Usage Guide
Notice

[Pocamarket] Privacy Policy

Effective April 28, 2025
This Privacy Policy (“Policy”) applies to every website (“Site”), mobile application (“App”) and related online service (collectively, the “Service”) that Infludeo Inc. (“Company”) operates or provides, and to every person worldwide who uses them (“Member”). The Company complies with the Personal Information Protection Act of Korea, the Network Act, the EU GDPR, the U.S. CCPA and all other applicable domestic and foreign privacy laws, and strives to protect Members’ personal information safely and transparently.
This Policy describes:
the categories of personal information we collect and the purposes of use;
our retention periods and destruction procedures;
when we share information with third parties or entrust it to processors;
cross‑border transfers;
Members’ rights and how to exercise them; and
the technical and organisational measures we take to safeguard data.
The Policy may change when we launch new services, or when laws and internal rules change, so please review it periodically. If a material change is made, we will give at least 30 days’ prior notice on the Site or by e‑mail.

Article 1 — Purposes of Processing Personal Information

Category
Specific purposes
1. Sign‑up & Identity Verification
Issuing/Managing Member IDs; confirming intent to join/leave; age verification; verifying legal‑guardian consent; preventing duplicate or fraudulent sign‑ups
2. Transaction Management (Purchase/Sale/Settlement)
Ordering & paying for goods (photocards, etc.); Wallet top‑ups; paying sales proceeds; overseas remittances; issuing tax invoices & customs declarations; shipping/returns/reshipment
3. Customer Support & Dispute Resolution
Handling enquiries & complaints; reviewing refund requests; mediation, litigation & evidence retention; service‑failure response
4. Service Operation & Security
System development, maintenance & monitoring; detecting fraud & account theft; access‑control; statutory compliance (e.g. AML)
5. Service Improvement & New Service Development
Analysing usage patterns & statistics; AI‑based recommendations & content creation; UI/UX improvement; testing & QA
6. Marketing / Promotions (opt‑in)
E‑mail or push notices about events, coupons, new features; personalised ads & benefits; measuring ad effectiveness
7. Legal Obligations
Accounting & tax; compliance with e‑commerce, customs & consumer‑protection laws; cooperation in fraud/illegal‑activity investigations
We do not collect sensitive information (e.g., race, ideology, health). The Service is not directed to children (under 14 in Korea, under 16 elsewhere). If we learn we have collected such data, we delete it and close the account.

Article 2 — Items of Personal Information

The Company observes the retention/use periods set out below. Where another law (e‑Commerce Act, Tax Basic Act, etc.) prescribes a longer statutory period, that period prevails (see section 3).
Required information is indispensable for core functions (membership, payment, shipping, etc.).
Optional information is collected only for added features (marketing consent, events, etc.). Service access is not restricted if optional data is not provided.
The Service is not provided to children (KR < 14 yrs / non‑KR < 16 yrs). If the Company becomes aware that a child’s personal information has been collected, it will delete the data immediately and close the account. Please report any concerns via the contact in Article 10.
1. Items processed without Member consent
Service area
Time of processing
Legal basis
Items
Retention / use*
Purchase / Payment / Shipping
When a paid service is used
PIPA § 15(1) 4 (contract performance)
Name, email address, mobile number, shipping address, payment‑approval data
3 months after account deletion or 5 yrs under e‑Commerce Act § 6 (transaction records)
Settlement & Refunds
When settlement/refund is processed
e‑Commerce Act § 6(1); Tax Basic Act § 85‑3
Bank account information, ID copy, refund payee information, settlement details
5 yrs
Logs & Security (fraud prevention, system access)
When the Service is accessed/used
PIPA § 15(1) 3 (legal duty); Communications Secrets Act § 15‑2
IP address, access time, device ID, usage logs
3 months
Tax / Accounting
When revenue is paid or taxes filed
Tax Basic Act § 85‑3
Transaction amounts, tax invoices, cash‑receipt information
5 yrs
2. Items processed with Member consent
Type
Time collected
Items
Retention
Required
Sign‑up
Email address, SNS data, user identifier, mobile number, country, encrypted CI & DI
1 month after deletion
Required
Wallet top‑up / Payment / Settlement / Refund
User ID, mobile number, bank account, wallet balance, ID copy, transaction history, payment information
5 yrs¹²
Required
Returns / Reshipment
Email address, mobile number, shipping address, tax ID
5 yrs
Required
Service use
IP address, device ID, OS/browser, access logs, cookies, fraud‑detection indicators
1 yr
Required
Enquiry submission
Email address, user ID, mobile number
3 yrs after resolution
Optional
Marketing‑consent request
Email address, push token
Until withdrawal/deletion
Optional
Event participation
Only the items explicitly announced in the event notice (e.g., name, contact, shipping address, SNS info)
Until withdrawal or 3 months after event end
Only the fields announced on each event’s participation page are collected/used.
¹ e‑Commerce Act § 6 (Retention of transaction records)
² Tax Basic Act § 85‑3 (Tax evidence retention)
3. Longer statutory periods (override default periods above)
e‑Commerce Act § 6: 5 yrs (payments & supply), 3 yrs (consumer dispute records)
Electronic Financial Transactions Act § 22(2): 5 yrs (electronic financial transaction records)
Communications Secrets Act § 15‑2: 3 months (logs, tracing data)
Tax Basic Act § 85‑3: 5 yrs (tax evidence)

Article 3 — Provision to Third Parties

1.
The Company shall not provide any personal information to third parties unless a member has given explicit consent or there is a legal basis for such provision. The Company does not sell, rent, or exchange personal information.
2.
As of April 21, 2025, the Company does not provide members’ personal information to any third party, whether on a regular or ad‑hoc basis.
3.
In the following exceptional cases, only the minimum necessary personal information may be provided to third parties:
When requested by investigative agencies, courts, prosecutors, or other public authorities under applicable laws (e.g., the Criminal Procedure Act or the Customs Act).
When a member has separately consented to participate in a specific partner service or event.
When disclosure is necessary to protect life, property, or public health from a grave threat (PIPA §18(2)).
4.
In such cases, unless a statutory exception applies, the Company will notify members in advance of the recipient, purpose, items to be provided, and retention period, and will obtain the member’s separate consent.
5.
Current List of Third‑Party Disclosures
Recipient
Purpose
Items Handled
Retention Period
(None at present)
If any new third‑party disclosures occur, the Company will update this Privacy Policy and provide notice in advance—or, in urgent situations, without undue delay thereafter.

Article 4 — Entrustment of Personal Information Processing

1.
The Company entrusts the processing of personal information—such as service provision, customer support, and payment processing—to specialized processors in accordance with Article 26 of the Personal Information Protection Act (PIPA).
2.
Contracts with processors stipulate:
prohibition of any processing beyond the agreed purpose;
required technical and administrative safeguards;
management, supervision, and liability for damages by processors and any sub‑processors.
The Company regularly audits processors’ compliance with these requirements.
3.
The Company shall promptly notify members via this Privacy Policy of any changes to processors, the scope of processing, or processing purposes.
4.
If a longer statutory retention period applies, that period shall prevail. Once it expires, personal information shall be promptly destroyed. Upon termination of the entrustment contract, processors shall immediately destroy or return all personal information.
5.
Domestic processors (overseas processors are listed in Article 5):
Processor
Task
Items Handled
Retention Period / Use
Amazon Web Services, Inc.
Infrastructure hosting / backup
Encrypted service data (logs & database)
Until account deletion or end of contract
Eximbay Co., Ltd.
Payment‑gateway (PG)
Card BIN, transaction log, IP address, payer ID
5 yrs (e‑Commerce Act)
AB180 Co., Ltd.
Usage‑log & behavioural analytics
Service logs, device data, cookies
Until deletion or end of contract
Korea Post; Brinko Co., Ltd.; Pasto Co., Ltd.
Domestic & international shipping
Name, mobile number, address (tax ID if required)
3 months after delivery
Channel Corporation Co., Ltd.
Customer support (CS)
Name, email, enquiry text & logs
Until deletion or end of contract
Flare Labs Co., Ltd.
Information & advertising message delivery
Email, mobile number
Until deletion or end of contract
Toss Payments
Payment & payout agency
Name, bank account information, payment/refund history
5 yrs (e‑Commerce Act)
NHN Cloud Corp.
SMS transmission
Mobile number
Until deletion or end of contract
Moin Inc.
Overseas settlement processing
Name, bank account information, settlement amount
5 yrs (Tax Basic Act)
PIPA Article 26 (entrustment to processors)
“e‑Commerce Act” = Electronic Commerce Consumer Protection Act
“Tax Basic Act” = Framework Act on National Taxes

Article 5 — Overseas Transfer of Personal Information

The Company transfers personal information overseas (through consignment) as follows to operate its global infrastructure and provide payment/analytics services. Members have the right to refuse such transfers; however, refusal may limit access to payment or log‑analysis features. Should the status of any transfer change, the Company will promptly notify members via this Policy. To refuse an overseas transfer, submit a “Refuse overseas transfer” request via [My Page → Delete Account] or by emailing hello@infludeo.com.
Transferee (Contact)
Country
Timing / Method of Transfer
Purpose
Items Transferred
Retention
Legal Basis*
PayPal Pte. Ltd (privacyofficer@paypal.com)
USA
Encrypted API transmission at payment
Overseas payment processing
Name, e‑mail, address, country, phone
10 years from payment
PIPA Article 28‑8 (1) 3(a) — outsourcing/overseas storage for contract performance
Amplitude Inc (privacy@amplitude.com)
USA
TLS‑encrypted transfer of usage logs
Analysis of usage logs & service improvement
Service usage logs, device identifier
Until user withdrawal or contract termination
PIPA Article 28‑8 (1) 3(a) — outsourcing/overseas storage for contract performance
Vercel Inc (privacy@vercel.com)
USA
Encrypted transmission via CDN upon service request
Operation of web‑application deployment infrastructure
IP address, cookie/session ID, error logs
Until user withdrawal or contract termination
PIPA Article 28‑8 (1) 3(a) — outsourcing/overseas storage for contract performance
Stripe, Inc.(privacy@stripe.com)
USA
Encrypted API transmission at payment
Overseas payment processing
Name, e‑mail, address, country, phone
10 years from payment
PIPA Article 28‑8 (1) 3(a) — outsourcing/overseas storage for contract performance
* “Personal Information Protection Act” Article 28‑8 (1) 3(a) (outsourcing/overseas storage necessary for contract performance)

Article 6 — Destruction of Personal Information

1.
The Company securely destroys personal information collected when the purpose of its collection and use has been achieved or upon a member’s withdrawal (30 days after a withdrawal request or upon forced withdrawal). In accordance with applicable laws, the Company retains personal information for the following periods before securely destroying it:
For the prevention of fraudulent activity, personal information submitted at the time of service registration is retained for one (1) month following service withdrawal.
The Company retains certain information as required by relevant laws.
2.
Personal information stored in electronic form is deleted irreversibly, and personal information stored in printed or other physical form is destroyed by shredding or incineration.
3.
The Company separately retains the personal information of accounts that have requested withdrawal with the user’s consent. Such information is retained for one (1) month and then destroyed upon final completion of the withdrawal process.

Article 7 — Rights of Data Subjects

1.
Members may view or modify their personal information by logging in to the service and accessing the “My Info” section under My Page. However, the ID generated at the time of registration cannot be changed.
2.
Members may exercise their rights regarding personal information, subject to the limitations and requirements prescribed by applicable laws. For example, under domestic law, members may request the suspension of processing, the deletion of personal information, or the withdrawal of consent to its collection and use.
3.
If provided information contains errors, members may request its correction. However, if at the time of the correction request it is determined that no inaccuracy existed before or after the correction and that the request was made by the member to commit fraudulent acts, the Company may cancel the correction request and immediately inform the member of the reasons.
4.
Data subjects may exercise the rights set forth in this Article by contacting hello@infludeo.com.

Article 8 — Operation and Management of Automatic Collection Devices and Right to Refuse Installation/Operation

The Company uses cookies to store usage information and retrieve it as needed to provide individualized services. For details, please refer to our Cookie Policy.
1.
Definitions of Cookies, SDKs, and Other Automatic Collection Devices
a.
Cookie: A small text file that a website’s server stores on the member’s PC or mobile browser.
b.
SDK, Pixel Tags, etc.: Technologies embedded in a mobile app or web page to automatically collect device information.
c.
The Company employs both third‑party analytics and marketing tools (e.g., Google Analytics, Amplitude, Meta Pixel) and its own cookies in parallel.
2.
Collected Items and Purpose of Use
Classification
Main Collected Items
Purpose of Use (Examples)
Retention and Usage Period*
Required Cookies
Session ID, login token, shopping cart ID
Maintain login state, process orders, identify customer service requests
Until browser session ends
Functional Cookies
Language and display settings, recent searches
Personalize UI, improve accessibility
12 months
Analytics Cookies (Third‑Party)
Visited URLs, browser/OS, device ID, click/scroll history
Improve service quality, analyze traffic and errors
14 months (Google Analytics default)
Marketing/Targeted Advertising Cookies (Third‑Party)
Advertising ID, referral path, conversion data
Deliver tailored ads, measure ad performance
12 months
Cookie expiration may be shortened or extended according to the policies of the tool provider or the Company’s internal policy.
3.
Collection and Use of Behavioral Information & Right to Opt‑Out
a.
In accordance with the “Online Tailored Advertising Guidelines,” the Company collects only the minimum necessary behavioral information and does not collect or use any sensitive data (e.g., race, health, religion).
b.
Members may refuse tailored advertising and analytics cookies at any time via the methods described in the [Cookie Policy], including installing the Google Analytics Opt‑out Add‑on, adjusting Meta Ads settings, or changing browser settings (blocking or deleting all cookies). Please note that blocking required cookies may limit access to core functions such as payment and login.
4.
How to Block Cookies/SDK (Major Browsers)
Chrome: Settings ► “Privacy and security” ► Cookies and other site data
Safari (iOS): Settings ► Safari ► “Block All Cookies”
Android App: Settings ► Google Advertising ID ► Disable ad personalization
For other browsers and operating systems, please see the detailed instructions in the [Cookie Policy].
5.
Inquiries and Exercise of Rights Complaints or requests for remediation related to cookie refusal may be directed to the Chief Privacy Officer (Article 10) or to hello@infludeo.com. We will respond and take action within seven (7) business days.

Article 9 — Technical and Managerial Measures for the Protection of Personal Information

The Company may take reasonable security measures to prevent the loss, theft, leakage, alteration, or damage of personal information when processing it. To this end, the Company may implement the following technical and managerial safeguards:
1.
In principle, members’ personal information is protected by passwords and encryption. Nevertheless, if a member accesses the Internet from a public location or by other means, there remains a significant risk that their password or personal information may be disclosed to third parties. Therefore, it is crucial that members take every precaution to safeguard their own personal information. Members are responsible for managing their personal information and preventing its disclosure or provision to others. The Company shall not be liable for any issues arising from a member’s negligence or from the inherent risks of Internet use.
2.
Members’ personal information is secured through passwords and encryption. Files and data in transit are encrypted, and sensitive data is further protected by dedicated security features.
3.
To guard against damage from computer viruses, the Company utilizes antivirus software and updates it on a regular basis.
4.
To prevent the leakage or compromise of members’ personal information due to hacking, computer viruses, or other security breaches, the Company operates an intrusion prevention system 24 hours a day.
The Company recognizes the importance of personal information protection and restricts the number of employees with access to personal information to the absolute minimum necessary. The Chief Privacy Officer (CPO) provides regular education and training to employees to ensure the safeguarding of members’ personal information. In addition, the Company conducts periodic audits to verify that relevant personnel comply with this Privacy Policy, and, if any violations are discovered, directs the responsible employee to correct the issue and takes other appropriate measures.

Article 10 — Personal Information Protection Officer

1.
The Company has appointed the following Personal Information Protection Officer, and the department responsible for processing personal information is committed to doing its utmost to safeguard customers’ valuable personal information.
2.
If you have any inquiries, opinions, or complaints regarding the handling of personal information, please contact us by email or telephone at the contact information below. The Company will make every effort to respond promptly and diligently.
3.
In order to handle complaints and provide remedies related to personal information processing, the Company has designated the following Personal Information Protection Officer:
Name: Jayden CHOI
Position: Chief Privacy Officer
4.
Data subjects may direct any requests for damage relief, complaint handling, or other issues arising from their use of the Company’s services to the Chief Privacy Officer or the relevant department. The Company will respond and take appropriate action.

Article 11 — Remedies

For Korean users, you may contact: KISA (privacy.kisa.or.kr, 118), Personal Information Dispute Mediation Committee (kopico.go.kr, 1833‑6972), Supreme Prosecutors’ Office Cybercrime (spo.go.kr, 1303), or National Police Agency Cyber Bureau (cyber.go.kr, 182).
English Name
Korean Name
URL
Phone
Korea Internet & Security Agency (KISA)
한국인터넷진흥원
1433‑25
Personal Information Infringement Reporting Center
개인정보침해신고센터
118
Personal Information Dispute Mediation Committee
개인정보분쟁조정위원회
1833‑6972
Supreme Prosecutors’ Office Cyber Crime Investigation Team
대검찰청 사이버범죄수사단
1303
National Police Agency Cyber Terror Response Center
경찰청 사이버안전국
182

Article 12 — Policy Changes

This Privacy Policy is effective as of April 28, 2025. We will announce any amendments to this Policy in advance on our website. For material changes that may significantly affect members’ rights or obligations, notice will be provided at least 30 days prior to the effective date.
Previous versions are archived [link].