Privacy Policy

2019.6.1

Empo Inc. (hereinafter referred to as “the Company”) has the following policy to protect user's personal information and handle user's inconveniences in accordance with related laws such as the "Personal Information Protection Act", "The Act on the Promotion of Information and Communications Network Use and Information Protection, etc." When the Company revises its privacy policy, it will post it on its website or the Empo App or announce it individually.

Article 1 (Purpose of Processing Personal Information)

The Company processes personal information necessary for using services for the following purposes. The personal information processed will not be used for purposes other than the following purposes, and if the purpose of use is changed, the Company will take necessary measures such as obtaining each user’s consent.

(1) General

(a) Identity/age/account information verification;

(b) Identity verification for financial transactions;

(c) Securing communication channels for handling complaints, resolving disputes and fulfilling statutory obligations;

(d) Announcements on services, customer satisfaction survey;

(e) Event / gift winning result notification, gift delivery, customer appreciation event information;

(f) Statistical analysis and utilization of service usage;

(g) Providing services based on demographic characteristics, improving service quality, providing customized services, developing new services, providing customized reports and advertising;

(h) Wrongful use prevention, incident investigation, security policy establishment.

(2) Identity verification: [an additional consent process may be carried out by identity verification institutions during the verification process];

(3) Empo’s “EMPEE” Service: EMPEE's data usage based on auser’s information;

(4) Empo’s “EMPER” Service: research and analysis to improve service quality through checking the amount of EMPER’s data provision and connection of other devices based on a user’s information;

(5) Usage Report: providing customized report based on the amount of remaining Empo data and transaction history information;

(6) Reward: cash transaction using the account information entered by users (when Empo users send their own data), customer service regarding Empo reward services;

(7) Data usage inquiry: providing information on auser's data usage and provision, customized reports, research and analysis to improve service quality, etc.;

(8) Issuance of cash receipt;

(9) 1: 1 inquiry service: service user management, customer support, analysis to improve services;

(10) (Optional) Receive Advertising / Marketing: providing advertising / promotion for the Company or its partner’s' products / services.

- Must be treated as optional.

[Note] The following information can be created / collected in the process of using services or processing of personal information, and can be used for the following purposes.

1. Information generated through customer counseling and complaint handling related to service provision;
2. Service usage history (transaction settings and historical information such as terms and conditions of use, date and time of use, etc.), billing, payment history, usage suspension / termination record, abnormal usage record, access log: customer service related to service provision, complaint processing, etc.

Article 2 (Items of Collected Personal Information)

The Company collects personal information required for the use of services provided by the Company (hereinafter referred to as "services") in the minimum range. In the case of services used for the first time, the Company can ask users to enter required information, and if it already has the information, it can omit the input or provide input convenience for the users. In addition, the Company provides 'cancellation' or 'withdrawal' functions for most of the servicec, providing a way to cancel and delete the collection and use of personal information that has already been agreed at any time. However, some essential services may not be available for cancellation. If useres withdraw their consent to collection and use of a particular service, they will not be able to use the service, but there is no problem in using other services.

1. General: name, password (PIN), mobile phone number, email address;
2. Identity verification: gender, duplicate registration confirmation information (DI), connection information (CI), i-PIN number, information on Korean / foreigners

[In case of identity verification, an additional consent process may be conducted by identity verification institutions];

1. Empo’s “EMPEE” service: device number (MAC address), IP address (private), data usage record;
2. Empo’s “EMPER” service: data usage history;
3. Usage report: data usage records, information on the use of services after sign up, and connection information (CI);
4. Reward Application: PayPal account informaiton or bank account number / financial institution / SWIFT code / address, name (account holder);
5. Data usage inquiry: data usage history;
6. Issuance of cash receipts: name, mobile phone number or business registration number, cash receipt card number;
7. 1: 1 inquiry service: email address;
8. (Optional) Receive advertising / marketing: mobile phone number and email address (Receiving advertisement / marketing information can optionally be agreed, and users can choose to receive the information by text and push notification. Please refer to the additional agreement).

In addition, the following personal information items may be automatically generated and collected during the use of services.

1. Model name and manufacturer of mobile phone, OS version, and telecommunications company: to improve statistical analysis and service quality improvement;
2. Mobile phone device number (Android_ID): to collect encrypted information to identify a user’s device;
3. Accessing IP address: to cooperate with investigations on suspicious transactions and illegal users and provide location based service;
4. AD identifier(GAID, IDFA): to distinguish between users and user devices in marketing promotions;
5. GAID: Google Advertising ID;
6. IDFA: Identifier For Advertisers;
7. Online behavioral information: to provide customized services.

[Note] When users requests reward, their name and account number may remain in the financial transaction record as this information is essential for money transfer and must be preserved according to relevant laws and regulations. If the recipient is no longer an Empo user, the information will be retained only in the financial transaction details and used only for customer counseling and complaint processing.

Article 3 (Provision of Personal Information to a Third Party)

The Company provides the personal information necessary for the use of Empo service (hereinafter referred to as "services") to its partners for the following purposes. The processed information will not be used for purposes other than the following purposes, and if the purpose of use is changed, the Company will take necessary measures such as obtaining additional consent.

The Company provides only the minimum personal information necessary to use services to third parties. In the case of the services used for the first time, the Company can ask users to enter the necessary information, and if italready has the information, it can omit the input or provide input convenience for users.

In addition, the Company provides 'Cancel' or 'Withdrawal' function for most services to provide a way to cancel and delete the provision of personal information to third parties that has already been agreed at any time. However, some essential services may not be available for cancellation. If users withdraw their agreement to provide a third party in a particular service, they will not be able to use affiliated services, but they will be informed that they do not have any problems with the use of other services.

Instructions for providing input convenience: if information already entered in the services is needed for the use of other affiliated services, the Company will try to make it more convenient for users by filling it in in advance. If the pre-filled information is incorrect, please contact our Customer Service and request an revision.

In addition, the information will not be provided to partners until users finally decide whether to proceed, such as by clicking on the “Continue” button on the screen. Pre-filled information varies from screen to screen, and the purpose of 'provision' is not listed separately as it can seen on the screen.

[Copy of Untitled](https://www.notion.so/84e49a76d8a64163bb3c3cb7949902b8)

[Note] If the retention period is not stated, the provided information will be used until 1) the achievement of purpose of the provision, 2) the membership withdrawals, and 3) the retention period according to the related laws and regulations.

Article 4 (Processing and Retention Period of Personal Information)

The Company processes personal information within the period of holding personal information according to laws and regulations or within the period agreed to when collecting personal information from the information subject.

The Company shall promptly destroy users’ personal information when theyrequest withdrawal of membership or withdraw their consent to collection and use of personal information or when the retention period has passed. However, the following information may be retained for the period specified below.

(1) Membership registration and management: from the registration to withdrawal of membership (However, in case of the following reasons, until the end of the cases);

(a) If an investigation / probe is in progress due to violation of related laws and regulations, until the end of the investigation / probe;

(2) Provision of goods / services: until supply of goods / services and payment / settlement of fee are completed;

(However, until the end of the period, in case of the following)

(a) Electronic Financial Transaction Act

- Record of electronic financial transaction records: 5 years

(b) Act on the Consumer Protection in Electronic Commerce, etc.

- Records of contract or subscription withdrawal, payment, supply of goods, etc.: 5 years

- Records of consumer complaints or disputes: 3 years

(3) The Company’s internal policy to prevent wrongful use;

(a) Records of wrongful use: 3 years

(4) Advertising / marketing: from the date of consent to collection and use of personal information for advertising and marketing purposes till the date of withdrawal of consent ormembership (The Company guides users to confirm it every 2 years after the consent);

(5) When users have not used services for more than 1 year, their accounts may be classified as dormant accounts and the use of the accounts can be restricted.

(a) After being classified as a dormant account, user’s information will be destroyed after 6 months if the conditions of Article 4, Paragraph 1, 2 and 3 are not met.

[Note] Even if users delete the Empo App from their smartphone, their personal information will remain undeleted unless the users’ membership withdrawal requests are made. If they want to remove theinformation, request for membership withdrawal shall be made from the 'Settings' menu.

Article 5 (Entrustment of Personal Information)

(1) The Company entrusts part of its operations of personal information to third-party businesses in order to provide better services.

(a) Identity verification using mobile phone;

(i) Entrusted company: Amazon Web Service SNS

(ii) Entrusted operation: identity verification via user’s mobile number

(b) Sending SMS.

(i) Entrusted company: Amazon Web Service SNS

(ii) Entrusted operation: notification of service usage, login status check, etc.

(2) When entering into an entrustment contract, the Company shall specify in the contract the matters concerning the prohibition of personal information processing other than the purpose of performing consignment work, technical and administrative protection measures, restrictions on re-entrustment, management, supervision, and responsibility on the entrustee in accordance with Article 26 of the Personal Information Protection Act. The Company regularly supervises whether entrustees handle personal information securely.

(3) If the contents of the entrustment or the entrustee changes, the Company will disclose it through this privacy policy.

Article 6 (Rights, Duties of Information Subjects and Legal Representatives and their Exercise Methods)

(1) The information subject (hereinafter referred to as “the Subject”) can exercise the following privacy rights at any time to the Company.

(a) Request to access personal information and request for notification;

(b) Request for correction if there is an error;

(c) Request for removal of personal information and withdrawal of consent;

(d) Request for suspension of processing personal information;

(e) Request for notification of use and provision of credit information.

(2) The exercise of rights under Paragraph 1 can be done in writing, by telephone, e-mail, or fax, and the Company will take action without delay.

(3) If the Subject requests correction or deletion of personal information, the Company will not use or provide theinformation until the correction or deletion is completed.

(4) The exercise of rights under Paragraph 1 can be done through the representative of the Subject including legal representatives and an authorized attorney. In this case, a power of attorney pursuant to Form 11 of the Enforcement Rules of the Personal Information Protection Act must be submitted.

(5) The Subject shall not infringe personal information and privacy of others handled by the Company in violation of related laws and regulations.

(6) When the Company processes personal information collected from other than the Subject, unless there is justifiable reason, within 3 daysfrom the request of the Subject, it informs the Subject of the fact that they have the right to request the collection source, processing purpose, and suspension of processing of the information.

(7) If the Company denies the request from the Subject underParagraph 1  pursuant to Paragraph 4 Article 20 of the Personal Information Protection Act, it shall inform the Subject of the grounds and the reason of the rejection within 3 days of the request unless there is a justifiable reason.

[Note] How to withdraw consent

The Empo App provides an easy way to verify and withdraw user’s consent at any time, except for required consent.

(1) In case of advertising / marketing consent, users can turn text and push notifications on and off in 'Settings'> 'Notification settings’. If both are off, it is assumed that the consent has been withdrawn.

(2) In case of membership withdrawal, all consents are automatically withdrawn, including required consent.

Article 7 (Destruction of Personal Information)

(1) The Company destroys personal information immediately when the retention period of personal information has elapsed or the purpose of processing has been achieved.

(2) When the Company needs to keeppersonal information according to other acts and regulations while the personal information retention period agreed by the Subject has passed or the purpose of processing has been achieved, theinformation should be transferred to a separate database or stored in a different place.

(3) The procedures and methods of personal information destruction are as follows.

(a) Destruction procedure: the Company selects personal information for which the reason for destruction occurs and destroys personal information according to the following method.

(b) Destruction method: the Company destroys personal information stored in the form of electronic files to prevent recovery or reproduction, and destroys personal information recorded on paper documents by shredding or incineration in accordance with relevant acts and regulations.

Article 8 (Actions Taken to Protect Personal Information)

The Company takes the following measures to ensure the safety of personal information.

(1) Administrative measures: establish and implement an internal management plan, regular private information security education for employees, etc.

(2) Technical measures: access authority management of personal information processing system, access control system installation, encryption of unique identification information, security program installation, etc.

Article 9 (Privacy Officer)

The Company appoints a person who comprehensively takes charge of personal information processingand deals with  the Subject’s complaints and remedial compensation in relation to personal information processing.

Privacy Officer

Name: Choi, Han Dong

Position: Security Engineer

Email: security@empoapp.com

Article 10 (Remedy for Infringement)

The Subject can contact the organizations shown below to seek remedial compensation or consultation for privacy infringements.

The following organizations are independent from the Company. Users may contact the organizations when they are not satisfied with the Company's own privacy complaints or damage relief results, or need further assistance.

- Report Center for Personal Information Breach (Korea Internet & Security Agency)

- In charge of: reporting consultation on personal information infringement

- Website: privacy.kisa.or.kr

- Phone number: +82-118

- Address: 3rd floor, 9, Jinheung-gil, Naju-si, Jeollanam-do, Republic of Korea (58324)

- Personal Information Dispute Mediation Committee

- In charge of: application for mediation of personal information disputes, group dispute mediation

- Website: [www.kopico.go.kr](http://www.kopico.go.kr/)

- Phone number: +82-1833-6972

- Address: 4th floor, 209, Sejong-daero, Jongno-gu, Seoul, Republic of Korea (03171)

- Cyber Crime Investigation, Supreme Prosecutors' Office: +82-area code -1301 ([www.spo.go.kr)](about:blank)

- ([https://cyberbureau.police.go.kr/crime/sub1.jsp?mid=010101)](https://cyberbureau.police.go.kr/crime/sub1.jsp?mid=010101))

- Cyber Terror Response Center, National Police Agency (https://cyberbureau.police.go.kr/crime/sub1.jsp?mid=010101)

Article 11 (Enforcement of Privacy Policy)

This Privacy Policy will be effective  as of July 1, 2019.