Privacy Policy

Article 1 (Purpose of Processing Personal Information)
  1. The Company processes personal information for the following purposes.
  2. The personal information being processed will not be used for purposes other than the following. If the purpose of processing is changed, the Company will implement necessary measures, such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.
    1. Product Reservation and Consultation
      Service Purpose of Collection and Use Items Collected and Used
      Tour Products Consultation, reservation, and customer management for tour products Mandatory - Identity verification information
      (Name, mobile phone number, personal verification password)
      Shopping Consultation, purchase, delivery, and buyer management for shopping products Mandatory - Identity verification information
      (Name, mobile phone number)
      - Recipient verification information
      (Recipient's name, mobile phone number, delivery address)
      Payment / Settlement / Refund Payment, settlement, and refund for product purchases Mandatory - Name, credit card information (Card number, expiration date, first 2 digits of the password)
      - Upon refund request
      (Bank name, account number, account holder name)
      Cash Receipt Issuance of cash receipts Mandatory - For income deduction: Mobile phone number, cash receipt card number
      - For expense proof: Mobile phone number, business registration number
    2. Miscellaneous
      Service Purpose of Collection and Use Items Collected and Used
      Satisfaction Survey - Participant satisfaction survey for service quality improvement, statistical analysis of results, and satisfaction management
      - Prize drawings and distribution for survey participants, and handling complaints related to prizes
      Mandatory Name, mobile phone number
      Information Automatically Collected or Generated During Service Use Identity verification, generation of service usage statistics, prevention of fraudulent use, and marketing information announcements Automatically Generated Connecting IP information, cookies, access logs, mobile device information (operating system and version, device identification information), payment records
      Application for Correction / Inspection / Deletion of Personal Information Identity verification Mandatory Name, mobile phone number, copy of ID card (with Resident Registration Number removed)
Article 2 (Processing and Retention Period of Personal Information)
  1. The Company processes and retains personal information within the personal information retention and use period required by relevant laws and regulations or within the period agreed upon by the data subject at the time of collection.
  2. The processing and retention periods for each type of personal information are as follows:
    Grounds for Retention (Relevant Law) Items Retained Retention Period
    Article 6 of the Act on Consumer Protection in Electronic Commerce Records regarding contracts or withdrawal of subscriptions, etc. 5 years
    Records regarding payments and supply of goods, etc. 5 years
    Records regarding consumer complaints or dispute resolutions 3 years
    Records regarding labeling and advertising 6 months
  3. However, in the event of any of the following reasons, the information will be retained until the conclusion of the respective reason:
    1. Where an investigation or inquiry due to a violation of relevant laws is ongoing: Until the conclusion of the respective investigation or inquiry
    2. Where any credit or debt relationship remains from service usage: Until the settlement of the respective credit or debt relationship
    3. In the case of providing goods or services: Until the completion of the supply of goods/services and the completion of payment/settlement
    4. In the case of <Exceptional Grounds>: Until the <Retention Period>
Article 3 (Provision of Personal Information to Third Parties)
  1. The Company processes the personal information of data subjects only within the scope specified for the purpose of processing. The Company provides personal information to third parties only when it falls under Articles 17 and 18 of the Personal Information Protection Act, such as with the consent of the data subject or under special provisions of law, and does not otherwise provide the personal information of the data subject to third parties.
  2. The Company may provide personal information to relevant authorities without the data subject's consent in the event of emergency situations such as disasters, infectious diseases, events/accidents causing imminent danger to life or body, or imminent loss of property, as follows:
    Classification Legal Basis Recipient Authority Items Provided
    Disaster Response Article 74-3 of the Framework Act on the Management of Disasters and Safety (Request for Provision of Information, etc.) Central Disaster and Safety Countermeasures Headquarters or Local Disaster and Safety Countermeasures Headquarters Name, address, and phone number
    Prevention and Control of Infectious Diseases Article 76-2 of the Infectious Disease Control and Prevention Act (Request for Provision of Information and Verification of Information, etc.) Korea Disease Control and Prevention Agency (KDCA) or nationwide cities/do (provincial governments) Name, address, and phone number
    Protection of Persons at Risk of Suicide Article 19-3 of the Act on the Prevention of Suicide and the Creation of a Culture of Respect for Life (Request for Provision of Information for Rescuing Persons Subject to Urgent Rescue, etc.) Police Stations / Korea Coast Guard Name, address, and phone number of the person subject to urgent rescue
Article 4 (Outsourcing of Personal Information Processing)
  1. The Company outsources the processing of personal information as follows to ensure smooth processing of personal information operations:
    Subcontractor (Consignee) Outsourced Task Retention and Use Period
    KG Inicis Co., Ltd. Payment processing services Until membership withdrawal or termination of the outsourcing contract
    Kakao Corp. Shipping prizes to event winners, and responding to complaints related to prize distribution
    Kakao Corp. Smart messaging services (Sending KakaoTalk Notification Talk/Friend Talk, SMS/LMS/MMS)
  2. When concluding an outsourcing contract, the Company explicitly stipulates in documents such as the contract the prohibition of processing personal information for purposes other than performing the outsourced tasks, technical and managerial protection measures, restrictions on re-outsourcing, management and supervision of the subcontractor, and liabilities such as compensation for damages in accordance with Article 26 of the Personal Information Protection Act, and supervises whether the subcontractor processes personal information safely.
  3. In accordance with Article 26, Paragraph 6 of the Personal Information Protection Act, the Company obtains the Company's prior consent if the subcontractor re-outsources the Company's personal information processing operations.
  4. If the contents of the outsourced tasks or the subcontractor change, the Company will disclose such changes through this Privacy Policy without delay.
Article 5 (Procedures and Methods for Destruction of Personal Information)
  1. The Company destroys the relevant personal information without delay when the personal information becomes unnecessary, such as the expiration of the retention period or the achievement of the purpose of processing.
  2. If personal information must continue to be preserved under other laws and regulations despite the expiration of the retention period agreed upon by the data subject or the achievement of the purpose of processing, the relevant personal information shall be transferred to a separate database (DB) or stored in a different location.
  3. The procedures and methods for destroying personal information are as follows:
    1. Destruction Procedure
      The Company identifies the personal information for which grounds for destruction have occurred and destroys the personal information with the approval of the Company's Chief Privacy Officer.
    2. Destruction Method
      The Company destroys electronic files in a manner that renders the records unrecoverable, and shreds paper documents using a shredder.
Article 7 (Rights, Obligations, and Exercise Methods of Data Subjects and Legal Representatives)
  1. Data subjects may exercise their rights to request access to, correction of, deletion of, or suspension of processing of their personal information against the Company at any time.
  2. The exercise of rights may be made in writing, via email, or by fax (FAX) in accordance with Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act, and the Company will take action without delay.
  3. The exercise of rights may also be conducted through a representative, such as a legal representative of the data subject or a person who has been delegated authority. In this case, a power of attorney in accordance with Form 11 of the "Notice on Methods of Processing Personal Information" must be submitted.
  4. Requests for access to and suspension of processing of personal information may be restricted under Article 35, Paragraph 4 and Article 37, Paragraph 2 of the Personal Information Protection Act.
  5. Requests for correction or deletion of personal information cannot be made if the personal information is explicitly specified as a collection target under other laws and regulations.
  6. The Company verifies whether the person making the request for access, correction/deletion, or suspension of processing is the data subject themselves or a legitimate representative.
Article 8 (Measures to Ensure the Safety of Personal Information)
  1. The Company takes the following measures to ensure the safety of personal information:
    1. Minimization and training of staff handling personal information
    2. Technical measures against hacking, etc.
      To prevent the leakage or destruction of personal information caused by hacking or computer viruses, the Company installs security programs, performs periodic updates and inspections, installs systems in areas with controlled access from the outside, and monitors and blocks them technically and physically.
    3. Access restrictions to personal information
      The Company takes necessary measures to control access to personal information by granting, changing, and revoking access rights to the database system that processes personal information, and controls unauthorized access from the outside using an intrusion prevention system.
    4. Use of locking devices for document security
      Documents and auxiliary storage media containing personal information are stored in a safe place equipped with locking devices.
Article 9 (Installation, Operation, and Rejection of Automatic Personal Information Collection Devices)
  1. The Company uses 'cookies' to store and frequently retrieve usage information in order to provide individualized customized services to data subjects.
    A cookie is a small amount of information sent by the server (HTTP) used to operate the website to the user's computer browser, and may also be stored on the hard disk of the user's PC.
    1. Purpose of using cookies: It is used to provide optimized information to users by understanding the types of visits and usage patterns, popular search terms, and secure connections for each service and website visited by the user.
    2. Installation, operation, and rejection of cookies: Users can refuse to store cookies through the option settings in Tools > Internet Options > Privacy menu at the top of the web browser. Detailed rejection methods for each web browser can be found in Article 12, Paragraph 7.
    3. If you refuse to store cookies, you may experience difficulties in using customized services.
  2. Matters concerning the collection, use, and rejection of behavioral information
    1. The Company collects and uses behavioral information to provide optimized customized services, benefits, and customized online advertisements to data subjects during service use.
    2. The Company collects behavioral information as follows:
      Legal Basis Collection Method Purpose of Collection and Use Items Collected Retention and Use Period
      Article 15, Paragraph 1, Item 1 of the Personal Information Protection Act Automatically collected when a user visits/runs the website and app Providing personalized product recommendation services (including advertisements) based on the user's interests and tendencies User's website/app service visit history, service usage records, search history, purchase (payment) history, and advertising identifier (ADID/IDFA) Retained for 6 months from the date of collection
    3. The Company collects only the minimum behavioral information necessary for customized online advertisements, and does not collect sensitive behavioral information that is likely to clearly infringe upon an individual's rights, interests, or privacy, such as thoughts, beliefs, family and relative relationships, academic history, medical history, or other social activity histories.
    4. The Company does not collect behavioral information for customized advertising purposes from online services known to be used primarily by children under the age of 14, and does not provide customized advertising to children known to be under the age of 14.
    5. The Company collects and uses advertising identifiers in mobile apps for customized online advertisements. Data subjects can block or allow customized advertisements in apps by changing the settings of their mobile device.
      * Blocking/Allowing Advertising Identifiers on Smartphones
      1. (Android) ① Settings → ② Google → ③ Ads → Opt out of Ads Personalization or Reset advertising ID
      2. (iPhone) ① Settings → ② Privacy & Security → ③ Tracking → Toggle off 'Allow Apps to Request to Track'
      ※ Menus and methods may vary slightly depending on the mobile OS version.
    6. Data subjects can collectively block or allow customized online advertisements by changing the cookie settings of their web browser. However, changing cookie settings may affect the use of some services, such as automatic login to websites.
      * Blocking/Allowing Customized Advertisements via Web Browsers
      1. Microsoft Edge
      2. Chrome Browser
    7. Data subjects may inquire about behavioral information, exercise their right to refuse, or report damages through the contact information listed in the Chief Privacy Officer and Personal Information Protection Department section.
    8. Chief Privacy Officer and Personal Information Protection Department
      1. The Company designates a Chief Privacy Officer as follows to take overall responsibility for personal information processing, and to handle complaints and provide damage relief for data subjects regarding personal information processing.
        Personal Information Protection Department
        Name: Ju-hyun Lee
        Phone: 070-7602-6700
        Affiliation: Heritage Project Co., Ltd.
        FAX: 0508-934-5190
        Email: jhlee@heritageproject.kr
      2. Data subjects may inquire about all personal information protection-related inquiries, complaint handling, and damage relief that occur while using the Company's services (or business) to the Chief Privacy Officer and the department in charge. The Company will respond to and process inquiries from data subjects without delay.
Article 12 (Rights and Obligations of Users)
  1. Users have the right to have their personal information protected, and bear the obligation to protect their own personal information as well as not to infringe upon the information of others, including postings. Failure to fulfill user obligations that results in damage to others' information may be subject to punishment under the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.
  2. The Company shall not be held liable for any problems arising from user negligence, such as sharing the user's ID and password or leaving the seat while logged in. To protect personal information, it is advisable for users to manage their IDs and passwords securely and change their passwords regularly.
  3. Users must maintain their personal information in an up-to-date state. The responsibility for issues arising from entering inaccurate information rests entirely with the user. Using false information, such as unauthorized use of another person's information, may lead to loss of membership, restrictions on service use, and punishment under relevant laws.
Article 13 (Chief Privacy Officer and Requests for Inspection of Personal Information)
Classification Name Contact Information
Chief Privacy Officer Title: Director
Name: Ju-hyun Lee
Phone: 070-7602-6700
Email: jhlee@heritageproject.kr
FAX: 0508-934-5190
Article 14 (Remedies for Infringement of Rights and Interests)
  1. Data subjects may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee, or the Personal Information Infringement Report Center of the Korea Internet & Security Agency (KISA) to receive remedies for personal information infringements. For other reports and consultations on personal information infringements, please contact the institutions below:

    Personal Information Dispute Mediation Committee: (Without area code) 1833-6972 (www.kopico.go.kr)
    Personal Information Infringement Report Center: (Without area code) 118 (privacy.kisa.or.kr)
    Supreme Prosecutors' Office: (Without area code) 1301 (www.spo.go.kr)
    National Police Agency: (Without area code) 182 (ecrm.cyber.go.kr)
Article 15 (Notification of Changes to the Privacy Policy, etc.)
  1. This Privacy Policy shall apply from May 10, 2025.
  2. Previous versions of the Privacy Policy can be checked at the top of the Privacy Policy page.