Privacy Policy(August 30, 2024)
Last updated : August 30, 2024
<Hits Inc.> (hereinafter referred to as 'the Company') establishes and discloses the following privacy policy in accordance with Article 30 of the Personal Information Protection Act to protect the personal information of the information subject and to handle related grievances promptly and smoothly.
○ This privacy policy applies to all mobile and desktop applications, online websites, and all interactions between you and the company (e.g., customer service inquiries) provided by the company.
○ This privacy policy will be applied from August 30, 2024.
1. Purpose of Collection and Use of Personal Information
The company processes personal information for the following purposes. The personal information being processed will not be used for any purposes other than the following, and if the purpose of use changes, necessary measures such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act will be implemented.
Membership Registration and Management Personal information is processed for the purpose of confirming the intention of membership registration, identification for the provision of membership services, maintenance and management of membership qualifications, prevention of unauthorized use of services, and various notifications and communications. The specific purposes of collecting and using personal information follow Article 3, Paragraph 1.
Service Provision Personal information is processed for the use of labspace, creation of new projects, participation, service purchase, and payment, etc. The specific purposes of collecting and using personal information follow Article 3, Paragraph 1.
2. Period of Processing and Retaining Personal Information
① The company processes and retains personal information within the personal information retention and use period according to the laws or the period agreed upon by the information subject when collecting personal information.
② The period of processing and retaining personal information is as follows:
The company deletes all personal information of the user two years from the last date of service use or when the preservation period according to the law has elapsed. The company deletes personal information of users upon withdrawal of membership after a preservation period of 180 days from the date of withdrawal or the preservation period according to the law for the purpose of preventing misuse of services. However, even after all preservation periods have elapsed, if any of the following reasons apply, personal information will be deleted when such reasons are resolved:
If an investigation or inquiry according to the violation of laws is in progress, at the end of the investigation or inquiry
If there remains any debt or credit relationship due to service use, at the end of such debt or credit relationship
If the provision of goods or services has not been completed, upon completion of the provision of goods or services and payment and settlement of the price
③ Personal information that must be retained for a certain period according to the law and the relevant laws are as follows:
Preservation Item
Basis for Legislation
Preservation Period
Records of contracts or withdrawal of offers
Act on the Consumer Protection in Electronic Commerce, Etc.
5 years
Records of payment and supply of goods, etc.
5 years
Records on consumer complaints or dispute resolution
3 years
Records on advertisement
6 months
Account books and documents for all transactions defined by tax law
National Tax Service Basic Act
5 years
Service visit records
Protection of Communications Secrets Act
3 months
3. Categories of Personal Information Processed
① The company collects and processes the following categories of personal information:
Purpose of Collection and Use
Collected Items
Retention Period
Membership Registration and Management
Name, Date of Birth, Email, Password, Mobile Phone Number, Company Name (or Corporation Name)
Until 2 years from the last date of service use or as prescribed by relevant laws.
Identity Verification
Name, Date of Birth, Gender, Nationality (Domestic/Foreign), Mobile Carrier Information, Mobile Phone Number, Encrypted User Identification Value (CI), Duplicate Registration Information (DI)
Until 2 years from the last date of service use or as prescribed by relevant laws.
Service Purchase and Payment
Orderer's payment information (credit card information, card company name, etc.), payment authorization number, bank of account, account number, account holder's name, mobile phone number
Until 2 years from the last date of service use or as prescribed by relevant laws.
Issuance of Tax Invoice
Business Registration Number
Until 2 years from the last date of service use or as prescribed by relevant laws.
Issuance of Cash Receipt
Cash receipt application information (telephone number or business registration number registered with the National Tax Service)
Until 2 years from the last date of service use or as prescribed by relevant laws.
Cancellation and Refund
Bank of account, account number, account holder's name, email, orderer's payment information (credit card information, card company name, etc.)
Until 2 years from the last date of service use or as prescribed by relevant laws.
Customer Service Use
Personal information included in inquiries and consultation content, caller number, consultation content, information for identity verification (mobile phone number, etc.)
Until 2 years from the last date of service use or as prescribed by relevant laws.
Statistics Compilation and Research
Name, Date of Birth, Gender, Nationality (Domestic/Foreign), Service Use and Payment Records, Pseudonymized Information
Until 2 years from the last date of service use or as prescribed by relevant laws.
Service and Personalized Service Provision
Behavioral information (online user activity information that can analyze interests, preferences, and tendencies, such as service usage history, purchases/payments, and search history), website access time, access IP, cookies, device type, OS type and version, etc.
Until 2 years from the last date of service use or as prescribed by relevant laws.
Provision of service promotions, targeted advertisements, announcements of new services and events, newsletters, etc.
Name, date of birth, gender, frequency of access, service usage and payment history, website access time.
Until 2 years from the last date of service use or as prescribed by relevant laws.
② In the process of using the service or processing the service provision work, the following information may be automatically generated or additionally collected:
IP Address, cookies, access log, visit date, service usage record, bad usage record
4. Matters Concerning the Provision of Personal Information to Third Parties
① The company processes personal information only within the scope specified in Article 1 (Purpose of Processing Personal Information) and Article 3 (Items of Personal Information Processed) Paragraph 1, and does not use or disclose the personal information of customers beyond this scope without prior consent. However, exceptions are made in accordance with Articles 17 and 18 of the Personal Information Protection Act in the following cases:
When the customer has given prior consent
When there are special provisions in the law or it is inevitable to comply with legal obligations
When it is inevitable for public institutions to perform their duties as specified in the law, etc.
When necessary for the investigation of crimes, prosecution and maintenance of prosecutions, and performance of court duties
When the customer or their legal representative is unable to express their intentions or it is impossible to obtain prior consent due to an unknown address, etc., and it is clearly necessary for the urgent interest of the customer or third party's life, body, and property
② The company is currently not providing personal information to third parties.
5. Matters Concerning the Consignment of Personal Information Processing
① The company consigns personal information processing tasks for smooth personal information task processing as follows:
Entrusted Party: Amazon Web Services Inc.
Scope of Work: Operation and management of cloud servers
Period of Entrustment: Until membership withdrawal or termination of the entrustment contract
Entrusted Party: Google LLC
Scope of Work: Google Analytics, Gmail, Firebase, Google Tag Manager
Period of Entrustment: Until membership withdrawal or termination of the entrustment contract
Entrusted Party: Microsoft Corporation
Scope of Work: Clarity
Period of Entrustment: Until membership withdrawal or termination of the entrustment contract
Entrusted Party: Channel Corp.
Scope of Work: Management and operation of consultation channels
Period of Entrustment: Until membership withdrawal or termination of the entrustment contract
Entrusted Party: Sentry
Scope of Work: Error information collection
Period of Entrustment: Until membership withdrawal or termination of the entrustment contract
Entrusted Party: 스티비 주식회사
Scope of Work: Newsletter distribution
Period of Entrustment: Until membership withdrawal or termination of the entrustment contract
Entrusted Party: Feat Corp.
Scope of Work: FeatPaper
Period of Entrustment: Until membership withdrawal or termination of the entrustment contract
Entrusted Party: (주)다날
Scope of Work: Online product payment
Period of Entrustment: Until membership withdrawal or termination of the entrustment contract
Entrusted Party: PayPal Pte. Ltd
Scope of Work: Online product payment
Period of Entrustment: Until membership withdrawal or termination of the entrustment contract
② When entering into a consignment contract, the company specifies in the contract documents, such as prohibiting processing of personal information other than for the purpose of performing consigned work according to Article 26 of the Personal Information Protection Act, technical and administrative protection measures, restrictions on re-consignment, management and supervision of the trustee, and responsibilities for damages, and supervises whether the trustee processes personal information safely.
③ If the content of the consigned work or the trustee changes, we will immediately disclose it through this privacy policy.
6. Transfer of Personal Information Overseas
The company transfers or manages personal information overseas for service provision and to enhance user convenience as follows:
Recipient Name and Contact: Amazon Web Service Inc., [email protected]
Transfer Country: Japan, United States
Time and Method of Transfer: Transmission through the network at the time of service use
Personal Information Items Transferred: Collection items as stated in the privacy policy
Purpose of Use by Recipient: Operation and management of cloud servers
Retention and Use Period by Recipient: Until membership withdrawal or termination of the entrustment contract
Recipient Name and Contact: Google, [email protected]
Transfer Country: United States
Time and Method of Transfer: Transmission through the network at the time of service use
Personal Information Items Transferred: Collection items as stated in the privacy policy
Purpose of Use by Recipient: Google Analytics, Gmail, Firebase, Google Tag Manager
Retention and Use Period by Recipient: Until membership withdrawal or termination of the entrustment contract
Recipient Name and Contact: Microsoft Corporation
Transfer Country: United States
Time and Method of Transfer: Transmission through the network at the time of service use
Personal Information Items Transferred: Collection items as stated in the privacy policy
Purpose of Use by Recipient: Clarity
Retention and Use Period by Recipient: Until membership withdrawal or termination of the entrustment contract
Recipient Name and Contact: Sentry, [email protected]
Transfer Country: United States
Time and Method of Transfer: Transmission through the network at the time of service use
Personal Information Items Transferred: Collection items as stated in the privacy policy
Purpose of Use by Recipient: Error information collection
Retention and Use Period by Recipient: Until membership withdrawal or termination of the entrustment contract
Recipient Name and Contact: PayPal Pte. Ltd
Transfer Country: United States
Time and Method of Transfer: Transmission through the network at the time of service use
Personal Information Items Transferred: Collection items as stated in the privacy policy
Purpose of Use by Recipient: Payment processing and information management
Retention and Use Period by Recipient: Until membership withdrawal or termination of the entrustment contract
7. Destruction Procedure and Method of Personal Information
① When personal information becomes unnecessary, such as when the personal information retention period has expired or the processing purpose has been achieved, the company will immediately destroy the personal information.
② If personal information needs to be retained continuously despite the expiration of the personal information retention period agreed by the information subject or the achievement of the processing purpose, due to other laws, such personal information will be moved to a separate database (DB) or stored in a different place.
③ The procedure and method of personal information destruction are as follows:
Destruction procedure
The company selects personal information that has a reason for destruction, and after obtaining approval from the company's personal information protection officer, destroys the personal information.
Destruction method
Information in electronic file format is destroyed using a technical method that cannot reproduce the record.
Printed personal information is shredded with a shredder or destroyed by incineration.
8. Measures for the Inactivation of Personal Information
① The company converts users who have not used the service for one year into dormant accounts and separately stores and manages personal information. Separately stored personal information is destroyed without delay after being stored for one year.
② The company notifies dormant prospective members of the fact of separate storage and the date of dormancy, the items of personal information stored separately, through email, text, or other possible methods to the user 30 days before the transition to dormancy.
③ If you do not wish to transition to a dormant account, you can simply log in to the service before the transition to a dormant account. Even if it has been converted to a dormant account, you can restore the dormant account and use the service normally according to the user's consent by logging in.
9. Rights of the Information Subject and Legal Representative and Method of Exercising Them
① Customers can exercise their rights to request access, correction, deletion, and suspension of processing of personal information to the company at any time.
② The exercise of rights according to Paragraph 1 can be done through a written, electronic mail, or facsimile (FAX) to the company according to Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act, and the company will take action without delay. Customers can also directly view, correct, or withdraw through the "Member Information Change" page after undergoing the identity verification process.
③ The exercise of rights according to Paragraph 1 can be done through a legal representative of the information subject or an agent such as a person who has been delegated. In this case, you must submit a power of attorney according to the form in Annex 11 of the Notice on Personal Information Processing Method (No. 2020-7).
④ The right to request access and suspension of processing can be restricted according to Article 35, Paragraph 4, and Article 37, Paragraph 2 of the Personal Information Protection Act.
⑤ The request for correction and deletion of personal information cannot be requested if the personal information is specified as a collection target in other laws.
⑥ The company verifies whether the person making the request for access, etc., is the person or a legitimate representative.
10. Measures for Securing the Safety of Personal Information
The company has implemented the following measures to ensure the security of personal information:
Regular Self-Audits: The company conducts regular (quarterly) self-audits to ensure the security of personal information handling.
Minimization and Training of Personal Information Handlers: The company designates and limits the number of employees handling personal information to minimize and manage personal information effectively.
Establishment and Implementation of Internal Management Plan: The company has established and implements an internal management plan for the safe processing of personal information.
Technical Measures Against Hacking: The company installs security programs and conducts regular updates and checks to prevent personal information leaks and damage due to hacking or computer viruses, controlling access from external sources and monitoring and blocking both physically and technically.
Encryption of Personal Information: Users' personal information, including passwords, is encrypted and stored, with critical data further protected by encryption or file locking features, ensuring only the individual can access their information.
Preservation and Anti-Tampering of Access Records: Access records to the personal information processing system are retained and managed for at least one year, with additional security measures to prevent tampering, theft, or loss. For processing of over 50,000 subjects' personal information, sensitive information, or unique identifiers, records are kept for more than two years.
Restriction of Access to Personal Information: Access rights to the personal information processing database system are strictly controlled through assignment, modification, and deletion, with intrusion prevention systems used to control unauthorized access from outside.
Use of Locking Devices for Document Security: Documents and storage media containing personal information are kept in a secure location with locking devices.
Control of Unauthorized Access: Physical storage locations containing personal information have separate access control procedures established and operated to prevent unauthorized access.
11. Installation, Operation, and Rejection of Devices for Automatic Personal Information Collection
① The company uses cookies to provide personalized and customized services by storing and retrieving customer information as needed.
② Cookies are small text files sent by the server, used to operate websites, to customers' browsers and stored on the customers' computer hard drives. These cookies are used to maintain customer preferences and provide customized services upon visiting the website.
③ Cookies do not actively or automatically collect personally identifiable information, and customers can refuse or delete cookies at any time. However, refusing cookies may result in difficulties in using some of the company's services requiring login.
④ Customers can configure their browsers to accept or reject cookies:
Select [Internet Options] from the [Tools] menu.
Click on the [Privacy] tab.
Set the [Privacy Handling Level] as desired.
12. Matters Concerning the Processing of Anonymized Information
The company may process personal information collected for statistical creation, scientific research, or public interest record preservation by deleting part of the information or replacing it in whole or in part, making it impossible to identify specific individuals without additional information. Necessary technical, managerial, and physical measures are taken to ensure the safety of such anonymized information and prevent it from being lost, stolen, leaked, forged, altered, or damaged. The company maintains records to manage the purposes of processing anonymized information and the recipients of such information when provided to third parties.
13 Personal Information Protection Officer
① The company has designated the following personal information protection officer to take overall responsibility for the tasks related to the processing of personal information, to handle complaints and remedy damage related to personal information processing.
Name: Jae Chang Lim
Department: Platform Business Division
Contact: +82-2-6953-0317
Email: [email protected]
② Information subjects can inquire about all personal information protection-related inquiries, complaints, and damage remedy that occur while using the company's service to the personal information protection officer and the department in charge. The company will respond and handle the inquiries of the information subject without delay.
14. Criteria for Judgment of Additional Use and Provision
The company may use or provide personal information additionally without the consent of the information subject in accordance with Article 15, Paragraph 3, and Article 17, Paragraph 4 of the 「Personal Information Protection Act」, considering the matters according to Article 14 of the 「Enforcement Decree of the Personal Information Protection Act」. Accordingly, the company has considered the following matters to use or provide personal information additionally without the consent of the information subject.
▶ Whether the purpose of additional use or provision of personal information is related to the original collection purpose
▶ Whether additional use or provision is predictable in consideration of the circumstances of collecting personal information or processing practices
▶ Whether the additional use or provision of personal information unfairly infringes on the interests of the information subject
▶ Whether necessary
measures such as pseudonymization or encryption have been taken for security assurance
※ The judgment criteria for considering additional use or provision are voluntarily determined and disclosed by the company
15. Change of Privacy Policy
If there is an addition, deletion, or modification of the contents of the current privacy policy, it will be announced through the 'Notice' on the homepage at least 7 days in advance. However, if there are significant changes to the customer's rights, it will be announced at least 30 days in advance, and customer consent may be obtained again if necessary.
16. Remedy for Infringement of Rights and Interests of Information Subjects
Information subjects can apply for dispute resolution or consultation, etc., to the Personal Information Dispute Mediation Committee and the Korea Internet & Security Agency Personal Information Infringement Report Center to receive remedy for personal information infringement. In addition, inquiries about other personal information infringement reports and consultations can be made to the following institutions.
Personal Information Dispute Mediation Committee: www.kopico.go.kr
Privacy Call Center: privacy.kisa.or.kr
Supreme Prosecutors' Office: http://www.spo.go.kr
National Police Agency: http://ecrm.cyber.go.kr
Those who have been infringed upon their rights or interests due to the disposition or inaction of the head of a public institution according to the provisions of Article 35 (Access to Personal Information), Article 36 (Correction and Deletion of Personal Information), and Article 37 (Suspension of Processing, etc.) of the 「Personal Information Protection Act」 can file for administrative litigation according to the Administrative Litigation Act.
※ For more details on administrative litigation, please refer to the website of the Central Administrative Appeals Commission (http://www.simpan.go.kr ).
Last updated