Effective April 28, 2025
This Privacy Policy (“Policy”) applies to every website (“Site”), mobile application (“App”) and related online service (collectively, the “Service”) that Infludeo Inc. (“Company”) operates or provides, and to every person worldwide who uses them (“Member”). The Company complies with the Personal Information Protection Act of Korea, the Network Act, the EU GDPR, the U.S. CCPA and all other applicable domestic and foreign privacy laws, and strives to protect Members’ personal information safely and transparently.
This Policy describes:
•
the categories of personal information we collect and the purposes of use;
•
our retention periods and destruction procedures;
•
when we share information with third parties or entrust it to processors;
•
cross‑border transfers;
•
Members’ rights and how to exercise them; and
•
the technical and organisational measures we take to safeguard data.
The Policy may change when we launch new services, or when laws and internal rules change, so please review it periodically. If a material change is made, we will give at least 30 days’ prior notice on the Site or by e‑mail.
Article 1 — Purposes of Processing Personal Information
Category | Specific purposes |
1. Sign‑up & Identity Verification | Issuing/Managing Member IDs; confirming intent to join/leave; age verification; verifying legal‑guardian consent; preventing duplicate or fraudulent sign‑ups |
2. Transaction Management (Purchase/Sale/Settlement) | Ordering & paying for goods (photocards, etc.); Wallet top‑ups; paying sales proceeds; overseas remittances; issuing tax invoices & customs declarations; shipping/returns/reshipment |
3. Customer Support & Dispute Resolution | Handling enquiries & complaints; reviewing refund requests; mediation, litigation & evidence retention; service‑failure response |
4. Service Operation & Security | System development, maintenance & monitoring; detecting fraud & account theft; access‑control; statutory compliance (e.g. AML) |
5. Service Improvement & New Service Development | Analysing usage patterns & statistics; AI‑based recommendations & content creation; UI/UX improvement; testing & QA |
6. Marketing / Promotions (opt‑in) | E‑mail or push notices about events, coupons, new features; personalised ads & benefits; measuring ad effectiveness |
7. Legal Obligations | Accounting & tax; compliance with e‑commerce, customs & consumer‑protection laws; cooperation in fraud/illegal‑activity investigations |
We do not collect sensitive information (e.g., race, ideology, health).
The Service is not directed to children (under 14 in Korea, under 16 elsewhere). If we learn we have collected such data, we delete it and close the account.
Article 2 — Items of Personal Information
The Company observes the retention/use periods set out below. Where another law (e‑Commerce Act, Tax Basic Act, etc.) prescribes a longer statutory period, that period prevails (see section 3).
•
Required information is indispensable for core functions (membership, payment, shipping, etc.).
•
Optional information is collected only for added features (marketing consent, events, etc.). Service access is not restricted if optional data is not provided.
•
The Service is not provided to children (KR < 14 yrs / non‑KR < 16 yrs). If the Company becomes aware that a child’s personal information has been collected, it will delete the data immediately and close the account. Please report any concerns via the contact in Article 10.
1. Items processed without Member consent
Service area | Time of processing | Legal basis | Items | Retention / use* |
Purchase / Payment / Shipping | When a paid service is used | PIPA § 15(1) 4 (contract performance) | Name, email address, mobile number, shipping address, payment‑approval data | 3 months after account deletion or 5 yrs under e‑Commerce Act § 6 (transaction records) |
Settlement & Refunds | When settlement/refund is processed | e‑Commerce Act § 6(1); Tax Basic Act § 85‑3 | Bank account information, ID copy, refund payee information, settlement details | 5 yrs |
Logs & Security (fraud prevention, system access) | When the Service is accessed/used | PIPA § 15(1) 3 (legal duty); Communications Secrets Act § 15‑2 | IP address, access time, device ID, usage logs | 3 months |
Tax / Accounting | When revenue is paid or taxes filed | Tax Basic Act § 85‑3 | Transaction amounts, tax invoices, cash‑receipt information | 5 yrs |
2. Items processed with Member consent
Type | Time collected | Items | Retention |
Required | Sign‑up | Email address, SNS data, user identifier, mobile number, country, encrypted CI & DI | 1 month after deletion |
Required | Wallet top‑up / Payment / Settlement / Refund | User ID, mobile number, bank account, wallet balance, ID copy, transaction history, payment information | 5 yrs¹² |
Required | Returns / Reshipment | Email address, mobile number, shipping address, tax ID | 5 yrs |
Required | Service use | IP address, device ID, OS/browser, access logs, cookies, fraud‑detection indicators | 1 yr |
Required | Enquiry submission | Email address, user ID, mobile number | 3 yrs after resolution |
Optional | Marketing‑consent request | Email address, push token | Until withdrawal/deletion |
Optional | Event participation | Only the items explicitly announced in the event notice (e.g., name, contact, shipping address, SNS info) | Until withdrawal or 3 months after event end |
•
Only the fields announced on each event’s participation page are collected/used.
¹ e‑Commerce Act § 6 (Retention of transaction records)
² Tax Basic Act § 85‑3 (Tax evidence retention)
3. Longer statutory periods (override default periods above)
•
e‑Commerce Act § 6: 5 yrs (payments & supply), 3 yrs (consumer dispute records)
•
Electronic Financial Transactions Act § 22(2): 5 yrs (electronic financial transaction records)
•
Communications Secrets Act § 15‑2: 3 months (logs, tracing data)
•
Tax Basic Act § 85‑3: 5 yrs (tax evidence)
Article 3 — Provision to Third Parties
1.
The Company shall not provide any personal information to third parties unless a member has given explicit consent or there is a legal basis for such provision. The Company does not sell, rent, or exchange personal information.
2.
As of April 21, 2025, the Company does not provide members’ personal information to any third party, whether on a regular or ad‑hoc basis.
3.
In the following exceptional cases, only the minimum necessary personal information may be provided to third parties:
•
When requested by investigative agencies, courts, prosecutors, or other public authorities under applicable laws (e.g., the Criminal Procedure Act or the Customs Act).
•
When a member has separately consented to participate in a specific partner service or event.
•
When disclosure is necessary to protect life, property, or public health from a grave threat (PIPA §18(2)).
4.
In such cases, unless a statutory exception applies, the Company will notify members in advance of the recipient, purpose, items to be provided, and retention period, and will obtain the member’s separate consent.
5.
Current List of Third‑Party Disclosures
Recipient | Purpose | Items Handled | Retention Period |
(None at present) | – | – | – |
If any new third‑party disclosures occur, the Company will update this Privacy Policy and provide notice in advance—or, in urgent situations, without undue delay thereafter.
Article 4 — Entrustment of Personal Information Processing
1.
The Company entrusts the processing of personal information—such as service provision, customer support, and payment processing—to specialized processors in accordance with Article 26 of the Personal Information Protection Act (PIPA).
2.
Contracts with processors stipulate:
•
prohibition of any processing beyond the agreed purpose;
•
required technical and administrative safeguards;
•
management, supervision, and liability for damages by processors and any sub‑processors.
The Company regularly audits processors’ compliance with these requirements.
3.
The Company shall promptly notify members via this Privacy Policy of any changes to processors, the scope of processing, or processing purposes.
4.
If a longer statutory retention period applies, that period shall prevail. Once it expires, personal information shall be promptly destroyed. Upon termination of the entrustment contract, processors shall immediately destroy or return all personal information.
5.
Domestic processors (overseas processors are listed in Article 5):
Processor | Task | Items Handled | Retention Period / Use |
Amazon Web Services, Inc. | Infrastructure hosting / backup | Encrypted service data (logs & database) | Until account deletion or end of contract |
Eximbay Co., Ltd. | Payment‑gateway (PG) | Card BIN, transaction log, IP address, payer ID | 5 yrs (e‑Commerce Act) |
AB180 Co., Ltd. | Usage‑log & behavioural analytics | Service logs, device data, cookies | Until deletion or end of contract |
Korea Post; Brinko Co., Ltd.; Pasto Co., Ltd. | Domestic & international shipping | Name, mobile number, address (tax ID if required) | 3 months after delivery |
Channel Corporation Co., Ltd. | Customer support (CS) | Name, email, enquiry text & logs | Until deletion or end of contract |
Flare Labs Co., Ltd. | Information & advertising message delivery | Email, mobile number | Until deletion or end of contract |
Toss Payments | Payment & payout agency | Name, bank account information, payment/refund history | 5 yrs (e‑Commerce Act) |
NHN Cloud Corp. | SMS transmission | Mobile number | Until deletion or end of contract |
Moin Inc. | Overseas settlement processing | Name, bank account information, settlement amount | 5 yrs (Tax Basic Act) |
•
PIPA Article 26 (entrustment to processors)
•
“e‑Commerce Act” = Electronic Commerce Consumer Protection Act
•
“Tax Basic Act” = Framework Act on National Taxes
Article 5 — Overseas Transfer of Personal Information
The Company transfers personal information overseas (through consignment) as follows to operate its global infrastructure and provide payment/analytics services. Members have the right to refuse such transfers; however, refusal may limit access to payment or log‑analysis features. Should the status of any transfer change, the Company will promptly notify members via this Policy. To refuse an overseas transfer, submit a “Refuse overseas transfer” request via [My Page → Delete Account] or by emailing hello@infludeo.com.
Transferee (Contact) | Country | Timing / Method of Transfer | Purpose | Items Transferred | Retention | Legal Basis* |
PayPal Pte. Ltd
(privacyofficer@paypal.com) | USA | Encrypted API transmission at payment | Overseas payment processing | Name, e‑mail, address, country, phone | 10 years from payment | PIPA Article 28‑8 (1) 3(a) — outsourcing/overseas storage for contract performance |
Amplitude Inc
(privacy@amplitude.com) | USA | TLS‑encrypted transfer of usage logs | Analysis of usage logs & service improvement | Service usage logs, device identifier | Until user withdrawal or contract termination | PIPA Article 28‑8 (1) 3(a) — outsourcing/overseas storage for contract performance |
Vercel Inc
(privacy@vercel.com) | USA | Encrypted transmission via CDN upon service request | Operation of web‑application deployment infrastructure | IP address, cookie/session ID, error logs | Until user withdrawal or contract termination | PIPA Article 28‑8 (1) 3(a) — outsourcing/overseas storage for contract performance |
Stripe, Inc.(privacy@stripe.com) | USA | Encrypted API transmission at payment | Overseas payment processing | Name, e‑mail, address, country, phone | 10 years from payment | PIPA Article 28‑8 (1) 3(a) — outsourcing/overseas storage for contract performance |
* “Personal Information Protection Act” Article 28‑8 (1) 3(a) (outsourcing/overseas storage necessary for contract performance)
Article 6 — Destruction of Personal Information
1.
The Company securely destroys personal information collected when the purpose of its collection and use has been achieved or upon a member’s withdrawal (30 days after a withdrawal request or upon forced withdrawal). In accordance with applicable laws, the Company retains personal information for the following periods before securely destroying it:
•
For the prevention of fraudulent activity, personal information submitted at the time of service registration is retained for one (1) month following service withdrawal.
•
The Company retains certain information as required by relevant laws.
2.
Personal information stored in electronic form is deleted irreversibly, and personal information stored in printed or other physical form is destroyed by shredding or incineration.
3.
The Company separately retains the personal information of accounts that have requested withdrawal with the user’s consent. Such information is retained for one (1) month and then destroyed upon final completion of the withdrawal process.
Article 7 — Rights of Data Subjects
1.
Members may view or modify their personal information by logging in to the service and accessing the “My Info” section under My Page. However, the ID generated at the time of registration cannot be changed.
2.
Members may exercise their rights regarding personal information, subject to the limitations and requirements prescribed by applicable laws. For example, under domestic law, members may request the suspension of processing, the deletion of personal information, or the withdrawal of consent to its collection and use.
3.
If provided information contains errors, members may request its correction. However, if at the time of the correction request it is determined that no inaccuracy existed before or after the correction and that the request was made by the member to commit fraudulent acts, the Company may cancel the correction request and immediately inform the member of the reasons.
4.
Data subjects may exercise the rights set forth in this Article by contacting hello@infludeo.com.
Article 8 — Operation and Management of Automatic Collection Devices and Right to Refuse Installation/Operation
The Company uses cookies to store usage information and retrieve it as needed to provide individualized services. For details, please refer to our Cookie Policy.
1.
Definitions of Cookies, SDKs, and Other Automatic Collection Devices
a.
Cookie: A small text file that a website’s server stores on the member’s PC or mobile browser.
b.
SDK, Pixel Tags, etc.: Technologies embedded in a mobile app or web page to automatically collect device information.
c.
The Company employs both third‑party analytics and marketing tools (e.g., Google Analytics, Amplitude, Meta Pixel) and its own cookies in parallel.
2.
Collected Items and Purpose of Use
Classification | Main Collected Items | Purpose of Use (Examples) | Retention and Usage Period* |
Required Cookies | Session ID, login token, shopping cart ID | Maintain login state, process orders, identify customer service requests | Until browser session ends |
Functional Cookies | Language and display settings, recent searches | Personalize UI, improve accessibility | 12 months |
Analytics Cookies (Third‑Party) | Visited URLs, browser/OS, device ID, click/scroll history | Improve service quality, analyze traffic and errors | 14 months (Google Analytics default) |
Marketing/Targeted Advertising Cookies (Third‑Party) | Advertising ID, referral path, conversion data | Deliver tailored ads, measure ad performance | 12 months |
•
Cookie expiration may be shortened or extended according to the policies of the tool provider or the Company’s internal policy.
3.
Collection and Use of Behavioral Information & Right to Opt‑Out
a.
In accordance with the “Online Tailored Advertising Guidelines,” the Company collects only the minimum necessary behavioral information and does not collect or use any sensitive data (e.g., race, health, religion).
b.
Members may refuse tailored advertising and analytics cookies at any time via the methods described in the [Cookie Policy], including installing the Google Analytics Opt‑out Add‑on, adjusting Meta Ads settings, or changing browser settings (blocking or deleting all cookies). Please note that blocking required cookies may limit access to core functions such as payment and login.
4.
How to Block Cookies/SDK (Major Browsers)
•
Chrome: Settings ► “Privacy and security” ► Cookies and other site data
•
Safari (iOS): Settings ► Safari ► “Block All Cookies”
•
Android App: Settings ► Google Advertising ID ► Disable ad personalization
For other browsers and operating systems, please see the detailed instructions in the [Cookie Policy].
5.
Inquiries and Exercise of Rights
Complaints or requests for remediation related to cookie refusal may be directed to the Chief Privacy Officer (Article 10) or to hello@infludeo.com. We will respond and take action within seven (7) business days.
Article 9 — Technical and Managerial Measures for the Protection of Personal Information
The Company may take reasonable security measures to prevent the loss, theft, leakage, alteration, or damage of personal information when processing it. To this end, the Company may implement the following technical and managerial safeguards:
1.
In principle, members’ personal information is protected by passwords and encryption. Nevertheless, if a member accesses the Internet from a public location or by other means, there remains a significant risk that their password or personal information may be disclosed to third parties. Therefore, it is crucial that members take every precaution to safeguard their own personal information. Members are responsible for managing their personal information and preventing its disclosure or provision to others. The Company shall not be liable for any issues arising from a member’s negligence or from the inherent risks of Internet use.
2.
Members’ personal information is secured through passwords and encryption. Files and data in transit are encrypted, and sensitive data is further protected by dedicated security features.
3.
To guard against damage from computer viruses, the Company utilizes antivirus software and updates it on a regular basis.
4.
To prevent the leakage or compromise of members’ personal information due to hacking, computer viruses, or other security breaches, the Company operates an intrusion prevention system 24 hours a day.
The Company recognizes the importance of personal information protection and restricts the number of employees with access to personal information to the absolute minimum necessary. The Chief Privacy Officer (CPO) provides regular education and training to employees to ensure the safeguarding of members’ personal information. In addition, the Company conducts periodic audits to verify that relevant personnel comply with this Privacy Policy, and, if any violations are discovered, directs the responsible employee to correct the issue and takes other appropriate measures.
Article 10 — Personal Information Protection Officer
1.
The Company has appointed the following Personal Information Protection Officer, and the department responsible for processing personal information is committed to doing its utmost to safeguard customers’ valuable personal information.
2.
If you have any inquiries, opinions, or complaints regarding the handling of personal information, please contact us by email or telephone at the contact information below. The Company will make every effort to respond promptly and diligently.
3.
In order to handle complaints and provide remedies related to personal information processing, the Company has designated the following Personal Information Protection Officer:
•
Name: Jayden CHOI
•
Position: Chief Privacy Officer
•
4.
Data subjects may direct any requests for damage relief, complaint handling, or other issues arising from their use of the Company’s services to the Chief Privacy Officer or the relevant department. The Company will respond and take appropriate action.
Article 11 — Remedies
For Korean users, you may contact: KISA (privacy.kisa.or.kr, 118), Personal Information Dispute Mediation Committee (kopico.go.kr, 1833‑6972), Supreme Prosecutors’ Office Cybercrime (spo.go.kr, 1303), or National Police Agency Cyber Bureau (cyber.go.kr, 182).
English Name | Korean Name | URL | Phone |
Korea Internet & Security Agency (KISA) | 한국인터넷진흥원 | 1433‑25 | |
Personal Information Infringement Reporting Center | 개인정보침해신고센터 | 118 | |
Personal Information Dispute Mediation Committee | 개인정보분쟁조정위원회 | 1833‑6972 | |
Supreme Prosecutors’ Office Cyber Crime Investigation Team | 대검찰청 사이버범죄수사단 | 1303 | |
National Police Agency Cyber Terror Response Center | 경찰청 사이버안전국 | 182 |
Article 12 — Policy Changes
This Privacy Policy is effective as of April 28, 2025. We will announce any amendments to this Policy in advance on our website. For material changes that may significantly affect members’ rights or obligations, notice will be provided at least 30 days prior to the effective date.