Privacy Policy

KOKKOK GARDEN Privacy Policy KOKKOK Garden (hereinafter "Company") establishes and discloses this Privacy Policy in accordance with Article 30 of the Personal Information Protection Act (PIPA) of the Republic of Korea to protect the personal information of data subjects and to promptly and smoothly handle related grievances. Article 1 (Purpose of Processing Personal Information) The Company processes personal information for the following purposes. Personal information being processed shall not be used for purposes other than those listed below, and should the purpose of use change, the Company shall take necessary measures such as obtaining separate consent in accordance with Article 18 of PIPA. ① Member Registration and Management - Confirming intent to register, identification and authentication for membership services, maintaining and managing membership, preventing fraudulent use of services, various notices and notifications, grievance handling ② Provision of Goods or Services - Product delivery, service provision, sending contracts and invoices, content provision, personalized services, identity verification, age verification, payment processing and settlement ③ Marketing and Advertising - Development of new services/products and provision of personalized services, provision of promotional information and event participation opportunities, provision of services and advertising based on demographic characteristics, service validation, access frequency analysis, and statistical analysis of Members' service usage Article 2 (Processing and Retention Period of Personal Information) ① The Company processes and retains personal information within the period agreed upon when collecting personal information from the data subject or within the period prescribed by law. ② The processing and retention period for each category of personal information is as follows: 1. Member Registration and Management: Until membership withdrawal (destroyed within 5 days after withdrawal) Exceptions: - If an investigation is ongoing due to a violation of relevant laws: until completion of the investigation - If outstanding debts remain from service use: until settlement of debts 2. Provision of Goods or Services: Until completion of product/service delivery and payment settlement 3. Retention under the Act on Consumer Protection in Electronic Commerce: - Records relating to contracts or withdrawal of offers: 5 years - Records relating to payment and supply of goods: 5 years - Records relating to consumer complaints or dispute resolution: 3 years - Records relating to labeling and advertising: 6 months 4. Retention under the Protection of Communications Secrets Act: - Website visit records: 3 months Article 3 (Personal Information Items Processed) The Company processes the following personal information items: ① Items collected upon member registration: [Required] Email address, password, name, phone number, gender, date of birth, country [Optional] Skin type ② Information automatically generated/collected during service use: - IP address, cookies, service usage records, visit date/time, misuse records, device information (OS, browser type, etc.) ③ Information collected during payment: - Credit card payment: card company name, partial card number, approval number - Bank transfer: bank name, partial account number ④ Information collected via social login (received from the respective service provider): - Google: email, name, profile picture - Kakao: email, nickname, profile picture - Naver: email, name, profile picture, contact, gender, date of birth, age range Article 4 (Provision of Personal Information to Third Parties) ① The Company processes personal information only within the scope stated in Article 1 and provides personal information to third parties only in cases falling under Articles 17 and 18 of PIPA, such as with consent of the data subject or special provisions of law. ② The Company provides personal information to third parties as follows: - Recipients: Delivery companies (e.g., CJ Logistics, Lotte Express) - Purpose: Product delivery - Items provided: Recipient's name, contact information, delivery address - Retention period: 1 year after delivery completion Article 5 (Entrustment of Personal Information Processing) ① The Company entrusts personal information processing as follows for smooth operations: - Trustee: Payment Gateway (PG) companies - Entrusted tasks: Payment processing and fraud prevention - Retention period: Until termination of the entrustment contract ② When concluding an entrustment contract, the Company specifies matters such as prohibition of processing personal information beyond the entrusted purpose, technical and administrative protective measures, restrictions on re-entrustment, management and supervision of the trustee, and liability for damages in the contract documents in accordance with Article 26 of PIPA. Article 6 (Procedure and Method of Destroying Personal Information) ① The Company destroys personal information without delay when it becomes unnecessary due to expiration of the retention period, achievement of the processing purpose, etc. ② When personal information must be retained under other laws despite the expiration of the retention period or achievement of the processing purpose, the Company transfers the personal information to a separate database (DB) or stores it in a different location. ③ The procedure and method of destroying personal information: - Electronic file format: Permanently deleted using methods that make recovery impossible - Records, printed materials, and other recording media: Shredded or incinerated Article 7 (Rights and Obligations of Data Subjects and Methods of Exercising Them) ① Data subjects may exercise their rights to request access, correction, deletion, or suspension of processing of their personal information from the Company at any time. ② The exercise of rights under Paragraph 1 may be done through writing, email, or fax in accordance with Article 41, Paragraph 1 of the Enforcement Decree of PIPA, and the Company shall take action without delay. ③ Rights under Paragraph 1 may be exercised through a legal representative or an authorized agent of the data subject. ④ The right to access or suspend processing may be restricted under Articles 35(4) and 37(2) of PIPA. ⑤ A request for deletion cannot be made if the personal information is specified as a collection target under other laws. ⑥ The Company verifies whether the person making a request for access, correction/deletion, or suspension of processing is the data subject or a legitimate representative. Article 8 (Measures to Ensure Safety of Personal Information) The Company takes the following measures to ensure the safety of personal information: ① Administrative measures: Establishing and implementing internal management plans, regular employee training, minimizing and training employees who handle personal information ② Technical measures: Managing access rights to personal information processing systems, installing access control systems, encrypting unique identification information, installing and updating security software ③ Physical measures: Access control for server rooms and data storage facilities Article 9 (Matters Regarding Installation, Operation, and Rejection of Automatic Collection Devices) ① The Company uses "cookies" to store and retrieve usage information to provide personalized services to users. ② Cookies are small pieces of information sent by the server (HTTP) operating the website to the user's computer browser and may be stored on the user's hard drive. a. Purpose of cookies: Used to analyze visit and usage patterns, popular search terms, and security access status for each service and website visited by the user, to provide optimized information. b. Installation, operation, and rejection of cookies: Users may refuse cookie storage through the options settings in Tools > Internet Options > Privacy in their web browser. c. Refusing cookie storage may cause difficulties in using personalized services. Article 10 (Personal Information Protection Officer) ① The Company designates a Personal Information Protection Officer as follows to oversee personal information processing and handle grievances and damage relief for data subjects: ▶ Personal Information Protection Officer - Name: [Set in Admin Page] - Position: Representative - Contact: [Set in Admin Page] - Email: [Set in Admin Page] ② Data subjects may direct all inquiries, complaints, and requests for damage relief related to personal information protection to the Personal Information Protection Officer. The Company shall respond to and process data subjects' inquiries without delay. Article 11 (Methods for Seeking Remedies for Rights Infringement) Data subjects may apply for dispute resolution or counseling to the following organizations for remedies for personal information infringement: 1. Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr) 2. Personal Information Infringement Report Center: 118 (privacy.kisa.or.kr) 3. Supreme Prosecutors' Office: 1301 (www.spo.go.kr) 4. National Police Agency: 182 (ecrm.cyber.go.kr) GDPR Notice (for EU/EEA Users) If you are located in the European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR): - Right to access your personal data - Right to rectification of inaccurate data - Right to erasure ("right to be forgotten") - Right to restriction of processing - Right to data portability - Right to object to processing - Right not to be subject to automated decision-making To exercise these rights, contact our Data Protection Officer at the email address listed above. You also have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement. Article 12 (Changes to Privacy Policy) This Privacy Policy is effective from April 1, 2026. Any changes will be announced on the website at least 7 days before the effective date of the changes.