JIRO Co., Ltd. (hereinafter referred to as the “Company”) complies with the Credit Information Use and Protection Act, the Act on Promotion of Information and Communications Network Utilization and Information Protection, the Personal Information Protection Act, the Protection of Communications Secrets Act, and other applicable laws and regulations, in order to protect the freedoms and rights of data subjects and to lawfully manage personal information.
Pursuant to Article 30 of the Personal Information Protection Act, the Company hereby establishes and discloses this Privacy Policy to provide data subjects with guidelines on the procedures and standards for the processing and protection of personal information, and to ensure that related grievances can be handled promptly and smoothly.
The Company collects and uses personal information only to the minimum extent necessary for the provision of services, in accordance with the Personal Information Protection Act.
The Company processes the following personal information items without the consent of the data subject:
Legal Basis | Purpose of Processing | Items Processed | Retention Period |
Personal Information Protection Act, Article 15(1)(2) (special provisions under law); Act on the Consumer Protection in Electronic Commerce, Article 6 (Preservation of Transaction Records) | Records related to contracts or withdrawal of subscription | Records related to contracts or withdrawal of subscription Consumer identification information, contract/withdrawal records | 5 years |
Personal Information Protection Act, Article 15(1)(2) (special provisions under law); Act on the Consumer Protection in Electronic Commerce, Article 6 (Preservation of Transaction Records) | Records of payment and supply of goods, etc. | Records of payment and supply of goods, etc. | 5 years |
Personal Information Protection Act, Article 15(1)(2) (special provisions under law); Act on the Consumer Protection in Electronic Commerce, Article 6 (Preservation of Transaction Records) | Records of consumer complaints or dispute resolution | Consumer identification information, dispute resolution records | 3 years |
Personal Information Protection Act, Article 15(1)(4) (performance of contract) | Membership registration, identity verification and member management, handling civil complaints, delivery of notices, responding to inquiries, service improvement, service guidance | [Required] Name, email, country | Until membership withdrawal (provided, if retention is required by relevant laws, until the end of such period) |
Personal Information Protection Act, Article 15(1)(4) (performance of contract) | External account login (Google, Apple, Kakao, Naver) | [Required] Name, email, browser language | Until membership withdrawal (provided, if retention is required by relevant laws, until the end of such period) |
Personal Information Protection Act, Article 15(1)(4) (performance of contract) | Provision of creator sales services, settlement | [Optional] Bank account number, bank name, account holder name, business registration information | Until membership withdrawal (provided, if retention is required by relevant laws, until the end of such period) |
(2) The Company processes the following personal information items with the consent of the data subject.
Purpose of Processing | Items Processed | Retention Period |
Notifications of feature updates, promotions, and newsletters | [Optional] Email, mobile phone number, user ID | Until membership withdrawal (unless retention is required by applicable laws, in which case until the end of the statutory retention period) |
The Company, as a general rule, does not process the personal information of children under the age of 14. However, if the consent of a legal representative is obtained, the Company may process the personal information of users under the age of 14.
The Company processes users’ personal information only within the scope specified in the purposes of processing, and provides personal information to third parties only in cases falling under Article 17 and Article 18 of the Personal Information Protection Act, such as with the user’s consent or where special provisions under law apply. Except in such cases, the Company does not provide the personal information of data subjects to third parties.
In accordance with the Guidelines on Processing and Protection of Personal Information in Emergency Situations jointly announced by relevant government ministries, the Company may provide personal information to relevant authorities without the data subject’s consent in cases of emergency, including disasters, infectious diseases, incidents or accidents posing imminent risk to life or body, or urgent risk of property loss. For details, please refer to this link.
To provide services to users, the Company entrusts the processing of personal information and related tasks as described below. In cases where the entrusted tasks are further subcontracted, details of the subcontractor and the scope of the subcontracted tasks shall be disclosed through the subcontractor’s privacy policy.
Trustee | Entrusted Tasks |
Amazon Web Services Inc. | System development and operation for membership management and service provision; bulk email delivery |
Google LLC | Real-time chat and user authentication services |
Stibee Co., Ltd. | Automated emails, newsletters, and event email delivery |
Modusign Co., Ltd. | Electronic contract services |
Korea PortOne Co., Ltd. | Payment processing and settlement management |
Toss Payments Co., Ltd. | Payment system provision |
When entering into an outsourcing agreement, the Company specifies in the contract or other written documents matters regarding prohibition of personal information processing for purposes other than the performance of the entrusted tasks, implementation of technical and administrative safeguards, restrictions on re-entrustment, management and supervision of the trustee, liability for damages, and other responsibilities in accordance with Article 26 of the Personal Information Protection Act, and supervises the trustee to ensure safe processing of personal information.
In accordance with Article 26(6) of the Personal Information Protection Act, if the trustee re-entrusts the Company’s personal information processing tasks, the trustee must obtain the Company’s consent.
If the details of the entrusted tasks or the trustee are changed, the Company shall disclose such changes without delay through this Privacy Policy.
In cases where personal information processing tasks are outsourced overseas, such matters are guided under 5. Collection and Transfer of Personal Information Abroad (Outsourcing of Processing Tasks).
The Company transfers personal information collected from service users overseas as described below, and provides the following notice in accordance with Article 28-8(2) of the Personal Information Protection Act.
If you refuse the overseas transfer of personal information, you will be unable to use the Services. If you do not wish your personal information to be transferred overseas, you may withdraw your membership via the Service website ([Profile > Account]) or request membership withdrawal by contacting the Customer Center (contact@stock.dropshot.io).
Legal Basis | Recipient (Country, Contact) | Timing and Method of Transfer | Items Transferred | Purpose of Use | Retention and Use Period |
Personal Information Protection Act, Article 28-8(1)(3) (Entrustment and Retention) | Amazon Web Services Inc. | Automatic transfer upon membership registration | Name, email, mobile phone number | System development and operation for membership management and service provision | Until membership withdrawal |
Personal Information Protection Act, Article 28-8(1)(3) (Entrustment and Retention) | Google LLC | Automatic transfer upon membership registration | Name, email | Real-time chat and user authentication | Until membership withdrawal |
When personal information becomes unnecessary, such as upon expiration of the retention period or achievement of the processing purpose, the Company shall promptly destroy the relevant personal information.
If the retention period consented to by the data subject has expired or the processing purpose has been achieved, but retention is still required under other applicable laws, the Company shall store such personal information separately by transferring it to a different database (DB) or by changing the storage location.
Items of personal information retained and the legal grounds for such retention under other laws can be found in 1. Purpose of Processing, Items Processed, and Retention and Use Period of Personal Information.
Procedures and Methods of Destruction
Procedure: The Company identifies personal information subject to destruction and, with the approval of the Company’s Personal Information Protection Officer, destroys such information.
Method: Personal information recorded and stored in electronic file format shall be destroyed using technical or physical methods that render the records irrecoverable. Personal information recorded and stored in paper documents shall be destroyed by shredding or incineration.
Data subjects may, at any time, exercise their rights (“Rights Exercise”), including requests to access, transfer, correct, delete, suspend processing of, or withdraw consent regarding their personal information.
In accordance with Article 41(1) of the Enforcement Decree of the Personal Information Protection Act, Rights Exercise may be conducted by directly accessing or correcting information through the methods described below, or by submitting a request in writing (3F, 302–303 Hoesung Building, 168 Yeoksam-ro, Gangnam-gu, Seoul), or via email (contact@stock.dropshot.io). The Company shall take prompt action in response.
Data subjects and legal representatives may log in to the Service and directly view, correct, delete, suspend processing of, or withdraw consent to personal information under “Contact Us” in the website, or request access through the same menu.
Data subjects may, at any time, request rejection of automated decision-making or explanations thereof through “Contact Us” on the website.
Rights Exercise may also be carried out through a legal representative or a delegate authorized by the data subject. In such cases, a power of attorney in the form prescribed in Annex 11 of the Guidelines for the Processing of Personal Information must be submitted.
The right of a data subject to request access to or suspension of processing of personal information may be restricted pursuant to Articles 35(4) and 37(2) of the Personal Information Protection Act.
If other laws specify that certain personal information must be collected, requests for deletion of such information cannot be accepted.
The Company shall verify that the person exercising the rights is either the data subject or a duly authorized representative.
Data subjects may exercise their rights by contacting the following department. The Company shall respond within 10 days of receipt of such a request (or without delay in the case of a request for transfer).
Department in charge of requests for access to personal information
Department: Dev Team
Address: 3F, 168 Yeoksam-ro, Gangnam-gu, Seoul
Contact: contact@stock.dropshot.io
The Company takes the following measures to ensure the security of personal information.
Administrative measures: establishment and implementation of an internal management plan, regular employee training, and operation of a dedicated organization.
Technical measures: management of access rights to personal information processing systems, installation of access control systems and other related protective measures, isolation/blocking of network access where appropriate, encryption of personal information, retention and inspection of access logs, installation and updating of security programs, and vulnerability assessment and remediation of personal information processing systems.
Physical measures: access control to server rooms and document storage areas, storage of paper documents and removable media in secured locations with locking devices, disaster and emergency protection measures, and control over the removal and return of removable storage media.
In the course of service use, the Company processes behavioral information using cookies to identify individuals in order to provide optimized services and benefits to data subjects. The Company also processes behavioral information collected through automatic personal information collection devices installed in third-party websites and applications.
A cookie is a small piece of information sent from the server (http) used for website operation to the data subject’s browser.
To provide online customized advertisements and related services, the Company collects and uses behavioral information through automatic personal information collection devices installed in third-party websites and applications.
The Company collects only the minimum behavioral information necessary to provide optimized and customized services and benefits, and does not collect sensitive behavioral information—such as information regarding ideology, beliefs, education, medical history, etc.—that may infringe upon an individual’s rights, interests, or privacy.
The Company collects behavioral information as follows.
Grounds | Items of Behavioral Information Collected | Method of Collection | Purpose of Collection | Retention & Usage Period, and Method of Disposal |
Article 15(1)(1) of the Personal Information Protection Act | Login session ID, account identification token, session identifier, browser and device identifiers, visit path, access time, behavioral data, customer service session ID, conversation identifier | Automatically collected from personal information collection devices installed on third-party websites and applications | Service improvement (e.g., maintaining login status, remembering customer environment), functionality testing | Destroyed one month after collection |
The Company collects only the minimum behavioral information necessary to calculate service access and usage statistics, and does not collect sensitive behavioral information—such as ideology, beliefs, education, or medical history—that may infringe upon the rights, interests, or privacy of individuals.
Data subjects may configure their browser options to allow or block cookies.
▶ Allow/Block Cookies in Web Browsers
Chrome: Click the “⋮” icon at the top right of the browser > New Incognito Window (Shortcut: Ctrl+Shift+N)
Edge: Click the “…” icon at the top right of the browser > New InPrivate Window (Shortcut: Ctrl+Shift+N)
▶ Allow/Block Cookies in Mobile Browsers
Chrome: Tap the “⋮” icon at the top right of the mobile browser > New Incognito Tab
Safari: Device Settings > Safari > Advanced > Block All Cookies
Samsung Internet: Tap the “Tabs” icon at the bottom of the mobile browser > Turn on Secret Mode > Start
※ The menu names and steps may vary depending on the browser version.
For inquiries regarding behavioral information, including questions, exercising the right to opt-out, or reporting damages, please contact:
Personal Information Protection Department
Department: Dev Team
Contact: karam@jirocorp.io
The Company makes every effort to prevent users’ personal information from being damaged or compromised. The Company has designated a Personal Information Protection Officer who is responsible for overseeing the processing of personal information, as well as a department to handle complaints related to the Personal Information Protection Act and requests to access personal information, as follows.
However, despite the Company’s implementation of legally required technical, physical, and administrative safeguards for the protection of personal information, the Company shall not be liable for damages caused by the user’s own negligence or by incidents occurring in areas beyond the Company’s control.
Personal Information Protection Officer
Name: Karam Yu
Position: CTO
Contact: karam@jirocorp.io
Department in charge of personal information protection
Department: Dev Team
Contact: karam@jirocorp.io
If you need to report or seek consultation regarding personal information infringement, please contact the following institutions:
Personal Information Dispute Mediation Committee: http://www.kopico.go.kr, ☎ 1833-6972
Personal Information Infringement Report Center: http://privacy.kisa.or.kr, ☎ 118
Supreme Prosecutors’ Office, Cyber Investigation Division: http://www.spo.go.kr, ☎ 1301, 02-3480-2000
National Police Agency, Cyber Bureau: http://www.police.go.kr, ☎ 182
In accordance with Articles 35, 36, and 37 of the Personal Information Protection Act, a person whose rights or interests have been infringed due to a disposition or omission by the head of a public institution may file an administrative appeal under the Administrative Appeals Act.
Central Administrative Appeals Commission: ☎ 110, http://www.simpan.go.kr
This Privacy Policy shall apply from the effective date. If the Company makes changes to this Privacy Policy, the Company will notify users of the timing of the changes and the revised contents through a pop-up notice on the website (or via individual notifications).