Privacy and Security

1. The Company collects only the minimum personal information necessary to provide its services. If additional personal information is required to offer personalized services based on users' preferences and interests, the Company will obtain prior consent.
2. Members may refuse consent for optional items without restriction on basic service use; however, some features may be limited. Non-members may refuse consent to the collection and use of personal information, but this may restrict product purchases and service use.
3. The Company does not collect sensitive personal information, including race or ethnicity, religion or philosophical beliefs, country of origin, political opinions, criminal records, health or medical information, or sexual orientation. However, in the course of providing global services, if information classified as "Sensitive Personal Information" under the definitions of local laws (e.g., CPRA) is processed, the Company complies with the protective measures required by such laws. Specific details regarding such processing are clearly provided in the country-specific notices (e.g., Article 8) of this Privacy Policy.

The Company collects and processes the following personal information for the provision of its services.

1. Categories of personal information processed without the consent of the data subject
2. Categories of personal information processed with the consent of the data subject

Personal information processed in accordance with Article 15(1)1 and Article 22(1)7 of the Personal Information Protection Act

2. Legal Basis for Processing Personal Information

The Company processes personal information based on the following legal grounds:

• The data subject's explicit consent
• Necessity for the performance of a contract and the provision of services
• Compliance with legal obligations under applicable laws and regulations
• The Company's legitimate interests, including the prevention of fraudulent use, enhancement of security, ensuring service stability, and improvement of services

• The Company does not process personal information of children under the age of 14 (or under the age of 16 for residents of the EEA and California, USA, or under the minimum age prescribed by the laws of the country of residence).

The Company entrusts the processing of personal information to the following entities for the purpose of providing its services. The Company supervises entrusted parties to ensure compliance with applicable laws and contractual obligations regarding the secure handling of personal information.

1. For the smooth processing of personal information-related work, the Company entrusts the processing of personal information to third parties as follows.

   Entrusted personal information processors

   Service Provider (Data Processor)	Country of Location	Scope of Entrusted Services	Privacy Policy / Sub-processors
   PayPal	United States	- Provision of international payment processing services - Processing of payment approvals, cancellations, and refunds - Processing of transaction information for the application of PayPal's Seller Protection Policy	https://developer.paypal.com/braintree/in-person/reference/paypal-braintree-sub-processors/
   Eximbay	Republic of Korea	- Processing of international card payments and global payment methods - Payment approval, cancellation, refund, and settlement processing - Fraud prevention and payment security management	https://www.eximbay.com/privacy.do
   Klarna	Sweden	- Provision of Buy Now, Pay Later (BNPL) services - Management of payment approvals and payment records	https://creator.klarna.com/terms/publisher-terms
   DHL	Overseas	- Provision of international express delivery services - Overseas shipping and customs clearance coordination for ordered products - Tracking of international shipments for ordered products - Processing of international delivery of ordered products - Logistics service support - Provision of delivery solutions	https://www.dhl.com/us-en/home/footer/privacy-notice.html
   FedEx			https://www.fedex.com/en-us/trust-center/global-privacy-policy.html
   UPS			https://www.ups.com/kr/en/support/shipping-support/legal-terms-conditions/privacy-notice
   Aramex			https://www.aramex.com/kr/en/legal-details/privacy-policy
   Delivered Korea	Republic of Korea		https://www.delivered.co.kr/ko/privacy-policy
   EFS	Overseas		https://efs.asia/script/users/about.php
   Parxl			https://parxl.com/parxl_solution
   Amazon Web Services (AWS)	United States	- Provision of cloud infrastructure for service operations - Management of servers, data storage, backups, and system operations	https://aws.amazon.com/compliance/sub-processors/?nc1=h_ls

2. When entering into entrustment agreements, the Company specifies in contracts and other written documents, in accordance with the Personal Information Protection Act, matters concerning the prohibition of processing personal information beyond the scope of the entrusted purpose, implementation of technical and administrative safeguards, restrictions on re-entrustment, management and supervision of entrusted parties, and liability, including compensation for damages.
3. In the event of any change in the details of the entrusted services or the entrusted parties, the Company shall disclose such changes without delay through this Privacy Policy.
4. Matters concerning the overseas entrustment of personal information processing are set forth in Article 5.

The Company transfers personal information overseas to ensure the smooth provision of services.

In accordance with Article 28-8(2) of the Personal Information Protection Act and other applicable laws and regulations, details regarding overseas transfers are provided below.

Data subjects may refuse the overseas transfer of their personal information; however, refusal may restrict the use of certain services, such as payment processing, delivery, personalized services, and the provision of advertisements.

If a data subject does not wish for their personal information to be transferred overseas, they may withdraw from membership through My Page > Account Settings > Membership Withdrawal.

1. Legal Basis for Overseas Transfer

Article 28-8(1)3 of the Personal Information Protection Act (Where entrustment or storage of personal information is necessary for the performance of a contract)

The data subject's explicit consent

2. Status of Overseas Transfer of Personal Information

① Overseas Transfer Related to Payment Processing and Contract Performance

② Overseas Transfer Related to Delivery Services

③ Overseas Transfer Related to Service Operations, Analytics, and Marketing

1. The Company shall promptly destroy personal information once the purpose of collection and use has been fulfilled, or within 30 days from the date of membership withdrawal.

   However, if applicable laws require the retention and processing of personal information for a certain period, or in the following cases, the Company shall securely retain such personal information for the required period and use it only within the scope of the stated purpose:

   • Where investigations or inquiries are in progress due to violations of applicable laws: Until such investigations or inquiries are completed
   • Where rights and obligations arising from the use of services remain outstanding: Until such rights and obligations are settled.
2. Notwithstanding Paragraph 1, personal information that the Company is required to retain under applicable laws shall be retained until the end of the applicable period as follows:

   ① Act on Consumer Protection in Electronic Commerce, etc.

   • Records related to contracts or withdrawal of subscription: 5 years
   • Records related to payment and supply of goods or services: 5 years
   • Records related to consumer complaints or dispute resolution: 3 years
   • Records on display and advertising: 6 months

   ② Protection of Communications Secrets Act

   • Computer communications log records: 3 months (The most recent access date is excluded for the purpose of verifying service usage periods.)

   ③ Framework Act on National Taxes

   • Books and evidentiary documents regarding all transactions: 5 years
3. In order to minimize potential loss or damage caused by repeated membership withdrawal and re-registration, and to enable account reactivation upon the user's request, personal information that is not subject to statutory retention obligations shall be destroyed immediately upon membership withdrawal. The minimum information necessary for preventing re-registration abuse and protecting accounts may be retained for a limited period and then destroyed.
4. The procedures and methods for the destruction of personal information are as follows:

   ① Destruction Procedure

   The Company selects personal information for which a reason for destruction has arisen and destroys such personal information upon approval by the Company's Chief Privacy Officer.

   ② Destruction Methods

   • Personal information recorded and stored in electronic file formats: Securely deleted using technical methods that render the data irrecoverable
   • Personal information printed on paper: Destroyed by shredding or incineration

(California Consumer Privacy Act, CPRA)

This Article applies to users who reside in the State of California and explains how StyleKorean collects, uses, and shares personal information, as well as the rights of users, in accordance with the California Consumer Privacy Act of 2018 and the California Privacy Rights Act.

1. Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information collected about you.
2. Right to Delete: You have the right to request deletion of personal information collected from you, subject to certain exceptions.
3. Right to Opt-Out of Sale/Sharing: You have the right to opt out of the sale or sharing of your personal information. The Company does not sell personal information.
4. Right to Non-Discrimination: You will not be discriminated against for exercising your privacy rights.
5. Right to Correct: You have the right to request correction of inaccurate personal information.
6. Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of sensitive personal information.

(General Data Protection Regulation, GDPR)

This Article applies to residents of the European Economic Area (EEA). StyleKorean processes personal information based on the following legal grounds in accordance with the GDPR.

1. Consent: Processing based on the user's explicit consent (e.g., marketing communications).
2. Contract Performance: Processing necessary for the performance of a contract (e.g., order processing, delivery).
3. Legal Obligation: Processing necessary for compliance with legal obligations.
4. Legitimate Interest: Processing necessary for the Company's legitimate interests, provided such interests are not overridden by the user's rights.

EEA residents have the following rights:

• Right of access to personal information
• Right to rectification of inaccurate information
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent at any time
• Right to lodge a complaint with a supervisory authority

1. The Company uses cookies and similar technologies to provide personalized services and improve user experience. Cookies are small text files stored on the user's device when visiting the website.
2. Types of cookies used:
   • Essential cookies: Required for basic website functionality (login, shopping cart, etc.)
   • Performance cookies: Used to analyze website usage and improve performance
   • Functional cookies: Used to remember user preferences and settings
   • Marketing cookies: Used to deliver relevant advertisements and measure campaign effectiveness
3. Users may manage cookie preferences through their browser settings or the cookie consent banner on the website. Disabling certain cookies may limit access to some features.
4. Users may opt out of behavioral advertising through industry opt-out mechanisms.

1. The Company collects and uses behavioral information (e.g., browsing history, purchase history, search queries) to provide personalized recommendations and improve services.
2. Legal basis: Article 15(1)(4) of the Personal Information Protection Act (Processing necessary for the performance of a contract)
3. Users may opt out of behavioral information collection and use through account settings or by contacting customer support.
4. The Company does not provide behavioral information to third parties without the user's prior consent, except as required by law.

The Company provides personal information to third parties only with the user's consent or where permitted by the Personal Information Protection Act or other applicable laws.

The Company implements the following technical, administrative, and physical safeguards to prevent loss, theft, leakage, forgery, alteration, or damage of personal information.

1. Technical Safeguards
   • Personal information is protected by passwords, and sensitive information is encrypted when stored.
   • Security programs are installed and regularly updated to protect personal information from external threats such as computer viruses, malware, and hacking.
   • Encrypted communication technologies (e.g., SSL) are applied to ensure secure transmission of personal information.
   • Security monitoring, vulnerability assessments, intrusion prevention, and detection systems are regularly operated to identify and respond to suspicious activities.
2. Administrative safeguards
   • Access to personal information is restricted to the minimum number of personnel necessary for business operations, and regular security training is provided to employees handling personal information.
   • Access rights are granted, modified, and revoked in accordance with internal management procedures, and misuse or abuse of access rights is periodically reviewed.
   • Compliance with personal information protection laws is continuously monitored through internal audits and inspections.
   • When personal information processing is outsourced, the Company thoroughly supervises and manages service providers.
3. Physical safeguards
   • Access control procedures are implemented for areas where personal information is stored, such as data centers and document storage rooms, ensuring that only authorized personnel may enter.

1. The Company appoints a Chief Privacy Officer to oversee personal information processing and to handle complaints, inquiries, and remedies related to personal information protection, as follows:
   • Chief Privacy Officer
     • - Name: Junkye Kang
     • - Position: Deputy CTO
     • - Contact: 070-8622-5105, jgkang@siliconii.net
   • Personal Information Protection Department
     • - Department: PA_GL
     • - Contact: 070-8622-5105, stylekorean_cs@siliconii.net
2. Users may contact the Chief Privacy Officer or the relevant department regarding any inquiries, exercise of rights, complaints, or remedies related to personal information protection arising from the use of the Company's services.

If consultation or reporting related to personal information infringement is required, assistance may be obtained from the following institutions:

• Personal Information Infringement Report Center (KISA): (+82) 118 / privacy.kisa.or.kr
• Personal Information Dispute Mediation Committee: (+82) 1833-6972 / www.kopico.go.kr
• National Police Agency Cyber Bureau: (+82) 182 / ecrm.cyber.go.kr

※ These institutions are independent from the Company and provide general consultation related to personal information infringement.

1. The Company may amend this Privacy Policy in accordance with changes in applicable laws or services. Any revisions or updates will be announced on the Company's website. In the case of material changes, prior notice will be provided at least seven (7) days in advance.
2. This Privacy Policy shall take effect as of January 1, 2026.
3. Previous versions of the Privacy Policy may be reviewed below:
   • Effective period: May 20, 2015 - December 31, 2025
     https://www.stylekorean.com/shop/cs_privacy_security.php