Kooky Personal Information Handling Policy

Article 1. Purpose

1. In providing ‘Kooky’ services (hereinafter referred to as ‘Service’), the Lighters Company Co., Ltd (hereinafter referred to as ‘Company’) values members' personal information and strives to effectively manage and safely protect their personal information.
2. The company complies with laws and regulations related to personal information protection, such as the Act on Promotion of Information and Communication Network Utilization and Information Protection.
3. Through the personal information handling policy, the company informs you of the use and method of personal information provided by members and what measures are being taken to protect personal information.
4. The company posts on the Kooky service screen so that members can easily view this policy at all times.

Article 2. Items and methods of collecting personal information

1. The company considers that the members agreed to the collection and use of personal information if they choose to do so by preparing a consent procedure for the use of service terms and personal information when registering as a member.
2. The company can collect personal information as follows for the provision of services such as membership counseling, service application, and contract execution.
   (1) Common to Members
   - Required items: Email account, password (encrypted and stored so that it cannot be decrypted), profile name, mobile number, service version, OS, OS version, device model name, terminal unique ID (ID randomly assigned to a member's terminal), usage language, Time Zone
   - Selections: Purchase history of paid services such as country or region, gender, name and phone number stored in the terminal address book, profile picture (including meta information), status message, item and product, location information
3. The company can automatically generate and collect service usage records, access logs, cookies, access IP information, IDs, and payment records during service use.
4. The company collects personal information in the following ways:
   (1) Member registration, service inquiry, event application, delivery request, etc
   (2) Gathering through the generation information collection tool

Article 3. Purpose of collection and use of personal information

The company uses the collected personal information for the following purposes:

1. Implementation of a Service Delivery Agreement
   -Content provision, deliveries
2. Member management
   -Prevention of illegal use and unauthorized use of members due to the use of membership services, confirmation of duplicate subscriptions, confirmation of intention to join, preservation of records for dispute settlement, handling complaints, and delivery of notices
3. Leverage for marketing and advertising
   -Developing new services and providing customized services, providing services and advertising according to statistical characteristics, validating services, identifying access frequencies, and providing statistics, event and advertising information and participation opportunities for members

Article 4. Sharing and provision of personal information

1. The company uses the user's personal information within the scope notified by "2. Purpose of Collection and Use of Personal Information", and does not use it beyond the same scope or disclose the user's personal information to the outside in principle without the user's prior consent. However, exceptions are made in the following cases.
   (1) If users have agreed to the disclosure in advance
   (2) Where there is a request from an investigative agency in accordance with the provisions of statutes or in accordance with the procedures and methods prescribed by statutes for the purpose of investigation
2. Personal information is provided to third parties as follows only if the member agrees.
   -Prevention of illegal use and unauthorized use of members due to the use of membership services, confirmation of duplicate subscriptions, confirmation of intention to join, preservation of records for dispute settlement, handling complaints, and delivery of notices
3. Leverage for marketing and advertising
   (1) When collecting personal information from the data subject, the "company" processes and holds personal information within the period of retention and use of personal information obtained by consent or within the period of retention and use of personal information under laws and regulations.
   (2) Specific personal information processing and retention periods are as follows.
   - Customer registration and management: From the date of application for registration of the customer to the date of termination of the member
   - Records on the handling of complaints or disputes by consumers: 3 years
   - Records on the collection/processing, use, etc. of credit information: 3 years
   - Records of payment and supply of goods, etc.: 5 years
   - Records concerning withdrawal of contracts or subscriptions: 5 years
   - Record on display/advertisement: 6 months, record on access: 1 year
   (3) Holding and Use Period: Personal information shall be held and used within one year after the end of the transaction between the person and the recipient, and after the transaction, it shall be held and used only within the scope necessary for investigation of financial accidents, dispute resolution, civil petitions, and fulfillment of legal obligations.

Article 5. Consignment of collected personal information

1. In order to improve the service, the company entrusts and operates personal information to an external specialized company, and in order to ensure the safety of consignment management, it clearly stipulates the service provider's personal information, confidentiality of personal information, prohibition of third parties, and liability in case of accidents.
2. The details of the company's personal information consignment processing agency and consignment work are as follows.
   -AMAZON Web Service
   Transfer, process, and store personal information acquired or generated by users to cloud services
   * However, AMAZON Web Service only manages the server physically and does not access your personal information in principle.
3. If the details of the entrusted work or the trustee changes, we will disclose it through this personal information handling policy without delay.

Article 6. Period of retention and use of personal information collected

1. If a member withdraws from the membership or is deleted due to false personal information, the collected personal information will be completely deleted and processed to be unavailable for any purpose.
2. The member's personal information is destroyed without delay when the purpose of collecting and using personal information is achieved in accordance with Article 7 (1) of this Personal Information Handling Policy. However, if it is necessary to preserve personal information in accordance with the company's internal policy or the provisions of the relevant laws and regulations, the personal information may be kept for the period specified below.
   (1) According to the internal policy, the information below will be destroyed after storing it for a year.
   - fraudulent usage records
   - Encrypt your email account (to send a reminder and respond to CS after leaving)
   (2) According to the internal policy, the information below will be destroyed after 6 months of storage.
   - Encrypts and stores device-specific IDs and mobile phone numbers (to comply with fan club community regulation and prevent duplicate subscriptions)
   (3) According to the Act on Consumer Protection in e-commerce, the following items are destroyed after being stored for a certain period of time. (Preservation period in parentheses)
   - Records on contract or withdrawal of subscription, etc. (5 years)
   - Records of payment and supply of goods, etc. (5 years)
   - Records of the handling of consumer complaints or disputes (3 years)
   - Record of display/advertisement (6 months)
   (4) According to the Framework Act on National Taxes, books and evidential documents on all transactions prescribed by the tax law are kept for five years and destroyed.
   (5) According to the Electronic Financial Transactions Act, records related to electronic financial transactions are kept for five years and destroyed.
   (6) According to the Communication Secret Protection Act, service visit records are destroyed after 3 months of storage.
   (7) When collecting personal information of children's members under the age of 14, the legal representative information according to the consent is kept and destroyed until the child is over the age of 14.

Article 7. Procedures and methods for destroying personal information

1. In principle, the company destroys the information without delay after the retention period has elapsed or the purpose of collecting and using personal information has been achieved.
2. Destruction procedure
   In principle, the information entered for membership registration, etc. is destroyed without delay when the purpose of collecting and using personal information is achieved, and it is not used for any purpose other than being held unless it is by law.
3. A method of destruction
   The printed personal information is destroyed by shredding or burning, and the personal information stored in the form of an electronic file is deleted using a technical method that cannot be reproduced.

Article 8. Rights of Members and Method of Exercise thereof

1. Members may check, inquire, or modify their personal information (including legal representatives if they are members under the age of 14) at any time, and may request cancellation of subscription or suspension of processing personal information. However, some or all of the services may be restricted in such be restricted.
2. Members can inquire and modify their personal information directly on [My Profile] within the service. In addition, members can terminate the use contract at any time through [withdrawal of members] in the service, and all personal information of the members will be deleted if they cancel. However, in cases falling under Article 6 (2) of the Personal Information Handling Policy, it may be stored for a certain period of time in accordance with the relevant statutes.
3. If a member requests correction or deletion of his or her personal information, the company will take necessary measures without delay after confirming his or her identity. In addition, personal information such as deletion of a member account may be destroyed at the judgment of the person in charge of personal information management in cases falling under each subparagraph of Article 20 (1) (Restriction on Use, etc.).
4. If you request correction of an error in personal information, the personal information will not be used or provided until the correction is completed. In addition, if the wrong personal information has already been provided to a third party, we will notify the third party of the results of the correction so that the correction can be made.
5. The company processes personal information terminated or deleted at the request of a member in accordance with Article 6 of the Personal Information Handling Policy and does not allow access or use for other purposes.
6. The exercise of rights under paragraphs (1) and (2) may be conducted in writing, e-mail, etc. through an agent, such as a legal representative of the data subject or a person delegated. In this case, you must submit a power of attorney in accordance with attached Form 11 of the Enforcement Rules of the Personal Information Protection Act.

Article 9. Technical and management measures for personal information protection

In order to ensure that personal information is not lost, stolen, leaked, tampered with or damaged in handling personal information of members, the company is taking the following technical and management measures.

1. Technical measures
   (1) The company is doing its best to prevent members' personal information from being leaked or damaged by hacking or computer viruses. In preparation for personal information damage, data are frequently backed up, the latest vaccine program is used to prevent leakage or damage of users' personal information, and personal information can be safely transmitted on the network through encrypted communication. In addition, we use intrusion prevention systems to control unauthorized access from outside, and we strive to have all possible technical devices to ensure system security.
2. Administrative measures
   (1) The company's personal information-related employees are limited to the person in charge, and a separate password is assigned and updated regularly, and the compliance with the personal information handling policy is always emphasized through occasional training for the person in charge.
   (2) The company has a person in charge of personal information management to always check the implementation of the personal information handling policy, and to correct problems immediately if they are found. However, the company is not responsible for any problems caused by the leakage of personal information due to the user's carelessness or Internet problems.

Article 10. Matters concerning the installation/operation and rejection of an automatic personal information collection device

The company installs/operates cookies to help users get a faster web experience, and users can reject them.

1. What is a cookie?
   (1) A cookie is a very small text file that the server used to run the website sends to the user's browser. Cookies are stored in a storage device of the user's device.
   (2) Cookies do not collect personal identification information, and users can refuse or delete cookies any time.
2. Purpose of use of cookies
   (1) Through cookies, the company can store user-specified settings or operators' preferred pages to support a faster and more convenient web environment for users.
   (2) Through cookies, the company can easily grasp the user's taste/interest field and use it to provide appropriate services for the user.
3. Install/operate and reject cookies
   (1) Users have the option of installing cookies.
   (2) Users can also allow all cookies by setting options in their web browser, check each time a cookie is saved, or refuse to save all cookies. However, if you refuse to install cookies, it may be inconvenient to use the web and difficult to use some services that require login.
   (3) How to set it up by browser- Internet Explorer: Tools menu at the top of a web browser > Internet Options > Privacy > Settings- Chrome: Settings menu at the right of a web browser > Display advanced settings at the bottom of the screen > Content Settings button > Cookies

Article 11. Link Site

1. The company can provide members with links to other companies' websites or materials through the service. In this case, the "personal information handling policy" of the site is not related to the "personal information handling policy" of the service, so please check the "personal information handling policy" of the newly visited site.

Article 12. Person in charge of personal information management

The company designates a person in charge of personal information management who is in charge of collecting opinions on personal information and handling complaints.

1. Person in charge of personal information management
   (1) Company/Service: Lighters Company Co., Ltd
   (2) Name: Kim Hami
   (3) Position: CEO
   (4) E-Mail : hami@kooky.io
2. Customer service
   (1) Company/Service: Lighters Company Co., Ltd
   (2) Department in charge: Service operation team
   (3) E-Mail : hello@kooky.io
3. Working hours of the person in charge of personal information management
   (1) 10:00 to 19:00 on weekdays and 12:00 to 13:00 on breaks
   (2) It is closed on Saturdays, Sundays, and holidays.
4. Other reporting or counseling agencies for personal information infringement
   (1) Personal Information Infringement Report Center (https://privacy.kisa.or.kr/ Phone number: 118)
   (2) Cyber Investigation Division of the Supreme Prosecutors' Office (http://www.spo.go.kr / Phone number: 02-3480-2000)
   (3) National Police Agency Cyber Safety Bureau (http://www.cyber.go.kr / Phone number: 182)

Article 13. Revision of Personal Information Handling Policy

1. When the company changes the personal information handling policy, it shall notify the reason for the change and the application date through the notice in the service from 7 days before the application date to the application date. However, if there is an important change in the rights or obligations of the user, it shall be notified at least 30 days in advance.
2. If the company notifies the change in accordance with paragraph (1) and does not express its intention to reject it by the date of application of the change, but does not explicitly express its intention to reject it, the user shall be deemed to have agreed to the change.
3. Notwithstanding paragraph (2), if the company collects additional personal information from the user or provides it to a third party, it shall go through a separate process of consent from the user himself.

Article 14. Use of Youtube API

1. The company's API client uses the Youtube API. See also: https://policies.google.com/privacy
2. Note: Security setting access page

This Personal Information Handling Policy will be applied from July 10, 2020.
- Announcement date: July 2, 2020
- Effective date: July 10, 2020