Privacy Policy

Privacy Policy

KAKAO IX Corp., Ltd. (hereinafter “Company” or “we”) highly values the personal information of the users (“User” or “you”), and in the event that personal information needs to be collected, used or provided, the Company guarantees the right of User to make decisions regarding one’s own personal information based on the User’s consent.

The Company makes its best efforts to protect User’s personal information by duly complying with the applicable laws required of information technology service providers, including the Act on Promotion of Information and Communications Network Utilization and Information Protection and Personal Information Protection Act, as well as other regulations and guidelines pertaining to the protection of personal information.

This Privacy Policy applies to Kakao Friends online store and other related services in general provided by the Company (including mobile web services).

1. Purpose of Collection and Use of Personal Information

All Kakao Friends online store services may be used without membership registration, with the exception of individual benefit offers and event participation.

  • (1) Personal information collected
    • 1) When registering as a member
      - (Required) Name, ID (e-mail), password, date of birth, country, mobile phone number
      - (Optional) Gender
    • 2) When linking with a social media account
      - (Required) Member code for each social media account, ID (e-mail), password, date of birth, country
      - (Optional) Gender
    • 3) When making changes to social media account membership information
      - Name, mobile phone number
    • 4) When making a purchase
      - Purchaser information (country, name, ID (e-mail), mobile phone number), delivery information (country, name, ID (e-mail), password, address), credit card information, bank account information, payment history and other similar information, payment password (consolidated)
    • 5) When making a purchase as non-member
      - Purchaser information (country, name, ID (e-mail), mobile phone number), delivery information (country, name, ID (e-mail), mobile phone number, address), credit card information, bank account information, payment history and other similar information, payment password (consolidated)
    • 6) Refund
      - Information for the bank account to receive the refund (bank name, account number, account holder name)
    • 7) Information automatically generated during the process of using the services
      - Service usage history, IP address, cookies, date of visit, abnormal usage record, device information (OS version, unique device identifier), ADID, IDFA
    • 8) When participating in an event
      - Social media account, name, ID (e-mail), mobile phone number
    • 9) When selected as a winner for an event
      - Name, mobile phone number, address
      ※ “Event participating member” refers to the member who participated in an event organized through the channels such as Kakao Friends website or social media pages operated by KAKAO IX.
    • 10) When providing customer dispute processing and customer service
      - Content and detail of the customer service
  • (2) Purpose of using the collected personal information
    • 1) Personal identification
      - Name, ID (e-mail), password, date of birth, country, mobile phone number, member code for each social media account
    • 2) Identification of the children under 14 years of age
      - Date of birth
    • 3) Contact and notification for providing services and processing customer claims
      - Name, ID (e-mail), mobile phone number, date of birth, member code for each social media account
    • 4) Product purchase and delivery
      - Purchase information (country, name, ID (e-mail), mobile phone number), delivery information (country, name, ID (e-mail), mobile phone number, address), credit card information, bank account information, payment history and other similar information, payment password (consolidated)
    • 5) Notification for events and new services, marketing (including customized marketing), delivery of event gifts
      - Name, ID (e-mail), mobile phone number, address, date of address, gender, member code for each social media account, cookies, ADID, IDFA
    • 6) Account refund
      - Information for the bank account to receive the refund (bank name, account number, account holder name)
    • 7) Prevention of fraudulent use, prevention of unauthorized use, preservation of record for dispute resolution, customer dispute resolution and other customer services, etc.
      Service usage history, IP address, cookies, date of visit, abnormal usage record, device information (OS version, unique device identifier), content of customer service
2. Period of Retention and Use of Personal Information

As a general rule, the Company destroys without delay personal information of User upon User’s termination of membership. However, with User’s consent upon advance notice provided to User according to the Company’s internal policies or needed pursuant to the applicable legal provisions, the personal information is retained securely for such period and not used for any other purposes.

  • (1) The information retained according to the Company’s internal policies is as follows.
    - To prevent loss due to abnormal membership termination: 5 days after membership termination request
    - To prevent unlawful or unfair economic gain such as receiving discount coupons or event benefits through repeated terminations and such other methods, and to prevent other unlawful or unauthorized acts such as identity theft: name, ID (e-mail) and related information for 6 months after membership termination
  • (2) The information retained pursuant to the applicable laws is as follows.
    • 1) Protection of Communications Secrets Act
      - (Purpose) Provided when requested by law enforcement authority with a warrant
      - (Collected Items) Log information, IP, etc.
      - (Duration of Retention) 3 months
    • 2) Act on the Consumer Protection in Electronic Commerce, Etc.
      - (Purpose) Records pertaining to customer claims or dispute resolution
      - (Collected Items) Customer identification information, dispute processing records, etc.
      - (Duration of Retention) 3 years
      - (Purpose) Records pertaining to fee payments and supply of goods, etc. / Records pertaining to contracts or offer revocation, etc.
      - (Collected Items) Customer identification information, contract/ offer revocation records, etc.
      - (Duration of Retention) 5 years
    • 3) Framework Act on National Taxes
      - (Purpose) Calculation of period for excluding levy of national tax
      - (Collected Items) Evidentiary materials for national tax, etc.
      - (Duration of Retention) 10 years
      - (Purpose) Calculation of expiration date of the right to collect national tax, etc.
      - (Collected Items) Tax base and tax amount reporting materials, etc.
      - (Duration of Retention) 5 years
    • 4) Value-Added Tax Act
      - (Purpose) Books, tax invoices, income tax invoices, receipts, etc.
      - (Collected Items) Tax base for VAT and tax amount reporting materials, etc.
      - (Duration of Retention) 5 years
    • 5) Electronic Financial Transactions Act
      - (Purpose) Confirmation of electronic financial transaction records
      - (Collected Items) Records pertaining to electronic financial transactions, information regarding the transacting parties, etc.
      - (Duration of Retention) 5 years
3. Procedure and Method of Destruction of Personal Information

As a general rule, personal information of User is destroyed without delay when the purpose of the personal information is fulfilled. However, the information of User who has no record of using the service for 1 year or longer is converted into inactive account pursuant to “personal information validity period policy” under the “Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.”

  • A. Destruction procedure
    - Personal information of User is transferred to a separate database after the purpose has been fulfilled, retained for a certain period according to the internal policies and other grounds under the applicable laws (refer to the retention and usage period) and destroyed thereafter.
    - Personal information transferred to the separate database is not used for any other purpose except needed under the applicable laws, and access by anyone other than the manager is strictly limited.
    - You will be notified of the account conversion schedule through the registered email address at least thirty (30) days before the account is converted into inactive account, and if you do not want your account to be converted into inactive account, you can continue to use the services regularly by logging into your account following the instruction email.
    - The information of the User whose account has been converted into inactive account is segregated and stored in a separate database and managed securely, and you may start using the services regularly at any time by logging in and going through simple reactivation procedure.
  • B. Destruction method
    - Personal information stored in the form of electronic file is deleted irrecoverably in a secure manner.
    - Personal information printed on paper is destroyed by shredding.
4. Providing Personal Information with Third Parties
  • (1) As a general rule, the Company does not provide User’s personal information to third parties outside the purpose of collection and use of such personal information. However, when it is necessary to share User’s personal information with partnering business entities and other parties for the purpose of providing better service, the Company will seek User’s consent by notifying the User of the identity of the parties that will receive the information, purpose of providing the information, information to be provided, and period of use and retention. Also, personal information of User may be provided pursuant to a legal provision or upon a demand by law enforcement authority for law enforcement purposes in accordance with the procedure and method set forth by applicable laws.
  • (2) The Company does not use User’s personal information for any purpose other than delivering internet services provided by the Company and does not provide personal information to any third party without consent of User. When it is necessary to provide personal information, the Company will notify the User and obtain separate consent. However, the following exceptions apply.
    • When it is deemed necessary to disclose personal information in order to take legal action against any person who violated the Company’s terms of use, harmed another person by using the services or engaged in unlawful activities against social order and customs;
    • Pursuant to a legal provision, or when there is a demand by law enforcement authority for law enforcement purposes in accordance with the procedure and method set by applicable laws; and
    • When information is provided in de-identified form for the purpose of producing statistical data, conducting academic studies or market researches, providing information or sending out instruction emails for public announcement.
5. Outsourcing of Processing of Personal Information

The Company handles certain tasks required for providing services to Users by outsourcing part of such tasks to third-party service providers.

When the Company outsources such tasks, the Company identifies the obligation to comply with the laws pertaining to the protection of personal information, maintenance of confidentiality of personal information, prohibition of sharing the information with third parties, liabilities in the event of breach, period of outsourcing, and the obligation to destroy personal information after completion of the task, and the Company provides management and supervision to ensure compliance.

For improved services and effective handling of the tasks, the Company outsources the processing of personal information as follows.

Personal Information Handling Entrustment Guide
Third-party Service Providers Outsourced Tasks
Transcosmos Korea Co. Ltd. Customer support and customer service
Inicis Co. Ltd., Kakao Pay Corp, PayPal Payment processing
CJ OliveNetworks Co. Ltd., CJ Korea Express Storage and delivery of the products ordered
Kakao SMS transmission
Service development and operation
dk techin Service development and operation

KAKAO IX continuously supervises and manages the third-party service providers to securely process the outsourced personal information and ensures that the third-party service providers immediately destroy the personal information in their possession upon completion of the outsourced tasks.

6. Linked Websites

The Company may provide User with a link to website or certain material provided by another company. Because the Company does not have any control over third-party websites or materials provided therein when the Company provides the User with a link to website or material of another company, the Company cannot warrant or take responsibility for the validity of the services or materials provided through such website or material. When you move to a third-party website by clicking a link included on the Company’s website, please review the terms and conditions of the third-party website since the privacy policy of such third-party website has no relation to the Company.

7. Rights of User and Exercise of the Rights

User and the User’s legal guardian may exercise the following rights.

  • (1) User and the User’s legal guardian may view or change the registered personal information of the User at any time and may refuse to give consent or request termination if the User does not consent to the Company’s processing of personal information. However, if User revokes consent to the processing of personal information, use of the services may be inevitably restricted in part or in whole.
  • (2) Personal information may be viewed by taking the following steps.
    - Viewing personal information collected and retained: Log in and go to My Page > Personal Information
    - Outsourcing status of processing of personal information: See “5. Outsourcing of Processing of Personal Information” in this Privacy Policy.
  • (3) Change of personal information and membership termination (revocation of consent) can be done by taking the following steps.
    - Change of personal information: Log in and go to My Page > Personal Information > Update Personal Information
    - Membership termination (revocation of consent): Log in and go to My Page > Personal Information > Update Personal Information > Unregister
  • (4) Or, you may contact the Privacy Officer in writing or by phone as disclosed in this Privacy Policy, and we will take necessary actions without delay.
  • (5) When User requests correction of error in personal information, the personal information is not used or provided until such correction is completed. Also, when incorrect personal information has been provided to a third party, the Company will complete the correction process by notifying the third party of the result of such correction without delay.
  • (6) The Company processes any information terminated or deleted by the request of User in accordance with the terms set forth in “retention and usage period” of personal information collected by the Company and takes measures to prevent such personal information from being viewed or used.
  • (7) Only those who are 14 years of age or older are eligible for membership registration, and as a general rule, the Company does not collect personal information of children under 14 years of age for whom legal guardian’s consent is required for collection/use of personal information.
8. Responsibilities of Members
  • (1) User has obligation to protect his or her own personal information, and the Company takes no responsibility for the issues arising out of leakage of personal information due to User’s negligence.
  • (2) User should provide accurate and up-to-date personal information. The liability for any problem caused by User’s providing inaccurate information is upon the User, and in the event that User registers as a member or uses services by misappropriating another person’s personal information, the User may lose the membership status and be punished by applicable laws pertaining to personal information.
  • (3) Together with the right to be protected of personal information, User also has the obligation to protect oneself and not to infringe upon the information of another person. You should take cautions so that your personal information is not leaked and also that you do not infringe upon personal information of other persons, including web postings.
  • (4) User must comply with the “Act on Promotion of Information and Communications Network Utilization and Information Protection,” “Personal Information Protection Act,” and other laws pertaining to personal information.
9. Installation, Operation and Refusal Regarding Automatic Personal Information Collection System (Cookies, etc.)

Following are the items related to the installation, operation, and refusal regarding automatic personal information collection system.
The Company utilizes cookies, which frequently saves and finds User’s information. A cookie is a very small text file sent by the website to the User’s browser and stored in the User’s hard disk.

  • (1) Purpose of using cookies
    • Cookies are used in order to provide customized services to individuals, such as targeted marketing, by analyzing frequency and time of visit by members and non-members, patterns of use and field of interest, tracking online traces, event participation rate, number of visits and such others.
  • • User has the right to accept or refuse installation of cookies and may at any time choose to refuse or delete the storage of cookies.
    • User may choose options available on web browsers to (i) allow all cookies, (ii) check whenever cookies are stored, or (iii) block storage of all cookies. Since each web browser has different mechanisms for setting cookies, please refer to the instruction for each web browser for further details.
    - Internet Explorer: Tools > Internet Options > Privacy tab > Select a setting for the Internet zone
    - Chrome: Settings > Advanced > Under “Privacy and Security,” click Content Settings > Select the desired level of cookies
    - Firefox: Options > Privacy > History - Select “Use custom settings for history” > Select the desired level of cookies
    - Safari: Preferences > Privacy tab > Select a “Cookies and website data” option
    • How to disable AdID/IDFA
    - ios: Settings > Advertising > Switch on “Limit Ad Tracking”
    - Android: Settings > Google (Google Settings) > Ads > Opt out of interest-based ads
    • However, when storage of cookies is blocked, use of certain services such as personally customized services may become difficult.
10. Technological/Managerial Safeguards for Personal Information

The Company strives to protect information by preparing technological/managerial safeguards in processing Users’ personal information.
The Company implements the following technological/managerial safeguards in order to ensure security in processing the personal information of Users and prevent loss, theft, leakage, alteration or contamination of personal information.

  • (1) Encryption of passwords
    • User passwords are stored and managed after one-way encryption, and only the owner of the personal information who knows the password may view or change the information. Therefore, please take extra care so that your password is not disclosed to any other person.
  • (2) Anti-hacking measures
    • The Company operates systems to detect and block intrusion 24 hours a day to prevent loss, theft, leakage, alteration or contamination of Users’ personal information through intrusion into the information communication network of the Company such as hacking or viruses, and such intrusion detection and blocking systems are operated with double-layered structure in case of any emergency situation.
    • Important data are backed up on regular basis preparing for the case personal information is damaged, and the Company strives to prevent leakage of personal information or other important data using antivirus software.
    • Sensitive personal information is encrypted in the process of being transmitted over the information communication network to ensure secure transmission of the personal information.
    • The Company continues to ensure data security in other ways such as adopting security systems and expanding professional work force in this field.
  • (3) Minimization and regular training of personal information managers
    • The Company minimizes the number of persons managing personal information by limiting personal information management task only to the necessary personnel; when there is any HR change such as termination or transfer of positions, the Company restricts access to personal information through adjustment or termination of the relevant authority without delay.
    • The Company makes its best efforts by conducting trainings for personal information managers on regular basis to raise awareness of the importance of the protection of personal information and to ensure that the information is securely managed.
11. Privacy Officer

The Company has designated Privacy Officer and the department in charge of the protection of personal information in order to handle claims regarding personal information of Users.

  • (1) For any claims related to personal information that may arise while using the services, please contact the Privacy Officer or the department in charge of personal information. The Company will swiftly respond to such inquiries.
    Personal Information Handling Department and Manager Guide
    Category Information
    CISO HYUN CHEOL
    Information security officer KANG SEOKHO
    Period of Retention and Use of Personal Information Guide
    Email Phone number
    privacy@kakaoix.com 1577-6263
    privacy@kakaoix.com 1577-6263
  • (2) If any other reporting or consultation is required regarding infringement of personal information, please contact the following organizations.
    • Personal Information Infringement Reporting Center (http://privacy.kisa.or.kr / 118 with no preceding numbers)
    • Supreme Prosecutor’s Office Cyber Security Center (http:// www.spo.go.kr / 1301 with no preceding numbers)
    • National Police Agency Cyber Security Bureau (http://cyberbureau.police.go.kr/index.do / 182 with no preceding numbers)
    • Electronic Transactions Dispute Resolution Commission (https://www.ecmc.or.kr / 1661-5714)
12. Revision to the Privacy Policy and Notice Thereof

The current Privacy Policy may be revised according to the government policy or the need of the Company. When there is any addition, deletion or modification of the content, notice will be provided through the homepage or email in advance at least 7 days prior to the effective date that the Policy as amended will take effect 7 days from the date of notification. If any material term (i.e., the purpose of collection and use of personal information, the third party to which personal information will be provided, etc.) is added, deleted or revised, such addition, deletion or revision will be notified in advance at least 30 days prior to the effective date that the Policy as amended will take effect 30 days from the date of notification. Also, the Company will seek separate consent from User in accordance with applicable laws for any addition or modification of the content pertaining to the items that require separate consent, such as collection and use of personal information and sharing of the information with third parties, pursuant to the applicable laws such as the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.

Effective date: July 29, 2019