Privacy policy

CU Global Shop Privacy Policy


BGF Retail Co., Ltd. (hereinafter referred to as the “Company”) complies with applicable laws and regulations, including the Personal Information Protection Act, in order to protect the rights and freedoms of data subjects while operating the CU Global Shop service (hereinafter referred to as the “Service”). The Company processes personal information lawfully and manages it in a secure manner.

In accordance with Article 30 of the Personal Information Protection Act, the Company hereby provides this Privacy Policy to inform data subjects of the procedures and standards for the processing and protection of personal information.


Article 1 (Purpose of Processing Personal Information)

The Company processes personal information for the following purposes. The personal information being processed will not be used for purposes other than those stated below. In the event that the purpose of use is changed, the Company will take necessary measures in accordance with Article 18 of the Personal Information Protection Act.


| Category | Purpose | Details |
| --- | --- | --- |
| ① | To process product orders and payments | Receipt of product orders and management of order details through the CU Global Shop service; integration with payment services and processing of payments and refunds |
| ② | To provide international shipping services | Processing international shipping based on recipient information and outsourcing logistics operations to fulfillment partners; domestic collection and outbound processing through ‘Across B’; execution of customs clearance procedures in destination countries (China, Japan, Taiwan); handling customer inquiries related to shipping |
| | To operate and manage the service platform | Order management and service operation through the Shopify platform; provision of notices and information related to service use |




Article 2 (Categories of Personal Information Processed)

The Company processes personal information as follows.


① Personal Information Processed for the Performance of a Contract

| Category | Purpose | Data Items | Retention Period |
| --- | --- | --- | --- |
| Membership Registration | Member information registration | Email | (Non-purchasing customers) Automatically deleted after 1 month / (Purchasing customers) Deleted upon request |
| Service Provision | Sending notification messages | Message Sending History | 3 years from the date of sending |
| | Order management | Customer Information (Name, Mobile Number, Email Address); Product Information (Purchased Product Information); Payment Information (Payment Information); Recipient Information (Name, Mobile Number, Address) | 5 years from the date of order completion |
| | Payment management | Payment Information (Payment Date and Time, Payment Method, Payment Amount); Billing Information (Name, Address, Mobile Number) | 5 years from the date of order completion |
| | Customer inquiry response | Customer Inquiry Information (Email Address, Name) | 3 years from the date the inquiry is resolved |



Article 3 (Processing and Retention Period of Personal Information)

① The Company processes and retains personal information within the period stipulated by applicable laws and regulations or within the period agreed upon by the data subject at the time of collection.

② The respective processing and retention periods for personal information are as follows.

| Purpose of Processing | Retention Period | Applicable Laws |
| --- | --- | --- |
| Records on contracts or withdrawal of subscription | 5 years | Article 6 (1) 2 of the Enforcement Decree of the Act on Consumer Protection in Electronic Commerce, etc. |
| Records on payment and supply of goods | 5 years | Article 6 (1) 3 of the Enforcement Decree of the Act on Consumer Protection in Electronic Commerce, etc. |
| Records on consumer complaints and dispute resolution | 3 years | Article 6 (1) 4 of the Enforcement Decree of the Act on Consumer Protection in Electronic Commerce, etc. |
| Records on labeling and advertising | 6 months | Article 6 (1) 1 of the Enforcement Decree of the Act on Consumer Protection in Electronic Commerce, etc. |
| Access logs and internet log records | 3 months | Article 15-2 (2) of the Protection of Communications Secrets Act |



Article 4 (Procedures and Methods for the Destruction of Personal Information)

① The Company shall, without delay, destroy personal information when the retention period has expired or the purpose of processing has been achieved.

② If personal information is required to be preserved in accordance with other applicable laws and regulations, it shall be stored separately in a dedicated database (DB).

③ Procedures and Methods for Destruction.

* Electronic files: Permanently deleted in a manner that prevents recovery of the records.

* Paper documents: Shredded using a shredder or incinerated.


Article 5 (Provision of Personal Information to Third Parties)

① The Company processes personal information only within the scope specified in Article 2 and provides personal information to third parties only in the following cases.

  • Where the data subject has given consent. 

  • Where it is required by law or necessary to comply with legal obligations. 

  • Where it is necessary for the performance of duties by a public authority within its jurisdiction. 

  • Where it is clearly necessary to protect the life, body, or property of the data subject or a third party from imminent danger.

② The Company does not use personal information for purposes other than those specified, nor does it share such information with third parties for other purposes.


Article 6 (Outsourcing of Personal Information Processing)

① The Company outsources personal information processing tasks as follows for the smooth provision of services.

| Trustee | Scope of Outsourced Work | Sub-Trustee | Purpose of Sub-Outsourcing |
| --- | --- | --- | --- |
| Across B | Logistics fulfillment operations (including product packing, last-mile delivery, order information processing, product selection, packaging, customs clearance, and final delivery) | UPS, Crossfulfil, Extensiv, EasyAdmin, Jooan Customs Broker, ICS Logistics | Logistics services such as product delivery, customs clearance, order processing, and export declaration |
| Eximbay | Payment processing services | Woori Bank, Forcs Co., Ltd., Hyosung ITX, Hyphen Corporation, Kukon Co., Ltd. | Secure fund settlement services, electronic contract services, customer verification, overseas virtual account services, and mobile identity verification |
| Paypal | Payment processing services | Covington & Burling LLP, General Agent Co. Ltd, Google LLC, PayPal Korea Services LLC | Legal advisory services (including litigation, personal data, product and engineering, regulatory and compliance matters), acting as a local representative designated by PayPal for personal data protection matters in Korea, provision of marketing campaign tools, and acting on behalf of third-party logistics providers to comply with legal or regulatory obligations and achieve business purposes |
| Shopify | Online store operation (including order/payment management and storage and management of customer information) | Amazon Web Services; Cloudflare, Inc.; Google Cloud Canada Corporation; Twilio Inc.; Nebius B.V.; Mailgun Technologies, Inc. | Cloud hosting, load balancing and DDoS protection, email and SMS delivery, computing workload optimization, and technical environment hosting |


② When entering into outsourcing agreements, the Company specifies in the contract matters related to the prohibition of processing personal information for purposes other than the entrusted tasks, technical and administrative safeguards, restrictions on sub-outsourcing, and liability for damages in accordance with Article 26 of the Personal Information Protection Act, and supervises whether the trustees process personal information safely.


Article 7 (Cross-border Transfer of Personal Information)

The Company may transfer personal information overseas as follows for the provision of services.

| Relevant Legal Basis | Recipient | Transferred Items | Country | Date and Method of Transfer | Purpose | Retention Period | Method of Refusal |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Article 28-8(1) 3 of the Personal Information Protection Act (Consignment of Processing and Storage) | Across B (Logistics Fulfillment Service Provider); privacy@acrossb.net; 02-6012-3200 | Name, Phone Number, Email Address, Address, Purchase History | China, Japan, Taiwan, Hong Kong | Transmission through the network at the time of service use | Last-mile delivery and customs clearance | From the time the order information is received until 30 days after delivery completion | If you do not agree to the overseas transfer of your personal information, you may refuse such transfer by choosing not to use the Service. |
| Article 28-8(1) 3 of the Personal Information Protection Act (Consignment of Processing and Storage) | PayPal; https://www.paypal.com/kr/cshelp/contact-us/privacy; 1-888-221-1161 | Name, Email Address, Phone Number, Address | United States (subject to review) | Transmission through the network at the time of service use | Provision of credit card payment services | In accordance with PayPal’s Seller Protection Policy | If you do not agree to the overseas transfer of your personal information, you may refuse such transfer by choosing not to use the Service. |
| Article 28-8(1) 3 of the Personal Information Protection Act (Consignment of Processing and Storage) | Amazon Web Services Inc; Aws-korea-privacy@amazon.com | All personal information collected or generated from users | USA | Transmission through the network at the time of service use | Transmission through the network at the time of service use | Upon Withdrawal of Membership or Consent | If you do not agree to the overseas transfer of your personal information, you may refuse such transfer by choosing not to use the Service. |


※ Overseas delivery is a service provided by a shipping agent at the request of the customer, and responsibility for customs clearance primarily lies with the customer and the shipping agent.

Article 8 (Measures to Ensure the Security of Personal Information)

① In handling users’ personal information, the Company takes the following technical, administrative, and physical measures to ensure that personal information is not lost, stolen, leaked, altered, or damaged.

1. The Company encrypts and securely stores important personal information.

2. The Company has implemented the following measures to prevent hacking and other security threats:

a. The Company makes every effort to prevent users’ personal information from being leaked or damaged due to hacking, computer viruses, or other cyber threats.

b. The Company regularly backs up data to prepare for potential damage to personal information and uses the latest antivirus programs to prevent users’ personal information and data from being leaked or damaged. The Company also ensures that personal information can be transmitted securely over networks through encrypted communications and other security measures.

c. The Company uses intrusion prevention systems to control unauthorized access from external parties and strives to implement all possible technical measures necessary to secure its systems.

3. The Company minimizes the number of employees handling personal information and provides regular training:

a. Employees authorized to handle personal information are limited to designated personnel only. Separate passwords are assigned and updated regularly, and regular training is conducted to ensure the safe management of personal information.

b. The transfer of duties related to personal information handling is conducted thoroughly under secure conditions, and responsibilities regarding incidents such as personal information leakage before and after employment are clearly defined.

c. The Company designates computer rooms and document storage areas as specially protected zones and strictly controls access to such areas.

4. The Company operates a dedicated personal information protection organization:

a. Through its internal personal information protection organization, the Company monitors the implementation of personal information protection measures and compliance by responsible personnel, and promptly takes corrective action if any issues are identified.

② The Company shall not be held liable for any issues arising from the leakage of personal information caused by users’ negligence or problems occurring on the Internet. Users are responsible for appropriately managing their own personal information, including passwords and other credentials, and shall bear responsibility for such management.


Article 9 (Installation, Operation, and Refusal of Automatic Personal Information Collection Devices)

① Cookies.

  • The Company uses “cookies” to store and retrieve user information in order to provide personalized services. 

  • Cookies are small pieces of information sent by the server operating the website to the user’s browser and may be stored on the user’s computer hard drive. 

  • Purpose of Use: Cookies are used to analyze users’ visit and usage patterns, popular search terms, and secure access status in order to provide optimized information. 

  • Installation, Operation, and Refusal: Users have the right to choose whether to allow cookies and can set their web browser options to allow all cookies, reject all cookies, or prompt confirmation whenever a cookie is stored. 

  • If cookies are refused, there may be difficulties in using personalized services.


② Use of External Analytics Tools.

▶ Google Analytics 4.

  • The Company uses cookies and other automatic data collection technologies during the course of providing services in order to collect and use behavioral information in a non-identifiable manner for the purpose of providing users with optimized customized services, benefits, and personalized online advertisements. 

  • Behavioral information refers to information such as website usage history collected to analyze users’ interests and preferences in order to provide customized services. For effective service operation, advertising, and marketing, the Company allows online personalized advertising providers to collect and process behavioral information through the use of cookies and SDKs as follows.

| Collection Items | Collection Method | Purpose of Collection | Retention and Use Period |
| --- | --- | --- | --- |
| Service usage and visit history, product search and click history, order settings, purchase history (ordered products and amounts), membership subscription/cancellation status, cart/wishlist history, page exposure history, event participation history, advertising identifiers | Automatically collected when users visit the website or app services or perform specific actions | Analysis of user behavior based on interests, preferences, and tendencies, statistical analysis of service usage, improvement of user convenience, and provision of personalized recommendations | 2 years from the date of collection |


Article 10 (Rights of Data Subjects and Methods of Exercising Such Rights)

① Data subjects may, at any time, request access to, correction, deletion, suspension of processing of, or withdrawal of consent regarding their registered personal information. If a data subject wishes to request access, correction/deletion, suspension of processing, or withdrawal of consent, they may contact the Chief Privacy Officer or the person in charge in writing, by telephone, or by email, and the Company will take immediate action after completing identity verification procedures.

② If a data subject requests correction of errors in personal information, the Company will not use or provide the relevant personal information until the correction has been completed. If the incorrect personal information has already been provided to a third party, the Company will promptly notify the third party of the correction results so that the necessary corrections can be made.

③ The Company processes personal information requested for deletion by users in accordance with this Policy and other applicable laws and regulations, and ensures that such information cannot be viewed or used for any purpose other than those prescribed by applicable laws and regulations.

 

Article 11 (Chief Privacy Officer)

① The Company designates a Chief Privacy Officer as follows to oversee personal information processing and to handle complaints and provide remedies for damages.

  • Department in Charge of Personal Information Protection: Digital Innovation Division. 

  • Chief Privacy Officer: Junyong Park (Executive Director). Tel: +82-2-528-7175. Email: bgf_privacy@bgf.co.kr. 

  • Personal Information Manager: Injune Jeon (Team Leader). Tel: +82-2-528-7175. Email: injun.jeon9@bgf.co.kr. 

  • General Inquiry Email: cuglobalshop@bgf.co.kr. 

② Data subjects may contact the Chief Privacy Officer or the relevant department regarding any inquiries, complaints, or remedies related to personal information protection arising from the use of the service.


Article 12 (Remedies for Infringement of Rights and Interests of Data Subjects)

Data subjects may apply for dispute resolution or consultation regarding personal information infringement to the following organizations.

  • Personal Information Dispute Mediation Committee: 1833-6972, www.kopico.go.kr

  • Personal Information Infringement Report Center (KISA): (without area code) 118, privacy.kisa.or.kr

  • Supreme Prosecutors’ Office Cyber Crime Investigation Division: (without area code) 1301, www.spo.go.kr

  • National Police Agency Cyber Bureau: (without area code) 182, ecrm.cyber.go.kr