Article 1 (Purpose)


ECOVITA (hereinafter referred to as the "Company") complies with the Personal Information Protection Act, the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. (hereinafter referred to as the "Information and Communications Network Act"), and other related laws to protect the personal information (hereinafter referred to as "personal information") of individuals (hereinafter referred to as "users" or "individuals") who use the services (hereinafter referred to as "company services") provided by the company. To handle the personal information protection issues of service users promptly and smoothly, the company establishes the following privacy policy (hereinafter referred to as "this policy").



Article 2 (Principles of Personal Information Processing)

In accordance with relevant personal information-related laws and this policy, the company may collect personal information from users. The collected personal information may be provided to third parties only if the user consents. However, in cases where it is legally mandated, the company may provide the collected personal information to third parties without prior user consent.



Article 3 (Disclosure of This Policy)



The company discloses this policy through the homepage of the company or a link from the homepage so that users can easily check this policy at any time.

The company uses font size, color, etc., so that users can easily check this policy.

Article 4 (Changes to This Policy)



This policy may be revised according to changes in personal information-related laws, guidelines, notices, or government or company service policies.

In case of any revisions to this policy, the company shall notify users by one of the following methods:

Through a notice on the homepage of the company

By written, fax, email, or similar methods

The company shall notify users at least 7 days before the effective date of the revised policy. However, if there is a significant change in user rights, the company shall notify users at least 30 days before the effective date.

Article 5 (Information for Membership Registration)

The company collects the following information for user membership registration for company services:



Mandatory Information: Email address, password, and nickname

Article 6 (Information for Identity Verification)

The company collects the following information for user identity verification:



Mandatory Information: Email address

Article 7 (Methods of Collecting Personal Information)

The company collects users' personal information through the following methods:



By users entering their personal information on the company's website

By users entering their personal information through services other than the homepage provided by the company, such as applications

By users entering their personal information during the use of the company's services, such as customer service consultations, bulletin board activities, etc.

Article 8 (Use of Personal Information)

The company uses personal information in the following cases:



For delivering notices necessary for company operations

For replying to inquiries, processing complaints, and improving services for users

For providing the company's services

For preventing and sanctioning acts that hinder the smooth operation of the services, including service usage restrictions, in case of users violating laws or company terms of service

Article 9 (Retention and Use Period of Personal Information)



The company retains and uses users' personal information for the period necessary to achieve the purpose of collecting and using personal information.

Notwithstanding the preceding paragraph, the company retains records of fraudulent use for up to 1 year after the time of withdrawal to prevent fraudulent membership and use according to internal policies.

Article 10 (Retention and Use Period of Personal Information According to Laws)

The company retains and uses personal information as follows in accordance with relevant laws:



According to the Act on Consumer Protection in Electronic Commerce, Etc.

Records of contracts or withdrawal of offers: 5 years

Records of payments and supply of goods: 5 years

Records of consumer complaints or dispute resolution: 3 years

Records of advertising and display: 6 months

According to the Protection of Communications Secrets Act

Website log records: 3 months

According to the Electronic Financial Transactions Act

Records of electronic financial transactions: 5 years

According to the Act on the Protection and Use of Location Information

Records of personal location information: 6 months

Article 11 (Principle of Personal Information Destruction)

The company destroys users' personal information without delay when the purpose of processing personal information is achieved, the retention and use period has elapsed, or when the information is no longer needed.



Article 12 (Personal Information Destruction Procedures)



Information entered by users for membership registration, etc., is transferred to a separate database (in the case of paper, to a separate document box) after the purpose of processing personal information is achieved. It is stored for a certain period in accordance with internal policies and other related laws before being destroyed.

The company destroys personal information after obtaining approval from the personal information protection officer when destruction reasons arise.

Article 13 (Personal Information Destruction Methods)

The company deletes personal information stored in electronic file formats using technical methods that make the records unrecoverable, and destroys personal information printed on paper by shredding or incineration.



Article 14 (Measures for Sending Advertising Information)



The company receives the explicit prior consent of the user when transmitting commercial information for profit using electronic transmission media. However, the company may transmit commercial information for profit without prior consent in the following cases:

If the company has directly collected the contact information from the recipient through a transaction relationship and intends to transmit commercial information for profit regarding goods similar to those traded with the recipient within six months from the date the transaction ended.

In the case of telephone solicitation under the Door-to-Door Sales Act, where the caller verbally informs the recipient of the source of the personal information.

Even in the case of the preceding paragraph, the company does not transmit commercial information for profit if the recipient has expressed a refusal to receive it or has withdrawn prior consent, and informs the recipient of the processing results of refusal or withdrawal.

The company obtains separate prior consent from the recipient when transmitting commercial information for profit using electronic transmission media between 9 PM and 8 AM the next day, despite the provisions of paragraph 1.

The company clearly indicates the following information in the commercial information when transmitting commercial information for profit using electronic transmission media:

Company name and contact information

Information on how to express refusal or withdraw consent to receive commercial information

The company does not take the following measures when transmitting commercial information for profit using electronic transmission media:

Taking measures to avoid or interfere with the recipient's refusal to receive or withdraw consent to receive commercial information

Automatically generating and registering recipient contact information using numbers, symbols, or characters for the purpose of transmitting commercial information for profit

Concealing the identity of the sender or the source of the advertisement for the purpose of transmitting commercial information for profit

Taking deceptive measures to induce responses for the purpose of transmitting commercial information for profit

Article 15 (Protection of Children's Personal Information)



To protect the personal information of children under 14 years of age, the company allows only users over 14 years of age to register for membership.

Despite the provisions of paragraph 1, if the user is a child under 14 years of age, the company shall obtain the consent of the child's legal guardian for the collection, use, and provision of the child's personal information.

In the case of paragraph 2, the company shall collect additional information such as the name, date of birth, gender, duplicate membership confirmation information (ID), and phone number of the legal guardian.

Article 16 (Withdrawal of Consent for Personal Information Collection)



Users and legal guardians may view or modify their personal information at any time, and may request the withdrawal of their consent to the collection of personal information.

To withdraw consent to the collection of personal information, users and legal guardians may contact the personal information protection officer or the person in charge by mail, telephone, or email. The company shall promptly take action.

Article 17 (Correction of Personal Information)



Users may request the company to correct errors in their personal information through the methods specified in the preceding article.

In such cases, the company shall not use or provide the personal information until the correction is completed, and if the incorrect personal information has already been provided to a third party, the company shall promptly notify the third party of the correction so that the correction can be made.

Article 18 (User's Obligations)



Users must keep their personal information up to date, and are responsible for any problems caused by the inaccurate information entered by the user.

If a user registers for membership using another person's personal information, the user may lose their membership qualification or be punished under relevant personal information protection laws.

Users are responsible for maintaining the security of their email address, password, etc., and may not transfer or lend them to third parties.

Article 19 (Company's Management of Personal Information)

The company takes necessary technical and managerial measures to secure the safety of personal information to prevent loss, theft, leakage, alteration, or damage of personal information.



Article 20 (Processing of Deleted Information)

The company processes personal information deleted or terminated by a user or legal guardian according to the retention and use period specified in the "Retention and Use Period of Personal Information" section and ensures that it cannot be accessed or used for other purposes.



Article 21 (Password Encryption)

User passwords are stored and managed in an encrypted form using a one-way encryption method, and personal information can only be confirmed or changed by the user who knows the password.



Article 22 (Measures Against Hacking, etc.)



The company takes all possible measures to prevent personal information from being leaked or damaged due to hacking, computer viruses, etc.

The company uses the latest antivirus programs to prevent the leakage or damage of users' personal information or data.

The company does its best to ensure security by using intrusion prevention systems in case of an emergency.

The company ensures that sensitive personal information (if collected and retained) can be safely transmitted over the network using encryption communications.

Article 23 (Minimization and Training of Personal Information Processing Staff)

The company minimizes the number of personal information processing staff, and takes managerial measures such as training on compliance with laws and internal policies to emphasize compliance.



Article 24 (Measures Against Personal Information Leakage, etc.)

If the company becomes aware of the loss, theft, or leakage (hereinafter referred to as "leakage, etc.") of personal information, the company shall promptly inform the user of the following matters and report the incident to the Korea Communications Commission or the Korea Internet & Security Agency:



The personal information items that have been leaked, etc.

The time when the leakage, etc., occurred

The actions that users can take

The company's response measures

The department and contact information where users can file complaints or inquiries

Article 25 (Exceptions to Measures Against Personal Information Leakage, etc.)

Despite the provisions of the preceding article, if there is a valid reason, such as the inability to contact the user, the company may substitute the notification required by the preceding article by posting it on the company's website for at least 30 days.



Article 26 (Protection of Personal Information Transferred Abroad)



The company does not enter into international contracts that violate the Personal Information Protection Act or other relevant laws regarding users' personal information.

The company shall obtain the consent of users when providing (including cases where it is accessed), outsourcing, or storing users' personal information abroad (hereinafter referred to as "transfer"). However, if all of the items listed in the third paragraph of this article are disclosed in accordance with the Personal Information Protection Act or other relevant laws, or if they are notified to the user by email or other methods prescribed by presidential decree, the company may not need to go through the consent procedure for the outsourcing or storage of personal information.

In order to obtain the consent described in the second paragraph, the company shall notify users in advance of all of the following items:

The personal information items to be transferred

The country to which the personal information is being transferred, the transfer date, and the transfer method

The name of the person receiving the personal information (in the case of a corporation, the name of the corporation and the contact information of the information management officer)

The purpose of use and retention period of the personal information by the recipient

When transferring personal information abroad with the consent of users in accordance with the provisions of the second paragraph, the company shall take protective measures in accordance with the provisions of the Personal Information Protection Act and other relevant laws.

Article 27 (Matters Concerning the Installation, Operation, and Rejection of Automatic Collection Devices for Personal Information)



The company uses personal information automatic collection devices (hereinafter referred to as "cookies") to store and retrieve usage information in order to provide personalized services to users. Cookies are small pieces of information sent by the server operating the website to the user's web browser (including both PC and mobile) and may be stored in the user's storage space.

Users have the option to allow or block cookie installation. Therefore, users can set options in their web browser to allow all cookies, to check each time a cookie is saved, or to block all cookies.

However, if cookies are blocked, some services of the company that require login may be difficult to use.

Article 28 (Cookie Installation Permission Designation Method)

Cookie permission, blocking, and other settings can be configured through web browser option settings.



Edge: Settings Menu in the top right corner of the web browser > Cookies and site permissions > Manage and delete cookies and site data

Chrome: Settings Menu in the top right corner of the web browser > Privacy and security > Cookies and other site data

Whale: Settings Menu in the top right corner of the web browser > Privacy protection > Cookies and other site data

Addendum

Article 1 This policy shall be effective as of January 1, 2024.