View Previous Policy
Orange Square Co., Ltd. (hereinafter referred to as the "Company") complies with the "Personal Information Protection Act" and relevant laws and regulations to protect the rights of data subjects, processing personal information lawfully and managing it securely. In accordance with Article 30 of the "Personal Information Protection Act," the Company establishes and discloses this Privacy Policy to protect the personal information of data subjects and to handle related grievances promptly and smoothly.
Article 1 (Purpose for Processing Personal Information)
The Company processes personal information for the following purposes. The personal information being processed will not be used for purposes other than the following, and if the purpose of use changes, necessary measures such as obtaining separate consent in accordance with Article 18 of the "Personal Information Protection Act" will be implemented.
1. Unmanned Kiosk User and Mobile App Member Registration and Management
• Confirmation of intent to join membership, identification/authentication for providing membership services, maintenance/management of membership status, prevention of unauthorized use of services, various notices/notifications, grievance handling, and record preservation for dispute resolution.
2. Processing of Civil Petitions
• Contact and notification for factual investigation, and notification of processing results.
3. Provision of Goods or Services
• Service provision, customized service provision, and payment/settlement of fees.
4. Utilization in Marketing and Advertising
• Development of new services (products) and customized service provision, provision of event and advertising information and opportunities for participation, service provision and advertisement placement according to demographic characteristics, and determination of access frequency or statistics on member service use.
5. Personal Visual Information
• Crime prevention and investigation, facility safety, and fire prevention purposes.
Article 2 (Processing and Retention Period of Personal Information)
① The Company processes and retains personal information within the personal information retention and use period prescribed by laws and regulations or within the period agreed upon when collecting personal information from the data subject.
② The processing and retention periods for each category are as follows:
| Processing Purpose | Retention & Use Period | Legal Basis (Relevant Laws) |
|---|---|---|
| 1. Member Registration & Management | 5 Years | Records on contract or withdrawal of subscription (Act on Consumer Protection in Electronic Commerce) |
| 2. Handling of Civil Petitions | 3 Years | Records on consumer complaints or disputes (Act on Consumer Protection in Electronic Commerce) |
| 3. Provision of Goods/Services | 5 Years | Records on payment and supply of goods (Act on Consumer Protection in Electronic Commerce) |
| 4. Marketing & Advertising | 6 Months | Records on labeling and advertising (Act on Consumer Protection in Electronic Commerce) |
| 5. Personal Visual Information (CCTV) | 30 Days | Internal policy and safety management |
Article 3 (Items of Personal Information Processed)
The Company processes the following personal information items:
1. Unmanned Kiosk User and Mobile App Member Registration and Management
• Unmanned Kiosk: Passport information such as name and nationality.
• Mobile App: Email, password.
2. Processing of Civil Petitions: Email, service usage history.
3. Provision of Goods or Services: Card number, passport information, service usage history, credit card information, payment details, email, name.
4. Utilization in Marketing and Advertising: Gender, date of birth, payment details, nationality, location information of users and members.
5. Personal Visual Information: Videos and photos of service usage.
Article 4 (Provision of Personal Information to Third Parties)
① The Company processes personal information only within the scope specified in Article 1, and provides personal information to third parties only in cases corresponding to Articles 17 and 18 of the "Personal Information Protection Act," such as the consent of the data subject or special provisions of the law.
② The Company provides personal information to third parties as follows:
• Recipient: SK TELECOM Co., Ltd.
• Purpose: Confirmation of customers purchasing airport package products (SIM).
• Items Provided: Name (name input by the data subject at the time of purchase application).
• Retention Period: Period during which the data subject uses the SIM (1 to 90 days).
③ However, in the following cases, personal information may be provided without the separate consent of the data subject:
1. Providing processed member IDs for promotion cashback settlement with partner companies.
2. Providing information to research organizations, survey agencies, or research institutions in a form where a specific individual cannot be identified for the purpose of statistics, academic research, or market research.
3. When there are special provisions in laws such as the Personal Information Protection Act, the Protection of Communications Secrets Act, the Framework Act on National Taxes, the Real-Name Financial Transactions Act, the Specialized Credit Finance Business Act, etc.
⑤ When providing personal information to a third party overseas in accordance with Article 28-8, Paragraph 1, Item 1 of the "Personal Information Protection Act," the Company informs the data subject of the details and obtains consent.
| Item | Details |
|---|---|
| Personal Information Transferred | Name, Gender, Date of Birth, Passport Number, Email |
| Country of Transfer | Japan |
| Timing and Method | Transmission through a dedicated network at the time of purchase of a fixed-amount recharge card |
| Recipient | N&P JAPAN (Cross-border collection agency) |
| Purpose of Use | Compliance with Article 4 of the Japanese "Act on Prevention of Transfer of Criminal Proceeds" |
| Retention and Use Period | Immediate disposal after service termination |
⑥ The overseas transfer of personal information mentioned in Paragraph 5 above is conducted only for users of specific services of the Company with their prior consent. If the user refuses the overseas transfer, they will not be able to use the corresponding service. Furthermore, if the user does not use that specific service, their personal information will not be transferred overseas.
Article 5 (Entrustment of Personal Information Processing)
① The Company entrusts personal information processing tasks as follows for smooth service provision:
| Trustee (Consignee) | Entrusted Task (Scope of Work) |
|---|---|
| Samsung Card Co., Ltd. | Card issuance, transaction approval relay, franchise network use and settlement |
| Hana Card Co., Ltd. | Card issuance, transaction approval relay, franchise network use and settlement |
| Eximbay | Transaction approval data relay and settlement |
| I-Net (Inicis) | Transaction approval data relay and settlement |
| Channel Corporation | Customer consultation solution provider |
| Woowa Bros (Baemin) | Food delivery ordering agency |
| All My Tour | Hotel reservation agency |
| Korail | KTX ticket reservation agency |
| Travelution | Korail Pass reservation agency |
| Naver (Place) | Place reservation agency |
| Google (Maps) | Place reservation agency |
| Amazon Web Services (AWS) | Cloud server operation and management within Korea |
② When concluding an entrustment contract, the Company stipulates in documents such as the contract matters concerning the prohibition of personal information processing beyond the purpose of performing the entrusted work, technical/administrative protection measures, restrictions on re-entrustment, management/supervision of the trustee, and liability for damages in accordance with Article 26 of the "Personal Information Protection Act".
③ If the contents of the entrusted work or the trustee change, we will disclose it through this Privacy Policy without delay.
Article 6 (Personal Information Destruction Procedure and Method)
① The Company destroys personal information without delay when it becomes unnecessary (expiration of retention period, achievement of purpose).
② If preservation is required by other laws despite the expiration of the agreed period, the data is moved to a separate database or stored in a different location.
③ Destruction method: Electronic files are deleted using technical methods that prevent restoration; paper documents are shredded or incinerated.
Article 7 (Rights and Obligations of Data Subjects and Legal Representatives and How to Exercise Them)
① Data subjects may exercise their rights to request access to, correction of, deletion of, or suspension of the processing of their personal information at any time against the Company.
② The exercise of rights pursuant to Paragraph 1 may be made in writing, by telephone, e-mail, FAX, etc., in accordance with Article 41, Paragraph 1 of the Enforcement Decree of the 「Personal Information Protection Act」, and the Company will take action without delay.
③ The exercise of rights pursuant to Paragraph 1 may be made through a legal representative of the data subject or an agent such as a person who has been delegated. In this case, a power of attorney in the form of Attachment No. 11 of the “Notice on Personal Information Processing Methods (No. 2020-7)” must be submitted.
④ Requests for access to and suspension of processing of personal information may result in the restriction of the data subject's rights under Article 35, Paragraph 4 and Article 37, Paragraph 2 of the 「Personal Information Protection Act」.
⑤ Requests for correction and deletion of personal information cannot be made if the personal information is specified as a target for collection in other laws and regulations.
⑥ The Company verifies whether the person making the request, such as a request for access, correction/deletion, or suspension of processing according to the rights of the data subject, is the person themselves or a legitimate agent.
Article 8 (Measures to Ensure the Safety of Personal Information)
The Company is taking the following measures to ensure the safety of personal information:
1. Administrative Measures: Establishment and implementation of an internal management plan, regular employee training, and operation of a dedicated organization.
2. Technical Measures: Management of access rights to personal information processing systems, installation of access control systems and other related protection measures, internet network blocking measures, encryption of personal information, preservation and inspection of access records, installation and renewal of security programs, and vulnerability inspection and supplement of the personal information processing system.
3. Physical Measures: Access control for computer rooms and data storage rooms, storage of documents and auxiliary storage media in a safe place with a locking device, safety measures against disasters and calamities, and control of removal/entry of auxiliary storage media.
Article 9 (Installation, Operation, and Refusal of Devices that Automatically Collect Personal Information)
① The Company uses ‘cookies’ to store and retrieve usage information from time to time in order to provide individual customized services to users.
② A cookie is a small amount of information sent by the server (http) used to operate the website to the user's computer browser and may be stored on the hard disk inside the user's computer.
• Purpose of using cookies: It is used to provide optimized information to users by identifying the type of visit and usage of each service and website visited by the user, popular search terms, whether secure access is provided, etc.
• Installation, operation, and refusal of cookies: You can refuse to store cookies through the option settings in the Tools > Internet Options > Privacy menu at the top of your web browser.
• If you refuse to store cookies, you may experience difficulties in using customized services.
Article 10 (Collection, Use, Provision, and Refusal of Behavioral Information)
① The Company collects and uses behavioral information to provide optimized customized services and benefits, online customized advertisements, etc., to data subjects in the course of using the service.
② The Company collects behavioral information as follows:
• Items of behavioral information collected: User's WOWPASS card payment, mobile app access, and service usage history.
• Method of collecting behavioral information: Automatic collection of the user's WOWPASS card payment records, mobile app access, and usage history.
• Purpose of collecting behavioral information: To provide personalized services suitable for the user's interests and service payment patterns.
• Retention/use period and subsequent data processing method: Automatically destroyed 90 days after the date of collection.
Article 11 (Judgment Criteria for Additional Use and Provision)
① In accordance with Article 15, Paragraph 3 and Article 17, Paragraph 4 of the 「Personal Information Protection Act」, the Company may additionally use or provide personal information without the consent of the data subject, taking into account the matters under Article 14-2 of the Enforcement Decree of the 「Personal Information Protection Act」.
② Accordingly, the Company has considered the following matters in order to make additional use or provision without the consent of the data subject:
• Whether the purpose for the additional use or provision of personal information is relevant to the original purpose of collection.
• Whether there is predictability for additional use or provision in light of the circumstances under which personal information was collected or processing practices.
• Whether the additional use or provision of personal information unfairly infringes on the interests of the data subject.
• Whether necessary measures to ensure safety, such as pseudonymization or encryption, have been taken.
Article 12 (Privacy Officer and Manager)
① The Company is responsible for overall management of personal information processing and has designated a Personal Information Protection Officer and responsible personnel as follows to handle complaints and provide remedies for damages related to personal information processing:
| Category | Name | Title | Contact |
|---|---|---|---|
| Privacy Officer | Hyung-seok Choi | Vice President | 1833-5508 / cs@orangesquare.kr |
| Privacy Manager | Bo-seok Do | Information Security Team Leader | 1833-5508 / cs@orangesquare.kr |
② Data subjects may inquire with the Personal Information Protection Officer and the responsible department regarding all inquiries, complaint handling, and damage relief related to personal information protection that occur while using the Company's services. The Company will respond to and process such inquiries without delay.
Article 13 (Department Receiving and Processing Requests to View Personal Information)
Requests to view personal information under Article 35 of the Act can be made to:
• Department: CX Team / 1833-5508 / cs@orangesquare.kr
Article 14 (Remedies for Infringement of Rights and Interests)
Data subjects may apply for dispute resolution or consultation with the ‘Personal Information Dispute Mediation Committee’ or the ‘Korea Internet & Security Agency (KISA) Personal Information Infringement Report Center’ to seek remedies for personal information infringement. In addition, for other reports or consultations regarding personal information infringement, please contact the following organizations:
• Personal Information Dispute Mediation Committee: (Without area code) 1833-6972 (www.kopico.go.kr)
• Personal Information Infringement Report Center: (Without area code) 118 (privacy.kisa.or.kr)
• National Police Agency: (Without area code) 182 (ecrm.cyber.go.kr)
Article 15 (Operation and Management of Video Information Processing Equipment)
The Company installs and operates video information processing equipment as follows:
1. Basis and Purpose of Installation: Facility safety and crime prevention for the Company’s unmanned kiosks.
2. Number of Units, Installation Location, and Shooting Range:
| Number of Units | Installation Location | Shooting Range |
|---|---|---|
| Per unmanned kiosk unit | Around the top-front of the unit | Service area around the kiosk |
3. Manager in Charge and Personnel with Access Rights:
| Category | Name | Department & Title | Contact |
|---|---|---|---|
| Manager in Charge | Bo-seok Do | Information Security Team Leader | 1833-5508 |
| Authorized Access User | Jin-hoon Hwang | Control Room Team Leader | 1833-5508 |
4. Recording Time, Retention Period, Storage Location, and Processing Method:
| Recording Time | Retention Period | Storage Location |
|---|---|---|
| 24 Hours | 30 Days from the time of recording (Automatic deletion in order of oldest records) | DVR storage device within the kiosk |
※ Processing Method: Matters concerning the use of personal visual information beyond the intended purpose, provision to third parties, destruction, and requests for access, etc., are recorded and managed. Records are automatically deleted in chronological order (oldest first) starting from the point when the storage media capacity is exceeded.
5. Method and Location for Verifying Visual Information: On-site verification at the unmanned kiosk or remote verification via office PC.
6. Measures for Data Subjects' Requests for Access, etc., to Visual Information: An application must be submitted along with a copy of a passport for identity verification. Access is permitted only if the data subject themselves is recorded, or if it is clearly necessary for the protection of the life, body, or property interests of the data subject.
7. Measures to Ensure the Safety of Personal Visual Information:
• Personal visual information processed by the Company is managed securely through measures such as encryption.
• To protect personal visual information, the Company grants differential access rights to visual information. To prevent forgery or alteration, the Company records and manages the date and time of creation, purpose of access, person accessing, and date/time of access. Lockable devices are installed for the secure physical storage of personal visual information.
Article 16 (Amendment of Privacy Policy)
① This Privacy Policy is effective as of February 9, 2026.
② Previous versions (applied from July 11, 2022, to February 8, 2026) can be accessed through the link below.