MiriCanvas DesignHub Personal Information Processing Policy
MIRI.DIH Co., Ltd. (hereinafter "the Company"), which operates the MiriCanvas DesignHub (designhub.miricanvas.com), complies with the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. pursuant to its provisions. The Company has the following processing policy for personal information to protect the Member's personal information, rights, and interests, and to efficiently process the Member's personal information grievances in accordance with the Personal Information Protection Act and other relevant laws of the Republic of Korea. If the Personal Information Processing Policy is amended in the future, such amendment will be notified publicly through website (or by individual notice).
Article 1. The Purpose for which Personal Information is Processed
The Company extends its best efforts under the policy for personal information to be securely protected and stored so that no rights and interests are infringed. Personal information is utilized for purposes such as membership registration, efficient customer service, and the provision of paid services; the purpose of the Personal Information Processing Policy is to provide full transparency on personal information, such as what information the Company collects, how such collected information is used, when it is shared ("outsourced or provided") as needed and with whom, and when and how information is destroyed when the purpose of its use is achieved. If any relevant Personal Information Processing Policy is amended, such as by changes to the Terms of Service or the collection of additional personal information etc., accessible and comprehensible notice of such amendment will be given publicly on the web site, or individually by email.
Article 2. The Particulars of Personal Information to Be Collected, and Means of Collection
The Company collects members' personal information for membership registration and the provision of services; the particular of collected information and the means of collection are as follow:
- The particulars of personal information to be collected
- At initial membership registration, the Company collects the following minimum particulars of personal information as required information:
- Required information: Email address, name, password
- Optional information: Profile picture, name of company/organization, size of company/organization, industry, department, type (individual/corporation/organization), region, phone number, field value etc.
- The following information may additionally be collected in the course of service usage or customer service:
- Transaction information: Accounting point person information for the issuance of a tax invoice (name, contact information, email address), resident registration number, passport number, business registration number, address, account number, copy of identification etc. for royalty income payment
- Service usage information: Inquirer information (name, email address, phone number), telephone number, IP address, cookie, date and time of visit, service usage record, abnormal usage record, browser information, operating system (OS) information, device information, MAC address, date and time of visit etc.
- Means of Collecting Personal Information
- The Company collects personal information with the following means:
- Website, written form, telephone, email, event entries, facsimile, customer service tool
- Provision by a partner or a third party in a service partnership
Article 3. The Purpose of Personal Information Collection and Usage
The Company will use members' personal information collected through membership registration for the following specified purposes:
- Member Management
- Provision and improvement of services, member identification, limitations placed on the usage of members who violated the terms of service, sanctions on activities that hinder the operation of services and on illegitimate uses of the service, confirmation of the intention to join, limitations on registration and the number of registrations, confirmation of a legal representative's consent if the personal information of a child under 14 is collected, confirmation of the legal representative's identity after the fact, preservation of records for mediation of conflicts, processing of complaints such as grievances, transmission of notice, confirmation of the intention to withdraw membership etc.
- Usage in the development of new services, marketing, and advertisement
- The development of new services and the provision of customized services, the provision of services and display of ads in accordance with statistical characteristics, confirming service validity, the provision of information on company and partner events and of opportunities to participate, provision of promotional information, identification of access frequency, statistical analysis of members' service usage etc.
- Performance of contracts on the provision of services and settlement of fees for the provision of paid services
- Provision of paid services, the provision of specific customized services, billing for paid services, payment for purchases and fees, identity authentication, shipping or mailing of goods or bills etc., fee collection etc.
- Preservation and submission as evidence in legal disputes etc.
- Provision of sales reports and royalty payments
Article 4. Consent to the Collection of Personal Information
The Company shall display the Personal Information Processing Policy so that members can verify it to their satisfaction on joining, and configure the environment so that they sign up after giving their consent. All members who have registered membership are deemed to have consented to the entirety of the personal information collection procedure and purpose of use above
Article 5. The Period for Retaining and Using Personal Information
The Company processes and retains personal information during the period for retaining and using personal information in accordance with law, or the period for retaining and using personal information to which the data subject consented at the time the personal information was collected. Each piece of personal information is processed and retained for the following periods:
- Records related to cancellation of contracts or subscriptions etc.: Five (5) years (Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, Etc., Article 6)
- Records related to payment for and supply of goods, etc.: Five (5) years (Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, Etc., Article 6)
- Records relating to resolution of consumer complaints or disputes: Three (3) years (Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, Etc., Article 6)
- Records related to marks and advertisements: Six (6) months (Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, Etc., Article 6)
- Website visitation record: Three (3) months (Enforcement Decree of the Protection of Communications Secrets Act, Article 41)
- Even without a basis for the retention of personal information in the relevant law, the Company may otherwise retain personal information to prevent material loss to itself, or when obligated to do so for criminal trial, litigation etc.; provided that such retention shall be for the minimum period and particulars necessary to achieve such purpose.
- Identifying information to prevent repeat registration if membership was withdrawn; or
- Identifying information to refuse transactions to persons whose membership was removed under the Terms of Service.
- In accordance with the validity period of personal information, the Company will separate out for retention or destroy the personal information of members who have not used the service for one (1) year, and the separately retained personal information will be destroyed without delay after four (4) years of retention. The member will be notified by email about this separate retention or destruction by thirty (30) days prior to the expiration of the one-year period above, that the personal information will be separately retained or destroyed, the date on which the period expires, the particulars of the personal information to be destroyed etc.
- Accounting documents on the payment and transfer of royalties and their details will be retained in accordance with the periods provided for in the relevant law such as the Commercial Act, the Framework Act on National Taxes etc.
Article 6. Procedures and Methods for Destroying Personal Information
As a rule, the Company destroys personal information without delay when the purpose of processing it has been achieved. The procedure and method for such destruction is as follows:
- Destruction procedure
- Information entered by the Member is transferred to a separate database (a different document if on paper) after the purpose is achieved, then destroyed immediately or after retention for a certain period in accordance with internal policy and relevant law. The personal information transferred to the database at this time is not used for any other purpose unless by law.
- Method of destruction
- Technical means are used on records in electronic file form to make the record irretrievable.
- Personal information printed on paper will be shredded by a shredder or destroyed by burning.
Article 7. The Provision of Personal Information
As a rule, the Company shall not provide the Member's personal information outside the Company; provided that exceptions apply as follow:
- The Members gave advance consent;
- Where the information is necessary for statistics, scientific research, or market research, and is provided in a form from which specific individuals cannot be identified;
- Causes relating to the assignment, merger etc. of business arise (provided that if Member personal information must be transferred for cause relating to the assignment of business etc., the Company will give advance notice on the fact of the personal information transfer etc. in accordance with the procedures and methods provided for in the relevant law, and the Member will be given the right to withdraw consent to the transfer of personal information); or
- Where it is in accordance with legal provisions, or an investigative agency requests it for investigative purposes.
Article 8. Outsourcing of Personal Information
- The Company outsources the work of processing personal information as follows for the purpose of efficient personal information work:
Outsourcee | Outsourced Work |
---|---|
Amazon Web Service (AWS) | The provision of cloud IT\ninfrastructure |
Inicis | Credit card payment service |
Settlebank | Simple payment service |
Zendesk | Customer service\n |
Modusign | Electronic contract service |
Stibee, Cheom Soft | Email transmission service |
Biz-Con | Gifticon transmission service |
Creator, GDN, DDN, Facebook, LinkedIn | Member-customized advertisement |
Payoneer Inc., | Payment Transfer Service |
- The Company, in contracting to outsource, specifies in documentary form such as in the contract the prohibition against processing personal information outside the purpose of performing the outsourced work, technical and managerial safeguards, restrictions on sub-outsourcing, management and supervision of the outsourcee, and matters of liability such as the compensation of damage, and supervises the safe processing of personal information by the outsourcee in accordance with Article 26 of the Personal Information Protection Act.
- If the outsourced work or outsourcee under this Personal Information Processing Policy is modified, the Company will disclose such change through this Personal Information Processing Policy without delay.
Article 9. The Rights of the Member and Their Legal Representative, and Means of Their Exercise
- The Member and their legal representative may at any time inquire or modify the Member's own registered personal information, and may request termination of membership. If an email applying for withdrawal of membership is sent to the customer service center, the withdrawal will be processed after verifying personal identity.
- The Company will process the personal information terminated or deleted at the request of the Member or their legal representative as specified in Article 5. The Period for Retaining and Using Personal Information, and will process it so that it cannot be perused or used for any other purpose.
- If the right under Paragraph 1 is exercised through an agent such as a legal representative of the Member, documentation such as a Power of Attorney must be furnished and submitted to the Company.
- The request to peruse and to cease the processing of personal information may be limited by Articles 35 (4) and 37 (2) of the Personal Information Protection Act, while the request to correct or delete may be refused if such personal information is prescribed as subject to collection in another law.
Article 10. The Installation, Operation, and Removal of a Personal Information Automatic Collection Tool
MiriCanvas DesignHub uses cookies to store, and from time to time load, usage information for the provision of individual customized services. A cookie is a small amount of information sent to the Member's computer browser by a server (http) used to operate a website, and may be stored in the hard disk of Members' personal computers.
- The purpose of cookies: Identifies the services visited by the Member, aspects of the Member's visits to and uses of services and websites, popular search keywords, whether access was secure etc. to provide optimized information to the Member.
- The installation, operation, and refusal of cookies: The Member can refuse cookie storage by configuring options in the Tools Internet Options > Personal Information menu at the top of their web browser.
- Refusing cookie storage may cause difficulties in the use of services.
Article 11. Personal Information Safeguards
The Company takes the following technical, managerial, and physical measures necessary to ensure safety in accordance with Article 29 of the Personal Information Protection Act:
- Minimalization of employees who handle personal information, and their training
- The Company implements measures to designate employees who handle personal information and minimalizing them to persons in charge for the management of personal information.
- Technical policies in case of hacking etc.
- The Company installs security software to prevent the leakage of and damage to personal information from hacking, computer viruses etc., regularly updates and inspects such software, installs systems in areas where access from the outside is restricted, and keeps them under technical and physical surveillance and blocks.
- Encryption of personal information
- The Member's personal information and password are encrypted for management and storage, making it knowable only to the Member personally; separate security functions are applied to crucial data, such as encryption of the file or transmitted data, or the use of file locking mechanisms.
- Limited access to personal information
- Measures are being taken to limit access to personal information through the grant, modification, and expungement of authority to access database systems to process personal information, and an infiltration blocking system controls unauthorized access from the outside.
Meanwhile, when providing services to members in the European Union (EU), the Company complies with the EU's General Data Protection Regulation and the laws of the EU member states (hereinafter "GDPR etc."), and the following may apply:
- The purpose and basis of personal information processing: The Company uses the collected personal information only for the purposes stated in Article 3, gives the Member advance notice of this fact, and seeks the Member's consent. Also, in accordance with the GDPR etc., the Company may process the Member's personal information if any one of the following applies:
- The data subject consented;
- It is for the conclusion and performance of a contract with the data subject;
- It is to comply with legal requirements;
- Processing is necessary for the crucial interest of the data subject; or
- It is for the pursuit of the Company's legitimate interests (the foregoing does not apply where the data subject's interests, rights, or freedoms are more important than the interests pursued by the Company.
- The guarantee of the rights of the Member who uses the Company's services within the European Union (EU)
According to the GDPR etc., the Member may request the Company to transfer their personal information to a different manager, and may also refuse the processing of their personal information. Furthermore, the Member retains the right to bring grievances on the processing of their personal information before the personal information protection authorities. Meanwhile, the Company may use personal information to provide marketing such as events or advertisement to the Member and seek the Member's consent in relation to the foregoing; the Member may at any time withdraw their consent if such marketing is not desired. The Member may request the foregoing requests by means such as telephone, email, documents etc.; the Company will act on such request without delay once it is filed. If modification or correction is requested for errors in the Member's personal information, the Company will not use or provide such personal information of the Member until such matter is modified or corrected.
Article 12. Notice of Changes to the Personal Information Processing Policy
The above Personal Information Processing Policy applies from the date of its implementation; if there are additions, deletions, or corrections to the modifications in accordance with law and policy public notice of such change will be given at least seven (7) days before implementation.
Article 13. Privacy Officers and Persons Responsible
This Company has designated a privacy officer as follows to be responsible for overall personal information processing work, and for the processing of data subject grievances and relief for damage etc. in relation to the processing of personal information:
- Department responsible for personal information management: Content Sourcing Team
- Email: creative@miridih.com
- Name of privacy officer: Min-kyu Kim
- Telephone number: +82-70-4355-4884
- Email: creative@miridih.com
You may inquire with the Privacy Officer and responsible department for all inquiries, grievance, relief for damage etc. arising from the use of the Company and the Company's services (MiriCanvas DesignHub). If you otherwise require reporting or consultation on the infringement of personal information, please inquire with the following bodies:
- Personal Information Infringement Report Center (https://privacy.kisa.or.kr/main.do /118 without area code)
- The Cybercrime Investigation Center of the Supreme Prosecutors' Office (http://www.spo.go.kr / +82-2-3480-2000)
- Cyber Bureau of the Police Agency (https://www.police.go.kr/www/security/cyber.jsp 182 without area code)
This Policy is implemented starting on February 8th, 2024.