Lunchlunch Co., Ltd. (hereinafter referred to as "the Company") complies with the provisions of the "Personal Information Protection Act" and other relevant laws and regulations to protect the freedom and rights of users, and handles personal information lawfully and securely. In accordance with Article 30 of the "Personal Information Protection Act," the Company establishes and discloses this privacy policy to guide users on the procedures and standards for the processing of personal information and to promptly and smoothly handle related complaints.
Article 1 (Purposes of Personal Information Processing)
① The Company processes user personal information for the following purposes. The processed personal information will not be used for purposes other than the stated purposes, and if the purpose of use is changed, the Company will take necessary measures, such as obtaining separate consent in accordance with Article 18 of the "Personal Information Protection Act."
1. Membership registration and management
- Personal information is processed for the purpose of confirming the intention of membership registration, mobile phone ownership authentication for providing membership services, maintaining and managing membership qualifications, preventing unauthorized use and fraudulent activities, and sending various notices and notifications.
2. Provision of goods or services
- Personal information is processed for the overall management of service-related matters such as personal environment settings, generation of virtual asset wallet addresses, verification of virtual asset transfer records, sending and receiving virtual assets, asset inquiries on exchanges, settlement and reconciliation of virtual asset deposit and withdrawal transactions, intermediation of virtual asset exchange services, ensuring service stability, providing secure services, identity verification, fee payments, and restricting acts in violation of laws and service terms of use.
3. Event and marketing information guidance
- Personal information is processed for the purpose of providing various events, marketing and advertising information, and introducing new services and service improvements.
4. Complaint handling
- Personal information is processed for the purpose of confirming the identity of complainants, handling complaints, contacting and notifying for factual investigations, notifying the results of processing, providing remedies for damages, changing member information, and releasing dormant (suspended) accounts.
5. Provision of data for legal obligations
- Personal information is processed for providing data in response to requests from investigative agencies, courts, tax authorities, etc., and providing data in response to damage reports as required by law.Article 2 (Processing and Retention Period of Personal Information)
① The Company processes and retains personal information within the period specified by law or the period agreed upon by the user when collecting personal information.
② The processing and retention periods for each category of personal information are as follows:
1. Membership registration and management: Until withdrawal.
2. Provision of goods or services: Until the completion of supplying goods or services and the payment/settlement of related costs (up to 3 months for partner inquiry services for business partnerships, starting from the date of inquiry reception).
3. Event and marketing information notification: 3 months after the completion of the respective event (until the withdrawal of consent for receiving marketing information).
4. Handling complaints: Until the period required by relevant laws.
5. Provision of data for legal obligations: Until the conclusion of the relevant case.
③ User's personal information is destroyed without delay once the purpose of processing under Article 1 and the processing and retention period under
Article 2, paragraph 2 is achieved. However, in the following cases, personal information may be processed and retained until the end of the respective reason, and if the processing and retention period differs, the longest period shall apply:
1. In cases falling under the reasons specified in the following items of related laws, until the end of the respective period:
2. In cases where investigations or inspections are being conducted due to violations of relevant laws, until the end of the investigation or inspection.
3. In cases where there is an existing creditor-debtor relationship based on the use of services, until the settlement of the respective rights and obligations.
4. In cases where legal disputes, such as lawsuits, between the user and the Company are ongoing, until the finalization of the relevant procedures.
Article 3 (Items of Processed Personal Information)
The Company processes the following personal information items for the purpose of providing services to users:
Article 4 (Provision of Personal Information to Third Parties)
① The Company processes user's personal information only within the scope specified for the purpose of processing personal information and does not provide it to third parties without the user's consent. ② However, personal information may be provided to third parties in the following cases: when the user directly agrees to provide personal information for using services of external partner companies, when the Company is obligated to submit personal information in accordance with relevant laws, when urgent situations such as disasters, infectious diseases, urgent risks to life or body, urgent property losses occur and it is necessary to provide personal information to resolve them.
Article 5 (Outsourcing of Personal Information Processing)
① The Company entrusts the following personal information processing tasks to ensure smooth handling of personal information:
② When entering into an outsourcing agreement, the Company explicitly states in the contract or other documents the matters regarding the prohibition of personal information processing beyond the purpose of subcontracting, technical and administrative protective measures, restrictions on re-outsourcing, management and supervision of subcontractors, liability for damages, etc., in accordance with Article 26 of the Personal Information Protection Act. The Company also monitors whether subcontractors handle personal information securely. ③ In the event of a change in the content of outsourced tasks or subcontractors, the Company will promptly disclose such information through this Privacy Policy.
Article 6 (Transfer of Personal Information to Overseas)
① The Company may transfer the user's information to overseas locations for the purposes and provision of services as specified in this Privacy Policy. ② When transferring personal information overseas, the Company shall specify in this Privacy Policy the items of personal information subject to transfer, the country to which the personal information is transferred, the date and method of transfer, the name of the recipient (including the name and contact information of the information management officer in the case of a corporation), the purpose of using and retaining the personal information by the recipient, and the retention and use period of the personal information, in accordance with Article 39-12(3) of the Personal Information Protection Act. ③ The Company may take appropriate measures to protect personal information in accordance with the laws of the country where the personal information is transmitted, stored, or processed, and may be subject to personal information protection laws that differ from domestic laws.
Article 7 (Procedure and Method of Personal Information Destruction)
① The Company shall promptly destroy the personal information when it becomes unnecessary, such as the expiration of the retention period or the achievement of the processing purpose. ② If it is necessary to continue to retain the personal information pursuant to the provisions of the laws and regulations, even after the expiration of the retention period agreed upon by the user or the achievement of the processing purpose, as set forth in Article 2 (Processing and Retention Period of Personal Information) and Article 8 (Measures for the Destruction of Personal Information of Non-Users), the Company shall separately store and manage such personal information by moving it to a separate database (DB) or storing it in a different location. ③ The procedure and method of personal information destruction are as follows:
1. When personal information is to be destroyed, the Company selects the personal information that has become unnecessary due to the expiration of the retention period or the achievement of the processing purpose, and carries out the destruction process through system automatic deletion or approval by the personal information protection officer.
2. The method of destruction follows the following guidelines:Personal information stored in electronic file format is permanently deleted to prevent the recovery of records (provided that if permanent deletion is technically difficult due to the characteristics of the technology, the personal information is anonymized and measures are taken to make it unrecoverable)Personal information recorded or stored on paper documents or other physical media is shredded or incinerated.
Article 8 (Measures for the Destruction of Personal Information of Non-Users)
① The Company destroys the information of users who have not used the service for a period of one year. ② However, even after the expiration of the retention period stipulated by other laws and regulations, the Company may store and manage the personal information of other users separately from the personal information of non-users. ③ The Company notifies the users of the fact of personal information destruction, the expiration date, and the items of personal information to be destroyed, 30 days prior to the destruction of personal information, through email, text messages, or other methods that can be notified to the users. ④ If you do not want your personal information to be destroyed, you can log in to the service before the expiration date.
Article 9 (Rights, Obligations, and Exercise Methods of Users and Legal Representatives)
① Users may exercise their rights to access, correct, delete, and request the suspension of processing of personal information from the Company at any time. However, the exercise of the rights to access, correct, delete, and request the suspension of processing of personal information may be restricted in accordance with the provisions of Article 35(4), Article 36(1), Article 37(2), and other relevant laws regarding the protection of personal information. ② The exercise of user rights can be done through electronic mail, telephone, or other means according to Article 41(1) of the Enforcement Rules of the Personal Information Protection Act, and the Company will promptly take appropriate measures in response. ③ The exercise of rights under paragraph 1 may be conducted through a legal representative or an authorized agent of the user. In this case, the user must submit a power of attorney in accordance with the format of Annex 11 of the "Guidelines on the Processing of Personal Information" (No. 2020-7). ④ Users and legal representatives can access or correct personal information by logging into the service and navigating to "Settings > Profile Management > Account Information." ⑤ If the deletion or correction of personal information is requested when it is clearly specified as the subject of collection under other laws, such deletion may not be possible. ⑥ The Company verifies whether the requester of the right to access, correction, deletion, or suspension of processing is the user themselves or a lawful representative.
Article 10 (Measures to Ensure the Security of Personal Information)
① The Company takes the following measures to ensure the security of personal information:
1. Administrative measuresEstablishment and implementation of internal management plans: The Company designates a person responsible for personal information protection and establishes and implements internal management plans for the secure handling of personal information.Minimization of personal information handlers and conducting information protection education: The Company designates and operates a minimum number of employees who handle personal information and conducts education and inspections on information protection for the personal information handlers.
2. Technical measuresPreparation of technical measures against hacking: The Company installs security programs to prevent the leakage or damage of personal information caused by hacking or computer viruses and conducts regular inspections and updates of security programs to manage and protect personal information securely.Access control to the personal information processing system: The Company establishes and operates access control measures for systems processing personal information by granting, changing, and revoking access permissions, and utilizes intrusion prevention systems to control unauthorized access from external sources.Encryption of personal information: The Company applies secure encryption algorithms to store and manage important personal information such as user passwords.
3. Physical measuresDesignation and operation of restricted and controlled areas: The Company designates and operates places such as computer rooms that handle important information, including user's personal information, as restricted and controlled areas for protection.Access control for unauthorized individuals: The Company establishes and operates procedures for access control to restricted areas, preventing the leakage and damage of user's personal information.
Article 11 (Installation, Operation, and Refusal of Automatic Collection Devices for Personal Information)
① The Company uses 'cookies' to store and retrieve user information for the purpose of providing personalized services. ② Cookies are small text files sent by the server operating the website to the user's browser and can also be stored on the user's computer hard disk.
1. Purpose of using cookies: Cookies are used to store user preferences and provide a faster web environment, as well as for service improvement to enhance user convenience. This allows users to easily utilize the services.
2. Installation and operation of cookies: Users have the option to choose whether to allow cookie installation. Therefore, users can set their web browsers to accept all cookies, confirm each time a cookie is saved, or refuse the storage of all cookies. However, if the storage of cookies is refused, it may cause difficulties in using personalized services.
3. Method for configuring the installation and operation of cookies (example):
Mobile device settings: i. Android OS: (based on the default browser) Access the internet icon > Menu > 'Settings' > 'Privacy and Security' > Cookie level settings. ii. iOS: 'Settings' app > 'Safari' > 'Privacy and Security' > Cookie level settings.
Article 12 (Collection, Use, Provision, and Refusal of Behavior Information)
① The Company collects and uses behavior information to provide optimized services to users and does not provide personalized advertisements.
1. The Company collects the following behavior information: a. Items of collected behavior information: Service menu usage history, search history. b. Method of collecting behavior information: Automatically generated and stored through log analysis tool (Google Analytics) when users use the service. c. Purpose of collecting behavior information: Service improvement and development based on user interest analysis. d. Retention and use period and subsequent information processing method: Immediately deleted after user withdrawal.
2. The Company only collects the minimum necessary behavior information for service improvement and does not collect sensitive behavior information that may significantly infringe upon individual rights, interests, or privacy, such as beliefs, family and relatives' relationships, educational and medical history, or other social activities.
3. Users can refuse the use of Google Analytics by disabling it through the Google Analytics Opt-out Browser Add-on (https://tools.google.com/dlpage/gaoptout).
4. Users can contact the following contact information to inquire about behavior information, exercise the right to refuse, or report damages related to behavior information.
Article 13 (Personal Information Protection Manager and Request for Access to Personal Information)
① The Company has designated a person in charge to oversee the handling of personal information to protect user's personal information, handle user complaints, and provide remedies related to the processing of personal information. The contact details of the responsible person are as follows:
▶ Customer Service Manager
Name: Yunjae Lee
Email: [email protected]
Website: www.lunchlunch.xyz
App: Settings > Support and Feedback
② Users can contact the customer service manager for any inquiries, complaints, or remedies regarding personal information protection related matters arising from the use of the Company's services. The Company will respond and handle the user's inquiries accordingly.
Article 14 (Remedies for Privacy Rights Violation)
Users can apply for dispute resolution, counseling, or other remedies related to personal information disputes by contacting the Personal Information Dispute Mediation Committee or the Korea Internet & Security Agency Personal Information Infringement Report Center. For reporting and counseling on other personal information infringements, please contact the following organizations:
1. Personal Information Dispute Mediation Committee: 1833-6972 (without area code) (www.kopico.go.kr)
2. Personal Information Infringement Report Center: 118 (without area code) (privacy.kisa.or.kr)
3. Supreme Prosecutors' Office: 1301 (without area code) (www.spo.go.kr)
4. National Police Agency: 182 (without area code) (ecrm.cyber.go.kr)
Article 15 (Changes to the Privacy Policy)
This privacy policy is effective as of March 22, 2024.