal information protected, User also has the obligation to protect oneself and not to infringe upon the information of another person. You should take caution so that your personal information is not leaked and that you do not infringe upon the personal information of other persons, including in web postings.
- User must comply with the “Act on Promotion of Information and Communications Network Utilization and Information Protection,” “Personal Information Protection Act,” and other laws pertaining to personal information.
10. Installation, Operation and Refusal Regarding Automatic Personal Information Collection System (Cookies, etc.)
Following are the items related to the installation, operation, and refusal regarding the automatic personal information collection system. The Company utilizes cookies, which frequently save and retrieve User’s information. A cookie is a very small text file sent by a website to the User’s browser and stored on the User’s hard disk.
- Purpose of using cookies
- Cookies are used in order to provide customized services to individuals, such as targeted marketing, by analyzing frequency and time of visit by members and non-members, patterns of use and field of interest, tracking online traces, event participation rate, number of visits and such others.
- User has the right to accept or refuse installation of cookies and may at any time choose to refuse or delete the storage of cookies.
- User may choose options available on web browsers to (i) allow all cookies, (ii) check whenever cookies are stored, or (iii) block storage of all cookies. Since each web browser has a different mechanism for setting cookies, please refer to the instructions for each web browser for further details.
- Internet Explorer: Tools > Internet Options > Privacy tab > Select a setting for the Internet zone
- Chrome: Settings > Advanced > Under “Privacy and Security,” click Content settings > Select the desired level of cookies
- Firefox: Options > Privacy > History – Select “Use custom settings for history” > Select the desired level of cookies
- Safari: Preferences > Privacy tab > Select a “Cookies and website data” option
- How to disable ADID/IDFA
- iOS: Settings > Advertising > Switch on “Limit Ad Tracking”
- Android: Settings > Google (Google Settings) > Ads > Opt out of interest-based ads
- However, when storage of cookies is blocked, use of certain services such as personally customized services may become difficult.
11. Technological/Managerial Safeguards for Personal Information
The Company strives to protect information by preparing technological/managerial safeguards in processing User’s personal information. The Company implements the following technological/managerial safeguards in order to ensure security in processing the personal information of users and to prevent loss, theft, leakage, alteration or contamination of personal information.
- Encryption of passwords
- User passwords are stored and managed after one-way encryption, and only the owner of the personal information who knows the password may view or change the information. Therefore, please take extra care so that your password is not disclosed to any other person.
- Anti-hacking measure
- The Company operates systems to detect and block intrusion 24 hours a day to prevent loss, theft, leakage, alteration or contamination of User’s personal information through intrusion into the information communication network of the Company such as hacking or viruses, and such intrusion detection and blocking systems are operated with double-layered structure in case of any emergency situation.
- Important data are backed up on a regular basis in preparation for the case where personal information is damaged, and the Company strives to prevent leakage of personal information or other important data using antivirus software.
- Sensitive personal information is encrypted in the process of being transmitted over the information communication network to ensure secure transmission of the personal information.
- The Company continues to ensure data security in other ways such as adopting security systems and expanding professional work force in this field.
- Minimization and regular training of personal information managers.
- The Company minimizes the number of people managing personal information by limiting personal information management tasks only to the necessary personnel; when there is any HR change such as termination or transfer of positions, the Company restricts access to personal information through adjustment or termination of the relevant authority without delay.
- The Company makes its best efforts by conducting training for personal information managers on a regular basis to raise awareness of the importance of the protection of personal information and to ensure that the information is securely managed.
12. Privacy Officer
The Company has designated a Privacy Officer and a department in charge of the protection of personal information in order to handle claims regarding personal information of Users.
- For any claims related to personal information that may arise while using the services, please contact the Privacy Officer or the department in charge of personal information. The Company will swiftly respond to such inquiries.
- Privacy Officer (Head)
- Privacy Officer (Junior)
- Customer Support
- If any other reporting or consultation is required regarding infringement of personal information, please contact the following organizations.
- Personal Information Infringement Reporting Center (http://privacy.kisa.or.kr / 118 with no preceding numbers)
- Supreme Prosecutor’s Office Cyber Security Center (http://www.spo.go.kr / 1301 with no preceding number)
- National Police Agency Cyber Security Bureau (http://cyberbureau.police.go.kr/index.do / 182 with no preceding numbers)
- Electronic Transactions Dispute Resolution Commission (https://www.ecmc.or.kr / 1661-5714)
Effective date: August 8, 2019