Article 1 (Purpose)

Onetime (hereinafter referred to as "Onetime") establishes this Privacy Policy (hereinafter "this Policy") as follows, in order to protect the personal information (hereinafter "Personal Information") of individuals (hereinafter "Users" or "Individuals") who use the service (hereinafter "Onetime Service") provided by Onetime, and to ensure that any issues related to the protection of users' personal information are handled promptly and smoothly, in compliance with the Personal Information Protection Act, the Act on Promotion of Information and Communications Network Utilization and Information Protection (hereinafter "Information and Communications Network Act"), and other related laws.

Article 2 (Principles of Personal Information Processing)

In accordance with relevant personal information laws and this Policy, Onetime may collect users' personal information, and such collected personal information may be provided to third parties only with the individual's consent. However, if required by law or other legitimate regulatory provisions, Onetime may provide the collected personal information to third parties without prior consent from the individual.

Article 3 (Disclosure of this Policy)

  1. Onetime makes this Policy publicly available on its homepage or on a connected page so that users can easily access and review it at any time.
  2. When disclosing this Policy as stated in clause 1, Onetime will utilize font sizes, colors, and other design elements to ensure that users can easily read and understand the Policy.

Article 4 (Amendment of this Policy)

  1. This Policy may be amended in accordance with changes in personal information-related laws, guidelines, notifications, or due to changes in government policy or the content of Onetime's service.
  2. When amending this Policy as stated in clause 1, Onetime will notify users by one or more of the following methods:
    • Posting a notice in the announcement section on the homepage operated by Onetime or through a separate window.
    • Notifying users via written notice, facsimile, email, or a similar method.
  3. Such notification of the amendments will be provided at least 7 days before the effective date of the amended Policy. However, if the amendment involves significant changes affecting users' rights, notice will be provided at least 30 days in advance.

Article 5 (Information for Membership Registration)

For the purpose of registering for Onetime Service, Onetime collects the following information from users:

  1. Mandatory information: Email address, password, name, nickname, date of birth, and mobile phone number.

Article 6 (Information for Identity Verification)

For the purpose of verifying the identity of users, Onetime collects the following information:

  1. Mandatory information: Mobile phone number, email address, name, date of birth, gender, identity verification values (CI, CD), and mobile carrier.

Article 7 (Information for Providing Onetime Service)

In order to provide its service to users, Onetime collects the following information:

  1. Mandatory information: User ID, email address, name, date of birth, and contact number.
  2. Optional information:
    • For physical product delivery: Name, phone number, and address.
    • For mobile product delivery: Phone number.
    • For processing taxes and related fees: Name, resident registration number, phone number, address, and email address.

Article 8 (Information for Service Usage and Detecting Fraudulent Use)

To perform statistical analysis of service usage and to detect and analyze fraudulent use (fraudulent use refers to acts such as repeatedly re-registering after membership withdrawal to unlawfully obtain economic benefits such as discount coupons or event benefits provided by Onetime, actions prohibited by the Terms of Service, or identity theft), Onetime collects the following information:

  1. Mandatory information: Service usage records, cookies, access location information, and device information.

Article 9 (Methods of Collecting Personal Information)

Onetime collects users' personal information by the following methods:

  1. When users enter their personal information on Onetime's homepage.
  2. When users enter their personal information through services provided by Onetime outside of the homepage, such as via an application.
  3. When users provide their personal information during the use of Onetime's services, such as through customer center inquiries or activities on bulletin boards.

Article 10 (Use of Personal Information)

Onetime uses personal information for the following purposes:

  1. To deliver announcements and for other purposes necessary for the operation of Onetime.
  2. To respond to inquiries, address complaints, and improve services for users.
  3. To provide Onetime's services.
  4. To restrict usage and to prevent and sanction actions that may interfere with the smooth operation of the service, including fraudulent use or any acts by members that violate the law or Onetime's Terms.
  5. To develop new services.
  6. For marketing purposes, such as providing information about events and promotions.
  7. For demographic analysis and analysis of service visits and usage records.
  8. To facilitate the formation of relationships between users based on personal information and interests.

Article 11 (Retention and Use Period of Personal Information)

  1. Onetime retains and uses users' personal information for the period necessary to achieve the purposes for which the personal information was collected and used.
  2. Notwithstanding the preceding clause, Onetime retains records of fraudulent service usage for up to 1 year from the time of membership withdrawal, in accordance with its internal policies, to prevent fraudulent re-registration and usage.

Article 12 (Retention and Use Period of Personal Information According to Law)

Onetime retains and uses personal information in accordance with relevant laws as follows:

  1. Under the Act on the Consumer Protection in Electronic Commerce, etc.:
    • Records related to contracts or withdrawal of applications: 5 years.
    • Records related to payment and supply of goods: 5 years.
    • Records related to consumer complaints or dispute resolution: 3 years.
    • Records related to labeling and advertising: 6 months.
  2. Under the Act on the Protection of Communications Secrets:
    • Website log records: 3 months.
  3. Under the Electronic Financial Transactions Act:
    • Records related to electronic financial transactions: 5 years.
  4. Under the Act on the Protection and Use of Location Information:
    • Records related to personal location information: 6 months.

Article 13 (Principle of Destruction of Personal Information)

Onetime, as a general rule, will promptly destroy users' personal information when it is no longer necessary for the purpose for which it was collected or once the retention/use period has expired.

Article 14 (Procedure for Destruction of Personal Information)

  1. Information entered by users for membership registration, etc., is transferred to a separate database (or a separate filing system in the case of paper documents) after the purpose of processing the personal information has been achieved, and is stored for a specified period according to internal policies and other related laws (see retention and use period), after which it is destroyed.
  2. Onetime destroys personal information that meets the criteria for destruction following the approval procedure by the person responsible for personal information protection.

Article 15 (Method of Destruction of Personal Information)

Onetime deletes personal information stored in electronic files using technical methods that render the records unrecoverable, and for personal information printed on paper, Onetime destroys it by shredding or incineration.

Article 16 (Measures for Transmission of Promotional Information)

  1. When transmitting promotional information for commercial purposes via electronic transmission media, Onetime obtains the explicit prior consent of the user. However, prior consent is not required in any of the following cases:
    1. If Onetime directly collects the recipient's contact information through commercial transactions and, within 6 months of the termination of the transaction, transmits promotional information for similar goods for commercial purposes.
    2. If a telemarketing salesperson, under the Act on Door-to-Door Sales, notifies the recipient of the source of personal information and then makes a telephone solicitation.
  2. Notwithstanding clause 1, if the recipient has indicated a refusal to receive or has withdrawn their prior consent, Onetime will not transmit promotional information for commercial purposes, and will inform the recipient of the result of processing the refusal or withdrawal.
  3. Notwithstanding clause 1, if Onetime transmits promotional information for commercial purposes via electronic transmission media between 9:00 PM and 8:00 AM the next day, Onetime must obtain separate prior consent from the recipient.
  4. When transmitting promotional information for commercial purposes via electronic transmission media, Onetime shall clearly disclose the following information in the promotional message:
    1. The company name and contact information.
    2. Information regarding how to indicate refusal or withdrawal of consent.
  5. When transmitting promotional information for commercial purposes via electronic transmission media, Onetime shall not engage in any of the following actions:
    1. Actions that evade or obstruct the recipient's refusal to receive or withdrawal of consent.
    2. Actions that automatically generate the recipient's contact information, such as telephone numbers or email addresses, by combining numbers, symbols, or letters.
    3. Actions that automatically register telephone numbers or email addresses for the purpose of transmitting promotional information.
    4. Measures intended to conceal the identity of the promotional information sender or the source of the advertisement.
    5. Any actions that deceive the recipient into replying for the purpose of transmitting promotional information.

Article 17 (Right to Access Personal Information and Withdraw Consent)

  1. Users and their legal representatives may access or modify their registered personal information at any time, and may request to withdraw their consent for the collection of personal information.
  2. Users and their legal representatives may request the withdrawal of consent for the collection of their registration information by contacting the designated officer via email, and Onetime will take prompt action without delay.

Article 18 (Correction of Personal Information)

Users may request corrections to any inaccuracies in their personal information by contacting Onetime using the methods outlined in the preceding article.

Article 19 (User's Obligations)

  1. Users must keep their personal information up to date, and they are responsible for any issues arising from providing inaccurate information.
  2. If a user registers using another person's personal information, they may lose their membership and be subject to penalties under relevant personal information protection laws.
  3. Users are responsible for maintaining the security of their email addresses, passwords, etc., and may not transfer or lend them to third parties.

Article 20 (Onetime's Management of Personal Information)

Onetime takes necessary technical and managerial measures to ensure the security and integrity of users' personal information, protecting it from loss, theft, leakage, alteration, or damage.

Article 21 (Handling of Deleted Information)

Personal information that is terminated or deleted at the request of the user or their legal representative is processed in accordance with the "Retention and Use Period of Personal Information" specified by Onetime, and is not made available for any other purposes.

Article 22 (Encryption of Passwords)

Users' passwords are stored and managed using one-way encryption, and verification or changes to personal information can only be made by the user who knows the password.

Article 23 (Measures Against Hacking and Similar Threats)

  1. Onetime endeavors to prevent the leakage or damage of users' personal information due to hacking, computer viruses, or other intrusions into the information and communications network.
  2. Onetime uses up-to-date antivirus software to prevent users' personal information or data from being leaked or damaged.
  3. Onetime employs intrusion prevention systems to enhance security in case of emergencies.
  4. In cases where sensitive personal information is collected or stored, Onetime ensures that such information is transmitted securely over the network through encrypted communications.

Article 24 (Minimization of Personal Information Processing and Training)

Onetime limits the number of personnel involved in the processing of personal information to the minimum necessary and emphasizes compliance with laws and internal policies through managerial measures such as training for those handling personal information.

Article 25 (Measures for Responding to Personal Information Leakage)

Upon becoming aware of any leakage, theft, or loss of personal information (hereinafter "leakage, etc."), Onetime will promptly notify the affected users of all of the following:

  1. The items of personal information that were leaked, etc.
  2. The time at which the leakage, etc. occurred.
  3. The actions that the user can take.
  4. The response measures taken by the information and communications service provider, etc.
  5. The department and contact information where users can seek consultation.

Article 26 (Exceptions to Measures for Responding to Personal Information Leakage)

Notwithstanding Article 25, if there is a legitimate reason, such as being unable to obtain the user's contact information, Onetime may substitute the notification required in Article 25 by posting a notice on its homepage for at least 30 days.

Article 27 (Protection of Internationally Transferred Personal Information)

  1. Onetime does not enter into international contracts that contain provisions violating the Personal Information Protection Act or other related regulations concerning users' personal information.
  2. In order to transfer (including access), outsource processing, or store (hereinafter "transfer") users' personal information abroad, Onetime obtains the user's consent. However, if all the matters in clause 3 of this Article are disclosed in accordance with the Personal Information Protection Act or other related laws, or notified to the user by methods prescribed by presidential decree (e.g., via email), the consent procedure for the transfer, outsourcing, or storage of personal information may be omitted.
  3. In order to obtain consent as described in clause 2, Onetime will notify the user in advance of the following:
    1. The items of personal information to be transferred.
    2. The country to which the personal information is transferred, the date of transfer, and the method of transfer.
    3. The name of the entity receiving the personal information (or, in the case of a corporation, its name and the contact information of the person responsible for managing the information).
    4. The purpose for which the personal information will be used by the recipient and the period for which it will be retained and used.
  4. When obtaining consent to transfer personal information abroad in accordance with clause 2, Onetime will take protective measures in accordance with the Personal Information Protection Act presidential decree or other relevant regulations.

Article 28 (Installation, Operation, and Refusal Regarding Automatic Personal Information Collection Devices)

  1. Onetime uses automatic personal information collection devices (hereinafter "cookies") that store and retrieve user information to provide personalized services. Cookies are small amounts of data sent by the server (HTTP) operating the website to the user's web browser (including PC and mobile) and may also be stored in the user's storage.
  2. Users have the option to choose whether to allow cookies. Therefore, users can configure their web browser settings to allow all cookies, prompt for confirmation whenever a cookie is stored, or refuse the storage of all cookies.
  3. However, if the storage of cookies is refused, some of Onetime's services that require login may be difficult to use.

Article 29 (How to Enable Cookies)

You can configure cookie settings such as allowing or blocking cookies through your web browser's options.

  1. Edge: Settings menu at the top-right of the browser > Cookies and site permissions > Manage and delete cookies and site data.
  2. Chrome: Settings menu at the top-right of the browser > Privacy and security > Cookies and other site data.
  3. Whale: Settings menu at the top-right of the browser > Privacy > Cookies and other site data.

Article 30 (Remedies for Violation of Rights)

  1. Data subjects may apply for dispute resolution or counseling through the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency Personal Information Infringement Report Center, or other relevant institutions in order to seek redress for any infringement of their personal information rights. For any other complaints or inquiries regarding personal information infringement, please contact the institutions listed below:
    • Personal Information Dispute Mediation Committee: (No area code) 1833-6972 (www.kopico.go.kr)
    • Personal Information Infringement Report Center: (No area code) 118 (privacy.kisa.or.kr)
    • The Supreme Prosecutors' Office: (No area code) 1301 (www.spo.go.kr)
    • The National Police Agency: (No area code) 182 (ecrm.cyber.go.kr)
  2. Supplementary Provisions: Onetime is committed to ensuring the data subject's right to self-determination regarding personal information and will endeavor to provide assistance and redress in cases of personal information infringement. If you require reporting or consultation, please contact the department specified in clause 1.
  3. In cases where a person has suffered damage or loss of rights or interests due to an action or omission by a head of a public institution in response to a request under Article 35 (Access to Personal Information), Article 36 (Correction or Deletion of Personal Information), or Article 37 (Suspension of Processing of Personal Information) of the Personal Information Protection Act, the person may file an administrative appeal in accordance with the Administrative Appeals Act.
    • Central Administrative Appeals Commission: (No area code) 110 (www.simpan.go.kr)

Supplementary Provisions

Article 1: This Policy shall take effect from February 10, 2025.