Personal Information Processing Policy

MOIN, Inc.(hereinafter referred to as the "Company") complies with the provisions of the Personal Information Protection Act and related laws and regulations to protect the freedom and rights of data subjects, and processes and manages personal information lawfully and securely. In accordance with Article 30 of the Personal Information Protection Act, this Privacy Policy is established and disclosed to inform data subjects of the procedures and standards for handling personal information and to facilitate the prompt and smooth resolution of related grievances. This Privacy Policy applies equally to all services operated by the Company and may be revised from time to time due to changes in relevant laws, government guidelines, or Company policies. In the event of any changes to the Privacy Policy, the updated details will be posted on the Company's website.

Article 1 (Purpose of Processing Personal Information)

The Company processes personal information for the following purposes. The personal information being processed will not be used for purposes other than those specified below. If the purpose of use changes, the Company will take necessary measures, such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.

  1. Membership Registration and Management Personal information is processed for purposes such as membership registration, use of membership-based services, identity verification, individual identification, prevention of misuse or unauthorized use, and confirmation of intent to register.
  2. Provision of Services and Transaction-Related Purposes Personal information is processed to determine whether to establish a transaction relationship, to establish, maintain, fulfill, and manage such relationships, to investigate financial incidents, resolve disputes, handle complaints, and comply with legal obligations related to the services provided by the Company.
  3. Promotion and Solicitation of Products and Services Personal information is processed to develop new services, provide customized services, deliver services and advertisements based on demographic characteristics, verify the effectiveness of services, distribute prizes, conduct customer appreciation events, provide convenience and participation opportunities for members, analyze access frequency, and compile statistics on members' use of services.
  4. Purposes Related to Online Transactions Personal information is processed for purposes such as tracking and searching the details of electronic financial transactions, establishing security policies, and preventing incidents in accordance with Articles 21 and 22 of the Electronic Financial Transactions Act.
  5. Statistical Analysis, Scientific Research, and Public Record Preservation Personal information may be pseudonymized and processed for purposes such as statistical analysis, scientific research, and public record preservation in accordance with Article 28-2 of the Personal Information Protection Act.

Article 2 (Processing and Retention Period of Personal Information)

  1. The Company processes and retains personal information within the retention and usage period stipulated by relevant laws or as agreed upon when collecting personal information from the data subject. In accordance with Article 21 of the Personal Information Protection Act, personal information will be destroyed without delay if the retention period expires or the processing purpose is achieved, rendering the information unnecessary.
  2. The processing and retention periods for each category of personal information are as follows:
    1. Membership Registration and Management Personal information collected for the purpose of membership registration and management is retained and used from the date of membership registration until the date of membership withdrawal. However, in the following cases, personal information will be retained until the corresponding reason no longer applies:
      1. If an investigation or inquiry related to a violation of applicable laws is ongoing, until the investigation or inquiry is completed.
      2. If there are outstanding claims or debts related to the use of member services, until the claims or debts are settled.
    2. Service Provision and Transaction-Related Purposes Personal information is retained and used for the above purposes from the date of consent for collection and usage until five years after the transaction termination date. After the transaction termination date, personal information will be retained and used only for purposes such as investigating financial incidents, resolving disputes, handling complaints, complying with legal obligations, and the Company’s risk management.
    3. Promotion and Solicitation of Products and Services Personal information is retained and used from the date of consent for collection and usage until three months after the transaction termination date or until consent is withdrawn. After the date of consent withdrawal, personal information will be retained and used only for purposes related to Article 1, such as investigating incidents, resolving disputes, handling complaints, and complying with legal obligations.
    4. Purposes Related to Online Transactions Personal information related to online transactions is retained and used in accordance with the retention periods specified in Article 12 of the Enforcement Decree of the Electronic Financial Transactions Act, as follows:
      1. Records of the type and amount of electronic financial transactions, consent for withdrawals, information about counterparties of electronic financial transactions, connection logs of electronic devices, changes to applications or terms of electronic financial transactions, and records of electronic financial transactions exceeding 10,000 KRW per transaction: 5 years.
      2. Records of transaction approvals related to the use of electronic payment methods, records of error correction requests and their outcomes, and records of electronic financial transactions not exceeding 10,000 KRW per transaction: 1 year.
    5. Statistical Analysis, Scientific Research, and Public Record Preservation Pseudonymized personal information will be retained and used only until the period (or point in time) necessary to achieve the purpose established in the pseudonymization plan.

Article 3 (Categories of Personal Information Processed)

The Company processes the following personal information to the minimum extent necessary for providing its services.

  1. Personal Information Processed Without the Consent of the Data Subject The Company processes the following personal information without the consent of the data subject based on legal grounds:
Legal BasisCategoryCollected Information
Personal Information Protection Act Article 15(1)(4) (Performance of a Contract)Membership Registration and ManagementName, date of birth, email address, ID, password, mobile phone number, mobile carrier information
Personal Information Protection Act Article 15(1)(4) (Performance of a Contract)Service Provision and Transactions[When Sending Money] Name, English name, contact information, address, email address, purpose of remittance, recipient information (name, date of birth, financial institution name, account number, address, and contact information), relationship with the recipient [When Receiving Money] Recipient name, financial institution name, account number, contact information, email address
Personal Information Protection Act Article 15(1)(2) (Compliance with Legal Obligations) Act on Reporting and Using Specified Financial Transaction Information Article 5-2Membership Registration and ManagementName, identity verification certificate, date of birth, purpose of transaction, source of funds, gender, contact information (home, workplace, mobile), email address, account information (financial institution name, account number, account holder's name), unique identification number (resident registration number, driver’s license number, alien registration number, passport number), domestic residence registration number, nationality, occupation, address (workplace, home), workplace name, representative information (relationship, identification number)
Personal Information Protection Act Article 15(1)(2) (Compliance with Legal Obligations) Act on Reporting and Using Specified Financial Transaction Information Article 5-3(1)(2)Service Provision and Transactions[When Sending Money] Sender's name, sender's account number, address, unique identification number (resident registration number, alien registration number, passport number), recipient name, recipient account number
Personal Information Protection Act Article 15(1)(2) (Compliance with Legal Obligations) Act on Reporting and Using Specified Financial Transaction Information Article 5-2Service Provision and Transactions[When Receiving Money] Name, identity verification certificate, date of birth, purpose of transaction, source of funds, gender, contact information (home, workplace, mobile), email address, account information (financial institution name, account number, account holder's name), unique identification number (resident registration number, driver’s license number, alien registration number, passport number), domestic residence registration number, nationality, occupation, address (workplace, home), workplace name, representative information (relationship, identification number)
Personal Information Protection Act Article 15(1)(2) (Compliance with Legal Obligations) Electronic Financial Transactions Act Article 21(1)&(2), Article 22(1)Purposes Related to Online TransactionsID, login date and time, IP address, MAC address, HDD device information, OS information, app token information, device identification information (UUID, SSAID)
  1. Personal Information Processed with the Consent of the Data Subject The Company processes the following personal information with the consent of the data subject in accordance with Article 15(1)(1) and Article 22(1)(7) of the Personal Information Protection Act:
Collection PurposeCollected Information
Promotion and Solicitation of Products and Services[Optional Information] Name, date of birth, address, phone number, nationality, email address, SNS account, gender, login date and time, device information, login logs, cookie information, IP address

Article 4 (Processing of Personal Information of Children Under 14 Years Old)

The Company allows membership registration or the collection of personal information only for individuals aged 14 or older. As a general rule, the Company does not collect personal information from children under the age of 14, which requires the consent of their legal representatives for collection and use.

Article 5 (Provision of Personal Information to Third Parties)

  1. The Company processes personal information within the scope specified in Article 1 and does not process or provide personal information to third parties beyond its original scope without prior consent from the data subject. However, personal information may be used for purposes other than the intended purpose or provided to third parties in the following cases, unless such use or provision would unfairly infringe on the interests of the data subject or a third party:
    1. When separate consent is obtained from the data subject.
    2. When required by other laws.
    3. When it is deemed necessary to protect the life, body, or property interests of the data subject or a third party urgently
    4. When it is urgently required for public health or safety
  2. To provide seamless services, the Company provides personal information to third parties to the minimum extent necessary, with the consent of the data subject under Article 17(1)(1) of the Personal Information Protection Act:
RecipientPurpose of ProvisionProvided InformationRetention Period
Domestic Financial InstitutionsExecution of withdrawals and payments for overseas remittancesUser information (financial institution name, name, account number, address, identity verification number, remittance amount, remittance date, payment amount, payment date, phone number), recipient information (financial institution name, name, account number, phone number)Until the purpose is achieved or as specified by applicable laws.
Korea Financial Telecommunications & Clearings InstituteExecution of withdrawal transactions and account verificationUser information (financial institution name, name, account number, gender, date of birth, nationality, mobile phone number, email address)Until the purpose is achieved or as specified by applicable laws.
Foreign Banks, Remittance Intermediaries, and Payment Settlement AgentsOverseas remittances and cross-border electronic paymentsName, English name, date of birth, nationality, gender, address, mobile phone number, email address, occupation, unique identification information (resident registration number, driver's license number, foreign registration number, passport number), account information (financial institution name, account number, account holder name), transaction purpose, source of funds, transaction date/time, transaction counterpart information (name, unique identification information, account information, address, contact)Until the purpose is achieved or as specified by applicable laws.
  1. The Company may provide personal information to relevant authorities without the consent of the data subject in the following cases:
Legal BasisRecipientPurpose of ProvisionProvided InformationRetention Period
Personal Information Protection Act Article 17(1)(2), Article 15(1)(2), Foreign Exchange Transactions Act Article 21Bank of Korea, Financial Supervisory Service, Ministry of Economy and FinanceForeign exchange transaction managementOverseas remittance and payment details (name, unique identification information, transaction date/time, currency, amount, counterpart, address, account information)Until the purpose is achieved or as specified by applicable laws.
Personal Information Protection Act Article 17(1)(2), Article 15(1)(2), Act on Reporting and Using Specified Financial Transaction Information Article 9Korea Financial Intelligence UnitAnti-money laundering monitoringName, ID type, unique identification information, date of birth, gender, transaction date/time, transaction amountUntil the purpose is achieved or as specified by applicable laws.
  1. In accordance with the "Guidelines for Processing and Protecting Personal Information in Emergency Situations" announced jointly by government agencies, the Company may provide personal information to relevant agencies without the consent of the data subject, in the event of an emergency, such as a disaster, infectious disease, an incident or accident causing imminent life or bodily danger, or urgent property loss.

Article 6 (Procedures and Methods for the Destruction of Personal Information)

  1. The Company will promptly destroy personal information when the retention period expires, the purpose of processing has been achieved, or the information is no longer needed.
  2. If personal information needs to be retained under other laws, even after the retention period or the purpose of processing has been achieved, the relevant personal information (or personal information file) will be moved to a separate database (DB) or stored in another location.
  3. The procedures and methods for the destruction of personal information are as follows:
    1. Destruction Procedure The Company selects personal information for destruction based on the reasons for destruction and destroys it after obtaining approval from the person responsible.
    2. Destruction Method Personal information stored in electronic files will be destroyed in a way that prevents the records from being restored. Personal information stored in paper documents will be either shredded using a shredder or incinerated.

Article 7 (Criteria for Additional Use and Provision)

  1. The Company may, in accordance with Article 15(3) and Article 17(4) of the Personal Information Protection Act, and taking into account the provisions of Article 14-2 of the Enforcement Decree of the Personal Information Protection Act, use and provide personal information without the consent of the data subject.
  2. In order to use or provide personal information without the consent of the data subject, the Company has considered the following matters:
    1. Whether the purpose for the additional use or provision of personal information is related to the original purpose of collection.
    2. Whether, based on the circumstances of the collection or processing practices, it is foreseeable that the personal information will be additionally used or provided.
    3. Whether the additional use or provision of personal information will unduly infringe on the rights and interests of the data subject.
    4. Whether necessary measures such as pseudonymization or encryption have been taken to ensure the security of the information.

Article 8 (Entrustment of Personal Information Processing)

  1. To facilitate the efficient processing of personal information, the Company entrusts certain tasks to third parties as follows:
Entrusted PartyEntrusted TaskRetention and Use Period
SweetTracker Co., Ltd.Operation of SMS and notification systemUntil the purpose is achieved
Amazon Web Services, Inc.Cloud service operation and email systemUntil the purpose is achieved
Joy Corporation Co., Ltd.Operation of chat inquiry systemUntil the purpose is achieved
Infobank Co., Ltd.Operation of SMS and notification systemUntil the purpose is achieved
Kwangju Bank Co., Ltd.Verification of account holder identityUntil the purpose is achieved
Hecto Financial Co., Ltd.Verification of account holder identityUntil the purpose is achieved
Kiwoong Information & Communication Co., Ltd.Verification of real-name informationUntil the purpose is achieved
  1. When entering into entrustment contracts, the Company complies with Article 26 of the Personal Information Protection Act. The contracts explicitly stipulate matters such as the prohibition of processing personal information for purposes other than the performance of the entrusted task, implementation of safety measures, restrictions on re-entrustment, management and supervision of the entrusted party, and liability for damages. The Company also monitors whether the entrusted parties process personal information securely.
  2. In accordance with Article 26 (6) of the Personal Information Protection Act, if an entrusted party re-entrusts the company’s personal information processing tasks to another entity, the Company’s prior consent must be obtained.
  3. If there are changes to the contents of entrusted tasks or the entrusted parties, such changes will be disclosed through this Personal Information Processing Policy.

Article 9 (International Transfer of Personal Information)

In accordance with Article 28-8 (1)(3) of the Personal Information Protection Act, the company transfers personal information abroad only when necessary for the execution and fulfillment of a contract with the user, and only when outsourcing or storing personal information. If the user does not wish to have his/her information transferred abroad, the user may withdraw his/her consent, and the procedure for this is outlined in Article 10. However, withdrawing consent may restrict the access to certain services.

Details

Article 10 (Rights, Duties, and Methods of Exercise of Data Subjects)

  1. The data subject has the right to request access to their personal information processed by the Company.
  2. If the data subject finds any personal information that is inaccurate or unverifiable, they may request the Company to correct or delete it. However, if the personal information is specified as required by another law or regulation, the request for deletion may not be granted.
  3. The data subject may request the Company to stop processing their personal information. Requests for access, cessation of processing, or withdrawal of consent may be restricted in the following cases as per Articles 35(4) and 37(2) of the Personal Information Protection Act:
    1. If there is a special provision in law or it is unavoidable to comply with legal obligations
    2. If there is a risk of harm to another person's life, body, property, or other interests
    3. If failing to process personal information makes it difficult to provide the contracted services to the data subject, and the data subject has not explicitly indicated an intention to terminate the contract
  4. To exercise their rights, the data subject may contact the Company in writing, by email (support@themoin.com), or by fax, in accordance with Article 41(1) of the Enforcement Decree of the Personal Information Protection Act. The Company will take prompt action upon receiving such requests.
  5. The Company will verify that the person requesting access, correction, deletion, or cessation of processing is the data subject themselves or a legitimate representative.

Article 11 (Measures to Ensure the Security of Personal Information)

In accordance with Article 29 of the Personal Information Protection Act, the Company takes the following administrative, technical, and physical measures to ensure the security of personal information:

  1. Administrative Measures
    • Establishment and implementation of internal management plans
    • Operation of dedicated organizations: Operation of specialized personnel responsible for information security and personal information protection
    • Minimization of personal information access rights and regular employee training: Implementation of personal information management measures by designating and limiting the employees who handle personal information, and conducting regular personal information protection training
  2. Technical Measures
    • Access control for personal information processing systems: Implementing access control measures for personal information by granting, changing, or revoking access rights to the personal information processing systems
    • Installation of access control systems: Unauthorized access from external sources is controlled using intrusion prevention systems
    • Encryption of personal information: Personal identification information, passwords, and other authentication information are encrypted for storage and management, and data is encrypted during transmission. Additionally, file-locking functions are used for added security
    • Technical measures against hacking: Security programs are installed and periodically updated and checked to prevent data breaches or damage caused by hacking or computer viruses. Systems are installed in areas where external access is restricted, with technical and physical monitoring and blocking measures
  3. Physical Measures Access control to computer rooms, document storage rooms, etc.

Article 12 (Installation, Operation, and Refusal of Automatic Collection Devices of Personal Information)

The Company uses "cookies" to store and retrieve usage information to provide individualized services to users. A cookie is a small piece of information sent from the server (http) operating the website to the user's computer browser and is sometimes stored on the user's PC hard disk or mobile device.

  1. Purpose of Cookie Usage: The Company uses cookies for user authentication, provision of customized services, and improving usability while the customer is accessing the website.
  2. Installation, Operation, and Refusal of Cookies: The data subject can configure settings to allow or block cookies through the web browser options. However, refusing to store cookies may cause difficulties in using customized services.
    • Allow/Block Cookies in Web Browsers:
      • Chrome: Web browser settings > Privacy and security > Clear browsing data
      • Edge: Web browser settings > Cookies and site permissions > Manage and delete cookies and site data
    • Allow/Block Cookies in Mobile Browsers:
      • Chrome: Mobile browser settings > Privacy and security > Clear browsing data
      • Safari: Mobile device settings > Safari > Advanced > Block all cookies
      • Samsung Internet: Mobile browser settings > Clear browsing history > Clear browsing data

Article 13 (Remedies for Infringement of Rights of Data Subjects)

  1. The data subject may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee, the Personal Information Infringement Reporting Center of the Korea Internet & Security Agency (KISA), or other relevant institutions to receive relief from personal information infringement. For other matters related to personal information infringement or consultation, please contact the following organizations:
    1. Personal Information Dispute Mediation Committee: (Toll-free) 1833-6972 (www.kopico.go.kr)
    2. Personal Information Infringement Reporting Center: (Toll-free) 118 (privacy.kisa.or.kr)
    3. Supreme Prosecutor's Office: (Toll-free) 1301 (www.spo.go.kr)
    4. National Police Agency: (Toll-free) 182 (ecrm.police.go.kr)
  2. The Company ensures the right of the data subject to self-determination regarding personal information and strives to provide consultation and relief for personal information infringements. If reporting or consultation is needed, please contact the responsible organization below:
    • Personal Information Protection Customer Consultation and Reporting
    • Responsible Organization: Information Security Team
    • Contact Information: 070-4367-0113/compliance@themoin.com

Article 14 (Personal Information Protection Officer and Department for Handling Complaints)

  1. The Company has designated a Personal Information Protection Officer to oversee and take responsibility for all tasks related to personal information processing. The officer is also responsible for handling data subjects' complaints and providing relief for any damages related to personal information. The designated Personal Information Protection Officer is as follows:
    • [Personal Information Protection Officer]
      • Name: Hongseok Suh (CPO)
      • Department: Development Team, Information Security Team
      • Phone: 070-4367-0113
      • Fax: 0504-393-9687
      • Email: compliance@themoin.com
  2. Data subjects may contact the Personal Information Protection Officer and the relevant department for any inquiries, complaints, or relief related to personal information protection arising from the use of the Company's products and services. The Company will respond and process inquiries without delay.

Article 15 (Changes to the Personal Information Processing Policy)

  1. In the event of any changes to the Personal Information Processing Policy, the Company will publish the changes and the effective date on the website.
  2. This Personal Information Processing Policy will be effective as of January 20, 2025.
  3. Previous versions of the Personal Information Processing Policy can be found below:
    • October 1, 2021
    • January 22, 2024