Privacy policy of Sesame Lab Corp.

Article 1 Purpose of processing personal information

The company processes personal information for the following purposes. The personal information processed shall not be used for purposes other than the followings, and if the purpose of use changes, Company will take necessary measures such as obtaining separate consent subject to Article 18 of the Personal Information Protection Act.

① Membership registration and management

Personal information will be processed for the purposes of confirming the intention to subscribe as a member, identification and authentication according to the provision of membership services, maintenance and management of membership, prevention of illegal or improper use of services, and various notifications and notices.

② Service provision

We will process personal information for the purpose of providing services, content, and customer services and improvement of services.

③ Grievance handling

Personal information will be processed for the purpose of confirming the identity of the complainant, confirming the complaints, contacting and notifying for fact-finding, and notifying the results of processing.

④ The fulfillment of the claim-obligation relationship when such relationship remains due to service use and supply of goods, etc.

⑤ Re-subscription and exclusion of illegal or improper use

⑥ Restriction to subscription of illegal users and the person who has used the service improper way

Article 2 Processing and retention period of personal information

① The Company shall process and retain personal information within the retention period and use of personal information in accordance with laws and regulations or within the period of retention agreed upon when collecting personal information from the data subjects.

② Each personal information processing and retention period will be as follows.

1. Membership subscription and management, grievance handling: Until withdrawal from membership Provided, however that, in the case of any of the following reasons, it shall be until the end of the reason

A. If an investigation or investigation in violation of related laws is in progress, it will be until the end of the investigation or examination

B. Until settlement of the claim-obligation relationship related to service use

2. Fulfillment and payment for the provision of goods or services: Until the completion of supply of goods and services, payment of fees, and settlement.

However, in the events of any of the following reasons or based on relevant laws and regulations; until the end of the period

A. Records on transactions such as marks, advertisements and contents of the contracts and execution thereof subject to the 「Act On The Consumer Protection in Electronic Commerce, etc.」

• Records related to marks and advertisement: 6 months
• Records related to cancellation of contracts or subscription, payment for and supply of goods, etc.: 5 years
• Records related to resolution of consumer complaints or dispute : 3 years

B. Storage of communication confirmation data pursuant to Article 41 of the 「Enforcement Decree of the Protection of Communication Secrets Act」

• Subscribers' telecommunication date and time, start/end time, other party's subscriber number, frequency of use, The data on tracing a location of information communications apparatus: 1 year
• Computer communication, Internet log record data, the data on tracing a location of connectors: 3 months

3. Re-subscription verification and exclusion of illegal or improper use: Up to 60 days from the date of membership withdrawal or disqualification

4. Restriction on subscription of illegal or improper users: 1 year from the date of the cheating ends

5. Personal information outsourced to Company in accordance with outsourcing agreement : Until the end of outsourcing agreement.

Article 3 Personal information items to be processed

The Company processes the following personal information items.

1. When subscribing as a member: name, e-mail address, address, picture, mobile phone number, SNS ID and password

2. When using the service : name, e-mail address, address, picture, mobile phone number, SNS ID and password

3. Data automatically generated when using the service

Service usage record, OS information, hardware information

4. Settlement and debt collection

Name, date of birth, gender, mobile phone number, credit card information (card number, expiration date, date of birth, first two digits of password, business registration number only for corporate cards)

5. Re-subscription verification and exclusion of illegal use, restrictions on subscription of illegal or improper users

SNS ID and password

Article 4 Processing of personal data of child under 14 years of age

① When collecting personal information for children under the age of 14, the Company shall collects the minimum extent personal information necessary to perform the service with the consent of a legal representative.

• Required items: Name, relationship, and contact information of the legal representative

② The Company shall obtains separate consent from legal representative of child under 14 years of age, when collecting children's personal information for the promotion of the Company's products.

③ When collecting personal information of children under the age of 14, the Company may require children to have minimum information, such as the name and contact information of their legal representative. And Company shall confirm whether the legal representative has provided his or her consent through any of the following means:

• Having the legal representative indicate whether he or she consents on the website that specifies the consent items, and informing the legal representative via mobile text message that the information and communications service provider confirmed the indication of consent;
• Having the legal representative indicate whether he or she consents on the website that specifies the consent items, and receiving credit, debit, etc. card information of the legal representative's;
• Having the legal representative indicate whether he or she consents on the website that specifies the consent items, and verifying the identity of the legal representative via the identity verification process on the legal representative's mobile phone, etc.;
• Issuing or delivering the document that specifies the consent items to the legal representative directly or via mail or fax, and having the legal representative submit the document after signing and affixing seal on the document with respect to the consent items;
• Sending an electronic email that specifies the consent items and having the legal representative send an e-mail with an indication of consent;
• Informing the legal representative of the consent items and receiving the legal representative's consent via phone call, or providing the legal representative with the means (e.g., web address) to confirm the consent items and obtaining the legal representative's consent via a phone call;
• Other method of informing the legal representative of the consent items and confirming the legal representative's indication of consent in a comparable manner to described above.

Article 5 Provision of Personal Information to Third Party

① The company shall processes personal information of the data subject only within the scope specified for the purpose of processing personal information, and provides personal information to third parties only if it falls under Articles 17 and 18 of the Personal Information Protection Act, such as consent of the data subject and special provisions of the law and otherwise the Company shall not provide personal information of the data subject to any third party.

② The company may provide personal information to related agencies without the consent of the information in the event of an emergency, such as a disaster, infectious disease, urgent life or physical risk, or urgent property loss

Article 6 Destruction of personal information

① The company shall destroy personal information without delay when unnecessary, such as the expiration of the personal information retention period or achievement of the processing purpose.

② Notwithstanding the retention period of personal information agreed by the user has elapsed or the purpose of processing has been achieved, if personal information must be kept in accordance with other laws and regulations, it may be transferred to a separate database (DB) or the storage location to store may be changed.

③ The procedure and method of destroying personal information are as follows.

1. Destruction procedure

The company selects the personal information for which the reason to destroy has occurred, and destroys the personal information with the approval of the company's personal information protection manager.

2. Destruction method

The company will use a technical method that cannot reproduce the recorded personal information in the form of electronic files. Personal information recorded and stored in paper documents will be shredded to destroy.

Article 7 Destruction of personal information of long-term non-use members

① The Company will destroy the personal information of users who have not used information and communications services for one year. Provided, That, it may be stored and managed separately from other users' personal information until the retention period designated otherwise by other statutes.

② The company shall notify to the dormant user that their personal information is to be separately sorted and stored by 30 days before the dormancy conversion and the dormancy date, by either of an email or a text message.

③ If user does not want to switch to dormant account, the user may log in to the service before switching to a dormant account. In addition, even if the user switch to a dormant account, user may use the normal service by restoring the dormant account according to the user's consent when logging in. The information subject may exercise the right to view personal information and request correction at any time to the Company.

Article 8 Rights and duties of data subjects and legal representative, and methods of exercise

① The data subject may exercise the right to the company at any time, such as requesting access to, correction, deletion, and suspension of processing of personal information.

② The rights may be exercised in writing or via e-mail according to the relevant laws and regulations, and the company will take actions without delay.

③ The rights pursuant may be exercised through the agents such as legal representative of the data subjects or through a person who has been delegated. In this case, user shall submit a power of attorney in accordance with the form of Attachment 11 of the 'Regulations of the Personal Information Protection Act (No. 2020-7)'

④ The rights of the data subjects for requests to view and suspend personal information may be restricted according to related laws (Paragraph 4 of Article 35, Paragraph 2 of Article 37 of Personal Information Protection Act, etc.)

⑤ Requests for correction and deletion of personal information shall not be demanded if the personal information is specified as the object of collection in accordance with other relevant laws.

⑥ The company shall verify whether the person who makes the request for reading, correction and deletion, processing suspension is the person himself or the legal representative.

Article 9 Measures to ensure the safety of personal information

The company takes the following technical, administrative, and physical measures to ensure safety so that personal information is not lost, stolen, divulged, altered or damaged in processing user's personal information.

1. Managerial methods : Establishment and implementation of internal management plans, Operation of a dedicated organization, regular employee training

2. Technical methods :Limited access to personal information, Installation of access control system, encryption of personal information, installation and renewal of security programs

3. Physical method : Control of access to computer rooms, data storage rooms, etc

Article 10 Installation and operation of an automatic collection tool for personal information and the denial thereof

① Company uses cookies that store and frequently call in user's information to identify users for the purpose of providing customized services for each user.

② Cookies are very small text files to be sent to the browser of the users by the server of website of the Company and will be stored in hard-disks of the users' computer.

1. Purpose of use of cookies: It is used to provide optimized information to users by identifying the types of visits and usage of each service and website visited by users, popular search terms, security access, etc.

2. Installation, operation, and rejection of cookies: User may refuse to save cookies by setting the options on the Tools > Internet Options > Personal Information menu at the top of the web browser.

3. Refusing to save cookies may make it difficult to use customized services.

Article 11 Personal Information Protection Officer

① The Company designates the officer and a handling staff who are generally responsible for personal information protection and for handling users complaints and damage remedy related to personal information processing.

• Personal Information Officer
  Name: Kim Do Hyun
  Position: Representative Director
  Phone: 02-6953-6807
• Personal Information Management Department : Management Department
  Person in Charge : Seo, Myeongsik
  Phone : 02-6953-6807

② Users can inquire the person in charge of personal information protection and the department in charge about all kinds of inquiries, complaint handling, damage relief related to personal information protection etc. that occurred while using the company's services. The company will respond to process users' inquiries without delay.

Article 12 Review request of personal information

The Company operates a customer center for smooth communication with users, and the contact information is as below.

• Department name: Management Department
• Person in Charge : Seo, Myeongsik
• Phone : 02-6953-6807, e-mail support@thesesamelab.com, Fax 02-6919-1591

Article 13 Remedy for infringement on rights and interests

① If the rights and interests of personal information are infringed on, user may contact the Personal Information Infringement Report Center, Supreme Prosecutors' Office Cyber Investigation Division, and National Police Agency Cyber Security Bureau, etc.

1. Personal information dispute mediation committee/ 1833-6972 (www.kopico.go.kr)

2. Personal Information Infringement Report Center / privacy.kisa.or.kr / 118 without prefix

3. Supreme Prosecutors' Office Cyber Investigation Division / www.spo.go.kr / 1301 without prefix

4. Cyber Security Bureau of the National Police Agency / police.go.kr / 182 without prefix

② The company tries to protect the information subject's right to self-determination of personal information, and tries to provide counseling and remedy for damage caused by personal information infringement, and if user needs to report or consult, please contact the department in charge below.

• Department name: Management Department
• Person in Charge : Seo, Myeongsik
• Phone : 02-6953-6807, e-mail support@thesesamelab.com, Fax 02-6919-1591

③ A user who has been violated by a disposition or omission made by the head of a public institution for requests under Article 35 (Reading Personal Information), Article 36 (Correction and Deletion of Personal Information), and Article 37 (Suspension of Processing of Personal Information) of Personal Information Protection Act, may request an administrative trial as prescribed by the Administrative Appeals Act.

• Central Administrative Appeals Commission: 110 (www.simpan.go.kr)

Article 14 Compliance with GDPR

① The company complies with the European Union General Data Protection Regulation and the laws of each member state. When providing services to users in the European Union, the followings may be applied.

1. The company shall use the collected personal information only for the purposes stipulated in Article 1, and inform the user in advance and seek for consent. In addition, in accordance with applicable laws such as GDPR, the company may process users' personal information corresponding to any of the following cases.

A. data subject's consent

B. For the conclusion and execution of a contract with the data subject

C. For compliance with legal obligations

D. When processing is necessary for the material interest of the data subject

E. In pursuit of legitimate interests of the company (except when the interests, rights, or freedoms of the data subject are more important than those of the company)

② The company carefully protects the personal information of users. In accordance with applicable laws such as the GDPR, users may request that their personal information be transferred to another manager, and may request refusal to process their data. In addition, users have the right to file a complaint with the privacy authority.

③ The company may use personal information to provide marketing such as events and advertisements, and seeks for user's consent in advance. Users can withdraw their consent at any time if they do not want to.

④ If user contacts Company in writing, phone or e-mail through the customer center, we will take actions without delay.

⑤ If user requests correction of errors in personal information, we will not use or provide the personal information concerned to others until the correction is completed.

Article 15 Matters concerning changes to the Privacy Policy

① This Privacy Policy shall be applied from 2022. 8. 17.

② Previous Privacy Policy can be found below.

• 2022. 2. 1. ~ 2022. 8. 17.. Applied (click)