STOY (referred to as the “Company” hereinafter) collects the following personal information from the users when the users initially subscribe as a member or when the services are used and establishes and complies with the policies for protection of the personal information of users in accordance with the relevant statutes such as 『Act on Promotion of the Use of Information Communication Networks and Protection of Information』, 『Act on Protection of Personal Information』 and others.
The Company will collect and use only the ‘minimum information necessary’ and the users retain the right not to consent to the collection and use of ‘the personal information other than the minimum information necessary.’
The Company collects and uses the personal information as follows to enable the users to use the “STOY Wallet” services.
Article 1. (Purpose for Collection and Use of Personal Information)
The Company processes the personal information for the following purposes and does not use the personal information being processed for any purposes other than the followings but if the purpose of use should be changed, the Company will take the appropriate actions necessary such as by receiving a separate consent of the users in accordance with the related statutes and others.
1. Particulars of Personal Information Collected
∙ At the time of subscription as a member or use of services: ID, password, name, gender, date of birth, country information, e-mail address, mobile phone number, information about the legal representatives in the case of children under 14 years of age (name and date of birth of the legal representative, encrypted identity information of the same person and information for verification of redundant subscription)
∙ Information automatically collected during the use of services: Record of service use, access logs, transaction records, IP information, cookies, record of malign or fraudulent uses, information related to mobile devices (model, carrier, OS, size of screen, language and country information, advertising ID, device ID information and others), the act of malign/fraudulent access to the services and service applications and related records, record of attempt to access the service applications, the information necessary for verification of the safe environment for execution of services and service applications
2. Purpose of Use
∙ Verification of user as a principal for subscription as a member to use the STOY Wallet services provided by the Company and for use of the services as a member / identification of individuals / imposition of restrictions in use for the members who violated the terms of agreement / imposition of sanctions against the acts to undermine the efficient operation of the services or to fraudulently use the services / check of intention for subscription as a member / imposition of restrictions on subscription or the number of subscriptions / retention of records for arbitration of disputes / response to user petitions such as complaints and others / communication of notices / check of intention for secession from membership
∙ Delivery of advertising information such as the information on the services or other benefits provided by the Company, guidance information on the different types of events progressed by the Company, the newsletters provided by the Company and others only to the users who agreed to the marketing purposes
∙ Administration of information on users, communication of different notices, development of new services, provision of varied services, user counseling and response to user complaints, compensation of damages sustained by users, change of personal information, initialization of passwords for remittance of fund and others
∙ Verification of user as a principal and confirmation of remittance details of cryptocurrencies, matters related to the overall administration of services such as the processing of receipt and payment of cryptocurrencies, settlement of transactions and reconciliation of information when the transaction details are interfaced with the exchange or other wallets
Article 2. (Commissioning External Parties for Treatment of Personal Information)
The Company does not commission the external parties to take care of the personal information of users without the consent of users. If there arises any such need in the future, the Company will notify the users of the party to be commissioned and the details of duties to be delegated and will seek the consent of the users in advance if necessary.
Business entity to be commissioned for processing of personal information
NICE Information Service Co., Ltd.: Authentication by mobile phone number (until the time of secession or termination of commissioning agreement)
Article 3. (Period of Retention and Use of Personal Information)
The Company retains and processes the personal information within the period for retention and use of personal information as per the statutes or the period agreed by the user when the personal information was collected.
In principle, the Company destroys the personal information of users without delay when the users secede from the membership or when the purpose for collection and use of the personal information has been attained but if the information needs to be retained in accordance with the relevant statutes such as the Act on Protection of Communication Secrets, Act on Protection of Consumers in E-commerce Transactions and the Act on Protection of Consumers, the member information is retained for the period prescribed in such related statutes. In this case, the Company uses the information retained only for the purpose for which the information is retained.
Article 4. (Withdrawal of Consent to the Collection and Use of Personal Information)
When the users secede from the membership, the consent to the collection and use of personal information is withdrawn.
Article 5. (Destruction of Personal Information)
When the personal information is not necessary anymore such as when the retention period of personal information has expired, the purpose for processing of personal information has been attained or otherwise, the Company destroys the personal information without delay. However, even though the retention period of personal information consented by the users has expired or the purpose for processing of the personal information has been attained, if the personal information needs to be continuously retained based on the relevant statutes, the corresponding personal information is preserved after moving to a separate database or to a different location for custody.
The Company screens the personal information with the reasons of destruction and destroys the information after the approval by the officer in charge of personal information protection. The personal information printed in hardcopy documents is destroyed by shredding or cremation and the personal information stored in the format of electronic files is deleted by using the technical method to render the reproduction of record impossible.
Article 6. (Rights and Obligations of Users and Method of Exercise)
The users can exercise the rights related to the protection of personal information, as follows, towards the Company anytime or, otherwise, the user oneself can carry out such rights through the menu for change of the user information or the procedure for secession from membership.
∙ Request for view of personal information
∙ Request for correction in case of any errors or if otherwise necessary
∙ Request for deletion
∙ Request of suspension of processing
1. The exercise of rights as per Paragraph 1 can be carried out by way of the written documents, requests over the phone, e-mails, faxes and others delivered to the Company and if any such request is received, the Company will take the necessary actions without delay.
2. f the users request the correction related to the errors of personal information or the deletion of personal information, the Company does not process the corresponding personal information until the correction or deletion is completed.
3. The exercise of rights as per Paragraph 1 may be carried out by way of the agents such as the legal representatives, delegated persons or others. In this case, the power of attorney based on Form No. 11 of the Supplementary Sheet of Enforcement Rules of the Act on Protection of Personal Information should be submitted.
4. When the request for view of information, correction or deletion of information or suspension of processing has been submitted based on the right of the users related to the information, the Company verifies whether the person who submitted the request is the user oneself or one’s legitimate agent.
Article 7. (Measures for Assurance of Security of Personal Information)
In dealing with the personal information of the users, the Company takes the following measures to ensure the security of personal information so that the information may not be lost, stolen, exposed, tampered with or damaged.
∙ Encryption of password: The password of users is stored and managed after encryption and is known only to the user oneself and the verification and change of personal information can be progressed only by the user oneself who knows the password.
∙ Response measures for hacking and others: The Company is making the best of its efforts to prevent the personal information of individual users from being released or damaged by hacking, computer viruses or others. In anticipation of the damages to the personal information, the data is backed up at frequency, the latest vaccine programs are utilized to prevent the leakage or damage of the personal information of the members and the network communication messages are encrypted to ensure the secure transmission of the personal information..
∙ Minimization of the persons in charge of the personal information and education: The Company restricts the number of persons in charge of personal information to the minimal level necessary for discharge of the related duties and the importance of personal information protection is stressed through the administrative procedures such as the education of the persons in charge of personal information and others.
Article 8. (Officer in Charge of Personal Information Management)
1. The Company nominated the officer in charge of personal information protection as follows to assume the overall responsibility regarding the duties related to the processing of personal information and to aid with the resolution of the user complaints related to the processing of personal information, the remedy of damages and others.
∙ Name, affiliation and position: Representative Gil-Dong Hong of STOY
∙ Tel: +82.2.1234.1234
∙ E-mail: cs@stoy.io
2. The users can view, check and report all complaints and petitions related to the protection of personal information arising while the services provided by the Company are used together with the officer in charge of personal information management.
Article 9. (Remedy for Violation of Rights and Privileges)
If the report or counseling is necessary in relation to the violation of personal information, the users may seek the remedies by inquiring of the agencies below.
∙ KISA (privacy.kisa.or.kr)
∙ Cyber Investigation Section, Scientific Investigation Dept., Supreme Prosecutors’ Office (www.spo.go.kr)
∙ Cyber Bureau, Korean National Policy Agency (www.ctrc.go.kr)
Article 10. (Responsibility for Linked Sites)
The Company can provide the users with the links to the other external sites. In this case, since the company does not have the control over the external sites, it cannot take the responsibility for or warrant the usefulness, authenticity and legitimacy of the services or data provided by the external sites to the users and as the policy of the external sites for processing of the personal information is independent of the Company, the users are recommended to make reference to the policy of the relevant external sites.
Article 11. (Change of the Policy for Processing of Personal Information)
In case there are any details to be added, deleted or amended in the current policy for processing of personal information, they will be notified through the ‘public notices’ from at least 7 days before the effective date of the change. However, should there be any critical changes to the right of the users such as in relation to the collection, use and supply to the third parties of the personal information, the particulars will be notified at least 30 days before the effective date.
Supplementary Provisions
This policy for processing of the personal information takes the effect from 01. 15, 2023.