SHIHYO

The Company handles personal data for the following purposes. The personal data handled by the Company shall not be used other than for the fulfillment of the following purposes; should the purposes be modified, the Company shall take necessary measures, such as receiving separate consent according to Article 18 of the Personal Information Protection Act.

① Member management
The Company handles personal data for the identification and verification of members for the provision of the membership service, maintenance and management of membership qualifications, identity verification according to the real-name system, operation of membership grades, provision of consultation services, delivery of various notifications and notices, and preservation of records for the handling of appeals such as customer complaints
② Provision of resources or services
The Company handles personal data for the provision of services and content, calculation of rates, and customized consulting services for customers.
③ Marketing and advertisement purposes
The Company handles personal data for the provision of new products (services) and tailored services, provision of advertising information and opportunities for events, provision of services and advertisements according to demographic characteristics, confirmation of service validity, and identification of access frequency or member’s service use statistics.

The Company handles the following personal data items.

a. Membership and member management

b. Utilization of data for marketing and advertisement purposes
- Upon agreeing to receive service and event notifications: Name, date of birth, mobile phone number, purchase history, and registered stores
- [Optional] E-mail address, sex, skin problems, skin type, and other information identified during consultations, such as consultation content

c. Items generated and collected during service use or the handling process
- Service use history, access record, IP address, and cookies

The Company handles, retains, and uses personal data for the period agreed by the customers upon the collection of their personal data or the period according to relevant laws.

① The retention and use periods upon obtaining the customer's consent of collecting their personal data shall be as follows.
Point of membership cancellation or three (3) years from the last purchase (three (3) years from the date registered as a member if there is no transaction record). However, relevant laws shall apply for the retention and use of personal data if special provisions exist.
② The retention periods according to relevant laws shall be as follows.
a. Records on consumer complaint or dispute handling: three (3) years (Act on the Consumer Protection in Electronic Commerce)
b. Records on payment, provision of resources, etc.: five (5) years (Act on the Consumer Protection in Electronic Commerce)
c. Records on cancellation of contracts or orders: five (5) years (Act on the Consumer Protection in Electronic Commerce)
③ The Company shall destroy personal data from the point of membership cancellation or three (3) years from the last purchase (three (3) years from the date registered as a member if there is no transaction record).

① Reason for destruction
If the information that a customer has entered to sign up as a member becomes no longer necessary due to reasons such as the expiry of the retention period or achievement of handling purposes, the relevant information shall be destroyed immediately. The same shall apply when the customer requests membership cancellation or deletion of information; provided, however, that should the information be stored for a certain period, the relevant information shall be destroyed after the period stipulated by the law in a separate database (a separate cabinet in case of paper documents). In such a case, the personal data stored in another database shall not be used for purposes other than to serve the purpose of the law.
② The destruction procedures and methods of personal data shall be as follows.
a. Destruction procedures
The Company shall select items of personal data to be destroyed and obtain the approval of the privacy officer within the Company to destroy the said items.
b. Destruction methods
The Company shall use technical methods to destroy personal data items stored as electronic files to prevent the restoration of records; personal data stored and written on paper documents shall be destroyed using a shredder or incinerated.
③ The Company shall deactivate the account of the customer who has not used the services for one (1) year and store the relevant personal data separately. The separately stored personal data shall be destroyed immediately after two (2) years. At least thirty (30) days prior to deactivating the account, the Company shall notify the member of the deactivation, the date of deactivation, and personal data items to be stored separately through means such as an e-mail or text message. Members who do not wish to deactivate their account must log into the service before the expected deactivation. Even in the event that an account has already been deactivated, the member may still log in and provide consent to activate his/her account and access the service.

① For successful handling of personal data-related tasks, the Company consigns a part of its personal data handling tasks to third parties (refer to the table below). The Company conducts thorough management and supervision, including the definition of matters necessary for the consigned company (consignee)’s safe handling of customers’ personal data, according to the privacy protection laws. Upon the conclusion of a consignment contract, the Company, as the consignor, strives to protect the customers’ personal data by clarifying the prohibition of handling personal data other than the fulfillment of consigned tasks according to Article 26 of the Personal Information Protection Act, technical and managerial protection measures, management and supervision plans on consignees, and responsibilities regarding compensation for damages.

② In the event of any change to the content of the consigned tasks or consignee, the Company shall immediately amend this Policy and notify customers of the changes.

① At any given time, a customer may exercise his/her rights to view, correct, and delete their personal data, or ask the Company to suspend the data handling.
② The rights shall be exercised through methods according to Article 41(1) of the Enforcement Decree of the Personal Information Protection Act, including phone calls to the customer center through the contact information disclosed on the Company’s website, contacting the privacy officer and manager through the contact information disclosed on this Policy, written documents sent to the Company, or e-mails, and the Company shall immediately handle the customer’s execution of rights.
③ The rights may be exercised by a representative, including the legal representative of the customer or a person delegated by the customer. In such a case, the power of attorney using the form of Attachment 11 of the Notification on the Personal Information Handling Method (Notification No. 2020-7) shall be submitted.
④ The customer's request to view data and suspend data handling may be limited according to Article 35(4) and Article 37(2) of the Personal Information Protection Act.
⑤ In the case of correction and deletion requests of personal data, the customer cannot demand a deletion if the personal data item is subject to collection.
⑥ The Company shall confirm that the person who requested the viewing, correction, deletion, or suspension of data handling according to his/her rights as the data subject is the actual holder of the rights or legitimate representative.

① The Company may use cookies to provide personalized services. Cookies are small data packets sent from the HTTP server to the user’s browser, which are saved to members’ hard drives. Cookies identify users’ computers, but they do not identify the users.
② The Company uses cookies for the following purposes.
a. To analyze the access frequency of members and non-members and identify their tastes and interests to utilize them for targeted marketing and service renovations.
b. To identify the participation level and the number of visits during the operation of the Company’s various events to grant discriminatory draw opportunities and provide differentiated information according to individual areas of interest; and
c. To track the items customers were interested in to provide tailored services for individual customers in the next shopping session. Cookies expire when the user closes the browser or logs out. Cookies expire after a day, but customers may also delete cookies from their browsers.
③ Users have the option of installing cookies.
Customers may accept all cookies, receive notifications when a cookie is installed, or reject all cookies by clicking Tools > Internet Options > Privacy > Advanced on top of the browser. However, if the customer refuses to install cookies, there may be restrictions on using tailored services.

① To protect the personal data of customers and handle relevant complaints, the Company designates the responsible department and personnel as follows.

a. Privacy department and manager
Department and name: Customer Management Support Team (Manager Jeon Yang-hyeon)
Contact : 1670-6717, help@loshian.com

b. Privacy officer
Department and name: CEO Gwak Jin-ah
Contact : 1670-6717, help@loshian.com

② Customers may request to view their personal data according to Article 35 of the Personal Information Protection Act by contacting the privacy department. The Company shall strive to quickly handle customers’ requests to view their personal data.

The Company takes the following measures to secure the safety of personal data.

a. Managerial measures: Establishment and implementation of internal management plans, operation of a dedicated organization, and provision of regular employee education
b. Technical measures: Management of access permissions to the personal data handling system, installation of the access control system, encryption of personal data, and installation and renewal of antivirus software
c. Physical measures: Limitation of access to the data processing room, data storage, etc.

The Company does not accept membership requests from children under 14 nor collect their personal data.

To receive remedy for infringement of privacy rights, customers may request settlement of disputes or consultations to the Personal Information Dispute Mediation Committee or the Personal Information Infringement Report Center. Users may contact the following agencies for other reports or consultations on the infringement of the right to privacy.

a. Personal Information Dispute Mediation Committee : (without area code) 1833-6972 (www.kopico.go.kr)
b. Personal Information Infringement Report Center : (without area code) 118 (privacy.kisa.or.kr)
c. Supreme Prosecutors’ Office : (without area code) 1301 (www.spo.go.kr)
d. National Police Agency : (without area code) 182 (ecrm.cyber.go.kr)

① This Policy shall be effective from May 3, 2023. Should an addition, deletion, or editing occur due to the changes in government policies or security technology, the Company shall announce the reason and content of the amendment through its website at least seven (7) days prior to the amendment.
② The previous version of this Policy can be found below.
- Enforcement date: December 19, 2022