Privacy Policy
General Data Protection Policy
This Privacy Policy explains how Yupoong, Inc (http://design.yupoong.com, “the Company”) processes the personal data of its users, including without limitation, the options that a user selects for the collection, use and disclosure of certain of his or her information.
For the purpose
of data protection of its users, the Company records processing activities
(Article 30 of GDPR), designates a Data Protection Officer (DPO) to operate its
business in accordance with GDPR (Article 37), and trains its employees for
data protection (Article 39).
The Company formulates a legal framework to process personal data (Article 6) and has the explicit consent to the data processing from a data subject (Article 7).
Additionally, in
case of overseas transfer of the data, the Company concludes a contract under
Standard Contractual Clauses adopted by a supervisory authority and approved by
the Commission (Article 46.2 (c)), and has the explicit consent of a data
subject (Article 49).
The Company
allows a data subject to exercise his or her rights guaranteed by GDPR as
follows: the right to receipt of his or her data (Articles 13 and 14), the
right of access (Article 15), the right to rectification (Article 16), the
right to erasure (Article 17), the right to restriction of processing (Article
18), the right to data portability (Article 20), the right to object (Article
21) and the right regarding automated individual decision-making including
profiling (Article 22).
The Company is in
compliance with the obligations of data protection by design and by default
(Article 25) and implements technical and organizational measures reasonably
necessary to prevent the data from leakage and breach (Article 32). It notifies
a personal data breach to the supervisory authority within 72 hours after
having become aware of it (Article 33) and communicates a personal data breach
to a data subject without undue delay if the personal data breach is likely to
result in a high risk to the rights and freedoms of natural persons (Article
34).
About Privacy Notice
The Company notifies a data subject of the Privacy Notice within a reasonable period, not later than one month, in order to explain the methods and procedures of processing his or her data, including certain of his or her data, if it collects such personal data from the data subject or any third party discloses such personal data (Articles 12, 13, and 14).
The Company
notifies its users of this Privacy Notice as follows:
Contacting Us
If the user has
general questions about his/her account or how to contact customer service for
assistance, has questions specifically about this Privacy Policy, or use of his/her
personal information, cookies or similar technologies, the user contacts our
Data Protection Officer, In-ho Bae, Vice President, by email at flexfit_md@yupoong.co.kr.
The data controller of personal information is the Company. If the user contacts us for assistance, for the safety of users and our own safety, the Company may need to authenticate the identity of the user before fulfilling the request.
Collection of Information
The Company collects
and retains information about users such as:
• Information collected automatically
by the Company:
- Records of service
use and access, information on access IP, device identification number, OS
information (country, language), etc.
- Log information
such as IP address, log data, use time, search words input by users, internet
protocol address, cookies and web beacons, etc.
Method of collection
The Company collects
the information of the users in the following manner (Under GDPR 6(1)(a)):
• Collection through
websites with the prior consent of the users
Use of Information
The Company uses
information to provide, analyze, administer, enhance and personalize services
and marketing efforts, and to communicate with users on these and other topics.
For example, the Company uses information:
• To detect and deter unauthorized
or fraudulent use of or abuse of the services
• To improve the
existing services and develop new services
• To use the users’
information with their prior consent; or
• To comply with
applicable law or legal obligations
Disclosure of Information
• Service Providers: The Company uses other companies, agents or contractors (hereinafter referred to as "Service Providers") to perform a range of services on our behalf or to assist the Company with the provision of better services to users. The Company only provides them with the information they need for entrusted tasks, and we use our best efforts to ensure that user’s information is used only for the entrusted purpose and kept secure by supervising their safe processing thereof. Below are the Service Providers we rely on and their entrusted tasks as of August of 2024:
Service Provider | Entrusted Task | Storage and Use Period of User’s Information |
 | Infrastructure and IT operation services | As long as a user's access to the website continues to be desired and allowed and a corresponding agreement with each entrusted party is effective |
 | Log information analysis | |
• Partners: Users may
have a contractual relationship with one or more of our Company’s Partners, in
which case the Company may share certain information with them in order to
coordinate with them on providing the service to users and providing
information about the availability of the service.
• Promotional offers:
The Company may offer joint promotions or programs that, in order for user
participation, will require the Company to share user’s personal information
with third parties. In fulfilling these types of promotions, the Company may
share user’s personal information in connection with fulfilling the incentive.
In addition, these third parties are also responsible for their own privacy
policies.
• Protection of the
Company and others: The Company and its Service Providers may disclose and
otherwise use user’s personal and other information where the Company or its
Service Providers reasonably believe such disclosure is needed to (a) satisfy
any applicable law, regulation, legal process, or governmental request, (b)
enforce applicable terms of use, including investigation of potential
violations thereof, (c) detect, prevent, or otherwise address illegal or
suspected illegal activities, security or technical issues, or (d) protect
against harm to the rights, property or safety of the Company, its users or the
public, as required or permitted by law.
• Business transfers: In
connection with any reorganization, restructuring, merger or sale, or other
transfer of assets, the Company will transfer information, including personal information,
provided that the receiving party agrees to respect user’s personal information
in a manner that is consistent with this Privacy Policy.
Whenever in the
course of sharing information, the Company transfers personal information to
countries outside of the European Economic Area and other regions with
comprehensive data protection laws, the Company will ensure that the
information is transferred in accordance with this Privacy Policy and as
permitted by the applicable laws on data protection.
Personal information
transferred may be saved electronically on servers operated by the Company’s
Service Providers for record keeping purposes and other purposes as set out in
this Privacy Policy.
Need to disclose Personal Information
The personal information provided by users is required for the service use contract between a user and the Company so that the Company can provide the users with great services. Users may be restricted from using the Company’s services unless they give consent to the collection of required personal information. If they refuse to give consent to the collection of optional information, they can still use the Company’s services, except the services which require consent to the collection of such optional information.
Overseas Transfer of Information
The Company can
disclose users’ personal information to the companies located outside of the EU
for any purpose specified in this Privacy Policy. The Company takes reasonable
measures for the companies where personal information is transmitted, retained
or processed in order to protect such information. The Company discloses the
users’ personal information in accordance with the documents including standard
clauses of personal data protection approved or adopted by the recipient of
personal data or European Committee (Under GDPR 46).
User’s right
The users or
their legal representatives, as subjects of the information, can exercise the
following rights regarding the collection, use and disclosure of personal
information by the Company:
• the right to access by
the data subject (Under GDPR 15);
• the right to
rectification (Under GDPR 16)
• the right to erasure
(Under GDPR 17)
• the right to
restriction of processing (Under GDPR 18)
• the right to data
portability (Under GDPR 20)
• the right to object
(Under GDPR 21)
• the right regarding
automated individual decision-making, including profiling (Under GDPR 22); and
• the right to request
the withdrawal of prior consent (Under GDPR 7(3))
In order to exercise any of the foregoing rights, the users submit written documents using the Data Subject Form provided by the Company to the Company (or DPO, agent) or contact it by email, and the Company will immediately take action on the request by the data subject. Provided, however, that the Company may refuse such a request if and to the extent there are reasonable grounds prescribed in the law or equivalent thereto.
Upon the request
from a data subject, the Company takes actions as follows:
• To take actions for a
data subject’s request after asking proof of his or her ID (or his or her legal
representative);
• To ask if a subject
requires the information to be provided in writing or whether he or she will
accept it in an electronic form;
• To have a standard
process for the Company to effectively inspect all relevant systems and to
communicate with other departments;
• To notify a data
subject if there is no information that he or she has requested;
• To formulate
reasonable criteria to determine whether to correct or disclose personal information
if the personal information requested by a data subject includes the
information of other individuals; provided however, such information can be
disclosed if the other individuals explicitly give the consent thereto. The
Company should consider the impact of such disclosure and the possible breach
of others’ personal information if no explicit consent is available, in which
case, it should document the justification of such disclosure;
• To take actions in
accordance with the request of a data subject in such a manner as he or she can
understand, including the requirements under Article 15 of GDPR;
• To make no available
the transfer system which can be traceable in case of providing a data subject
with the information he or she has requested. Such information should be
disclosed in a safe electronic means if individually agreed upon with the data
subject; or
• To document the
actions which have been taken for the request of a data subject
Also, the users
or their legal representatives have the right to lodge a complaint with a
supervisory authority (Under GDPR 13(2)(d), GDPR 14(2)(e)).
Security
The Company takes
the security of personal information seriously. It has the following security
measures to prevent the unauthorized access to, or disclosure, use or change of
the personal information (Under GDPR 32).
• Take appropriate security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of data; these include internal reviews of our data collection, storage and processing practices.
• Restrict access to personal information to YUPOONG employees and agents who need to know that information in order to operate, develop or improve the service.
Checklist to Respond to Data Leakage and Breach
It is specified in Articles 33 and 34 of GDPR that in case of a personal data breach, the controller should without undue delay notify the personal data breach to a data subject and a supervisory authority. To this end, the Company responds to personal data leakage and breach before and after the occurrence of an incident in accordance with the following checklist:
• Preparing for a data
breach
- To know how to
recognize a data breach;
- To have
prepared a response plan for addressing any personal data leakage and breach
that occur;
- To have
allocated responsibility for managing breaches to a dedicated person or team;
and
- To train staff to know how to escalate a security incident to the appropriate person or team in its organization to determine whether a breach has occurred
• Response to a data
breach
- To have in
place a process to assess the likely risk to individuals as a result of a
leakage;
- To have a
process to notify the supervisory authority of a breach within 72 hours of
becoming aware of it;
- To have Breach
Notification Form to be submitted to the Supervisory Authority if a data
leakage and breach occur;
- To have a
process to inform an affected data subject about a breach without undue delay;
- To know what
information about a breach the Company must provide to data subjects, and to
provide advice to help them protect themselves from its effects; and
- To document all
breaches
• Process of report and
notification of data leakage
- To contact the
relevant supervisory authority of a breach within 72 hours after having become
aware of it;
- To directly
contact the individuals affected by a breach if it is likely to result in a
high risk to their rights and freedoms; and
- To have Breach
Notification Form to the Supervisory Authority and Breach Notification Form to
the Data Subject
Children
The Company does
not collect any information of the children under 13 or those of minimum age
under law. The Company’s service is not intended for, nor does the Company
believe they are appealing to, children.
Profiling
The Company may
use the users’ personal information to create individual or collective profiles
(hereinafter referred to as “profiling”) for the purpose of identifying how to
provide the users with better services, for example, providing the users with
customized content of services by analyzing what attracts the users most
regarding the Company and the services rendered by the Company, and how the users
use the services. In addition, the Company uses the personal information for
the following purposes: to create user clusters to identify the users’ interest
in the Company’s services; to analyze the market and statistics or; to enhance
the Company’s services (all websites, etc.). It may integrate the data provided
by all its websites and applications with the users’ personal information that
the Company receives. The processing of personal information for profiling is
carried out in line with the guarantees and measures specified in applicable
law (Under GDPR 22).
Retention Policy
For the purpose
of protecting its users’ personal information, the Company complies with the
principle of Data Minimization where the processing of personal information
should be appropriate and limited to the extent solely necessary for the
purposes for which the data are processed (GDPR 5.1.(c)). To this end, the
Company abides by the following retention policy:
• Users’ personal information protected by the Company’s retention policy comprises all personal information processed by the Company;
• Personal information is retained for no longer than is necessary for the purposes for which the personal information is processed. The Company will destroy the personal information one year after the expiry of such period. However, the personal information may
be stored for longer periods insofar as the personal information will be
processed solely for archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes subject to implementation
of the appropriate technical and organizational measures required by this
Regulation in order to safeguard the rights and freedoms of the data subject
(Article 5.1 (e) of GDPR);
• The Company abides by
the methods set forth in the ‘Security’ of this Privacy Policy to delete
physical and digital data;
• The Data Protection Officer designates the strict retention period regarding the storage of users’ personal information and does not retain the data for longer than the period for which the data is required. The Company monitors compliance regarding data retention on a regular basis and deletes the data, if no longer necessary, in a safe manner (Recital Article 39 of GDPR);
• The Company schedules
regular review of stored data to determine whether the information is still
required;
• The Company forthwith
takes the actions set forth in the ‘User’s right’ of this Privacy Policy if a user
exercises his or her right guaranteed by GDPR as a data subject;
• The Company is in
compliance with relevant regulations such as GDPR, etc. in relation to the
retention of users’ personal information;
• The Company makes sure
that all employees are aware of the data retention policy prescribed in this
Privacy Policy and GDPR;
• The Company sets this
Privacy Policy by documenting a GDPR data retention policy. This Privacy Policy
may need to be provided to regulators in the event of an audit or investigation
of a complaint of a user or an employee; and
• This Privacy Policy
may be used as the data proving that the Company complies with the requirements
of GDPR.
Privacy Policy Regarding Company’s Employees
The Company
trains and monitors its staff members including the ones in the HR team who
handle personal information of the Company’s employees as well as the staff
members involving user’s personal information, in order for them to process
personal information in compliance with GDPR (Article 39 of GDPR). The Company
documents training-related details (date, time, list of employees to be
trained, list of participants, training content, training conductor, DPO’s
role) of training for employees.
The Company delivers this Privacy Policy in hard copy form or electronically. Staff members who process personal information have rights, etc. to request from the employer the correction of faulty information in relation to the personal information concerned.
Modification of Privacy Policy
The Company has
the right to amend or modify this Privacy Policy from time to time, in which
case, the Company will make a public notice of it through bulletin board of its
website (or through individual notice in writing or by fax or e-mail) and have
the consent of the users if required by relevant law.
Cookies
The Company may
collect collective and impersonal information through 'cookies' or 'web
beacons'.
Cookies are
substantially small text files to be sent to the browser of the users by the
server used for the operation of the Company’s websites and are stored in
hard-disks of the users' computers.
Web beacons are a small quantity of code which exists on websites and in e-mail. By using web beacons, the Company can identify whether a user has interacted with certain web pages or the contents of an email.
These functions are used for evaluating and improving services and customizing user experience so that the Company provides much improved services for the users.
The items of
cookies to be collected by the Company and the purpose of such collection are
as follows:
• Required cookies: This
kind of cookies is indispensably necessary for the users to use the functions
of the Company’s website. No services can be provided for a user unless he or
she accepts these cookies. These cookies do not collect any information which
can be used for marketing or store the sites that the users have visited.
• Performance cookies:
This kind of cookies collects information of how the users use the Company's
website such as the webpages most frequently visited by the users. Such data
helps to optimize the Company’s website so that the users can search more
conveniently on its website. Such cookies do not collect any information
regarding users’ identification. All or any information collected by this kind
of cookies are anonymous since the information is collectively processed.
• Functionality cookies: This kind of cookie is used to store settings so as to provide services and improve the user experience. No information collected by these cookies identifies an individual user.
The users have an
option for cookie installation: accepting all cookies, making each cookie
confirmed whenever it is saved, or refusing the storage of all cookies.
However, such refusal by a user may result in the limit to the part of the
Company's services.
The latest update date: AUG 29, 2024