Coupang Pay Privacy Notice (V.1.4)
Coupang Pay. Ltd. (“Coupang Pay” or “Us” or “We”) is committed to protecting Customers’ personal data at all times.
We are committed to ensuring that the way we conduct our business is compliant with applicable data protection and privacy laws in the Republic of Korea, including the Act on Promotion of Information and Communications Network Utilization and Information Protection (“the Network Act”), the Personal Information Protection Act (“PIPA”), and the Credit Information Use and Protection Act (the “CIUPA”).
This Privacy Notice applies to the services that Coupang Pay provides.
1. Types of Personal Data Collected and Methods of Collection 2. Use of Personal Data 3. Provision of Personal Data 4. Consignment of Personal Data Processing 5. Retention and Destruction of Personal Data 6. Processing of Pseudonymized data 7. Rights and Obligations of Customers 8. Installation/Operation of Automatic Information Collection Tool and How to Opt-out 9. Measures to Protect Personal Data 10. The Chief Privacy Officer and Staff Responsible for Privacy Inquiries 11. Obligation of Notification
|
1. Types of Personal Data Collected and Methods of Collection
We collect Customers’ personal data in order to process membership sign-up and provide services as set out below:
(1) Types of personal data collected
Category | Items to be Collected and Used | |
Customer sign-up; identity verification; customer management and service | ID (email), name, date of birth, sex, mobile number, password, nationality (Korean or other citizens), Connecting Information (CI), Duplicate Information (DI) | |
Payment, settlement, refund | Bank account for payment (bank name, account number, account holder’s name), credit card information (company name, virtual card number (or masked card number)), mobile contact information (carrier, number), cash receipt information, bank account for refund (bank name, account number, account holder’s name), bank account for settlement (bank name, account number, account holder’s name) | |
Customer Due Diligence | Consumers | Nationality, address, (Under enhanced due diligence(EDD)) real name [(resident registration number and resident registration certificate issue date (for Koreans) or alien registration number and alien registration certificate issue date (for other citizens), international driver’s license, passport number, passport expiration date and passport issuing country (for other citizens)], an abstract of resident registration (for minors), occupation or type of business, purpose of transaction, source of funds |
Businesses | Individual: real name and identifiers (name, date of birth, sex, CI, bank account information), address, phone number Corporate body: Representative’s and owner’s name(s), date of birth, sex, nationality (Under enhanced due diligence(EDD)) resident registration number or alien registration number, occupation or type of business, purpose of transaction, source of funds | |
Data that may be collected during the use of website (PC/mobile) and/or mobile app | Service usage history, access logs, IP address, payment record, device information (OS type and version) | |
(2) Methods of collection
A. Personal data that Customers consent to collection upon sign-up or during the use of services and are entered by the Customers themselves or duly provided by Coupang Corp. (“Coupang”)
B. Personal data collected during customer support interactions via website, email, fax, or phone call
C. Personal data collected when Customers participate in online or offline promotional events
D. Data generated by log analysis tools including cookies
2. Use of Personal Data
Coupang Pay uses collected personal data only within the scope specified below, including customer management, development, provision, and improvement of services, and implementation of secure platform, and always obtains prior consent from Customers in case any change is made to the purpose of use.
(1) Management of customer (service users), including sign-up, identification and verification, customer service, dispute settlement, and processing of withdrawal from service
(2) Settlement for purchase or sales of products and provision of mobile payment services (payment, cancellation, registration of payment account, verification of account holder), including identity and name verification, payment method authentication, fraud prevention, cash receipt issuance, and refund
(3) Provision of customized services, improvement of existing services, and development of new services based on analytics on visit and usage patterns and statistics on service usage
(4) Restriction of service on Customers who violate applicable laws or terms and conditions by fraudulent use (or transaction) of service; retention of records for dispute settlement; and handling Customer complaints
(5) Anti-money laundering compliance including Customer Due Diligence and reporting of suspicious transactions pursuant to the Act on Reporting and Using Specific Financial Transaction Information
(6) Marketing activities including ads and promotions; providing information about promotional events and opportunities to participate
3. Provision of Personal Data
Coupang Pay never provides Customers’ personal data to third parties without prior consent from the Customer, unless it is required to provide such data to authorities by applicable laws and regulations or to process mobile payment for transaction. In this case, we provide personal data with Customers’ prior consent to the respective third parties within the required scope as set out below:
(1) Registration of and payment by credit card
Recipient | Purpose of Provision | Data Provided | Period of Retention and Use |
Credit card companies, including KB Kookmin Card, BC Card, Lotte Card, Samsung Card, NH Nonghyup Card, Hyundai Card, Shinhan Card, Hana Card, Woori Card, Citi Card | Payment processing, prevention of payment fraud, identification and name verification for registration of mobile payment service | Credit card company name, date of birth, CI | Customer’s credit card information is deleted immediately upon withdrawal from Coupang Pay service |
(2) Registration of and payment by bank account
Recipient | Purpose of Provision | Data Provided | Period of Retention and Use |
Banks where Customers’ bank account is opened, including KB Kookmin Bank, Woori Bank, Shinhan Bank, Industrial Bank of Korea, NH Nonghyup, Kyongnam Bank, Kwangju Bank, Daegu Bank, Busan Bank, Korea Development Bank, Suhyup Bank, National Credit Union Federation of Korea, Korean Federation of Community Credit Cooperatives, Citi Bank, Korea Post, Jeonbuk Bank, Jeju Bank, SC Bank, KEB Hana Bank | Payment processing, prevention of payment fraud, identification and name verification for provision of service, checking or redeeming reward points | Bank account number, name, date of birth | Customer’s account information is deleted immediately upon withdrawal from Coupang Pay service |
(3) Open Banking
Recipient | Purpose of Provision | Data Provided | Period of Retention and Use |
Korea Financial Telecommunications & Clearings Institute | Processing of debit transfer, confirmation of withdrawal agreement, registration of debit transfer, notification of withdrawal | Name, mobile phone number, date of birth, financial company name and account number, CI | During the provision of Coupang Pay service |
(4) Point conversion
Recipient | Purpose of Provision | Data Provided | Period of Retention and Use |
KEB Hana Card, WOORICARD, KB Kookmin Card Corp. | Identification for point tracking and conversion | Connecting information (CI) | Deleted after identification without delay |
(5) Personal credit information
Recipient | Purpose of Provision | Data Provided | Period of Retention and Use |
Coupang Corp. | Evaluated credit worthiness, credit-related model development and (statistics) analysis, provide customized service; and maintain and provide follow-up management of this contract and the ones before. | Date of service subscription, type and number of payment methods registered by the user, coupay/ coupang cash usage history | During the provision of Coupang Pay service |
4. Consignment of Personal Data Processing
Coupang Pay delegates the processing of personal data to our third parties only within the scope necessary
for provision of service. We clearly specify the requirements for secure processing of such data and oversee how securely our third parties process Customers’ personal data consigned to them in compliance with the Network Act, PIPA, and other applicable laws.
Consignee | Purpose of Consignment |
Coupang Corp. | System development and operation, service operation, customer service and management |
NHN KCP Corp., Nice I&T, Danal Co., Ltd., KG Mobilians, Korea Information Communication Corp., Galaxia Communications Co., Ltd., Settlebank. Inc., NICE Payments | Authentication of payment methods and processing of payment (bank transfer, credit card, mobile payment, virtual account (including creation/management), deposit without bankbook, and other payment methods; verification of account for refund), cash receipt issuance |
Korea Mobile Certification Inc., Korea Credit Bureau, ThinkAT, Inbiznet Co., Ltd. | Identity verification, ARS authentication for obtaining consent to debit transfer |
5. Retention and Destruction of Personal Data
Coupang Pay destroys Customers’ personal data immediately when the purpose of collection and use of such data is achieved, except for data whose retention period is determined otherwise as stipulated below:
(1) Data retained pursuant to internal policies
Pursuant to our internal policies, Customers’ personal data can be retained for six (6) months, before being destroyed, from the withdrawal of consent to collection and use of personal data, for the investigation or prevention of transaction fraud (i.e., transaction that violates laws and regulations or terms of service between the Company and the Customer or that infringes rights or interest of the Company, other Customers, or other parties).
(2) Data retained pursuant to applicable laws and regulations
Coupang Pay retains personal data in compliance with the laws and regulations for the required period of time and never uses them for any other purposes not specified herein. Once the retention period expires, the data retained pursuant to applicable laws and regulations will also be destroyed without delay in technical ways that prevent any recovery of the data.
Retained Data | Retention Period | Relevant Statute |
Records on payment and supply of goods | 5 years | Act on Consumer Protection in Electronic Commerce, etc. |
Records on withdrawal of contract or subscription | 5 years | |
Records on Customer complaints or dispute settlement | 3 years | |
Records on labelling and advertisement | 6 months | |
Records on electronic financial transactions | 5 years | Electronic Financial Transactions Act |
Ledgers and supporting documents regarding all transactions as stipulated in the tax laws | 5 years | Framework Act on National Taxes, Corporate Tax Act |
Information for Customer due diligence | 5 years | Act on Reporting and Using Specified Financial Transaction Information |
Service access logs | 3 months | Protection of Communications Secrets Act |
(3) Destruction method
The retention and use period of the personal data collected starts when the service contract is signed and ends when the contract is terminated. If Customers withdraw consent, Coupang Pay immediately disposes of all of their personal data, with the exception of some retained due to the reasons specified above for a certain period, which will be transferred to a separate database and kept securely and then be destroyed without delay when the predetermined retention period expires through methods that ensure the information cannot be recovered. Hard copy printouts of personal data are shredded or burned, whereas electronic files of personal data are disposed through technical or physical means that ensure the information cannot be recovered.
6. Processing of Pseudonymized data
In order for credit rating modeling of our PayLater service, we process pseudonymized data, including the number of registered payment methods, member ID, mobile payment membership status and number of payment methods registered, CouPay Money balance and number of top-ups. After pseudonymization, the data are consigned to Korea Credit Bureau for analytics and credit rating modeling of PayLater service. Also, Coupang Pay has implemented measures to protect pseudonymized data in compliance with Article 28 of the PIPA and Article 40(2) of the Credit Information Use and Protection Act.
7. Rights and Obligations of Customers
(1) Rights of Customers
A. Access to personal data
Customers have the right to access their personal data collected by Coupang Pay. Customers’ request for access to their personal data may be restricted pursuant to applicable laws and regulations:
· Where an access is prohibited or restricted by applicable laws; or
· Where it is apprehended that any other person’s life or body may be harmed, or any other person’s property or other interests may be unduly infringed on
B. Request for suspension of personal data processing
Subject to Article 37-(2) of PIPA, Customers have the right to request the suspension of processing of their personal data collected by Coupang Pay. However, any suspension may impact the customer’s ability to receive services from Coupang Pay.
C. Correction or deletion of personal data
Customers have the rights to request the correction or deletion of personal data collected by Coupang Pay. In such a case however, if the collection of such personal data is stipulated in applicable laws, Customers cannot request the deletion thereof.
D. Methods of exercising rights
· Customers can exercise their rights by submitting a request to Coupang Pay using the Form 8 of the Enforcement Regulations of the PIPA via a written form, email, or fax, and Coupang Pay will take action without delay.
· When a Customer requests to have his/her personal data corrected or deleted, Coupang Pay suspends the use and processing of the data until the correction or deletion is completed.
· Customers can exercise their rights through a legal representative or designee by submitting a power of attorney using the Form 11 of the Enforcement Regulations of the PIPA.
· .
(2) Obligations of customers
Customers have an obligation to protect their personal data. Coupang Pay is not liable for issues that arise due to personal data leakage caused not by the fault of Coupang Pay, but by any of the following:
• Negligence or acts or omissions of the customer, such as losing, letting others borrow or handing over an ID (email address), password, or medium used to access the service;
• Methods that cannot be prevented by the security controls required by the applicable laws or hacking and other technologies that are outside the control of Coupang Pay despite the security controls Coupang has undertaken.
It is also an obligation of Customers to keep their personal data up to date. Any issues that arise due to incorrect information provided by customers are the responsibility of customers themselves. Individuals who sign up with personal data stolen from others or make payments with stolen IDs may lose their Coupang Pay membership and face penalties pursuant to the applicable laws. Moreover, customers are responsible for keeping their ID and password secure and confidential and may not lend them or hand them over to a third party. They are also under an obligation to cooperate with activities regularly carried out by Coupang Pay to ensure security according to its privacy and security policies.
8. Installation/Operation of Automatic Information Collection Tool and How to Opt-out
(1) Cookie
A cookie is a very small text file sent to and stored in the hard disc of a user’s computer from a website’s server. It is up to Customers to accept or decline the installation of and collection by cookies. Refusal to store cookies, however, may restrict your access to some services.
(2) How to change cookie settings
A. Internet Explorer
Click the “Tools” icon in the upper right corner of the browser window. Select “Internet Option” and then go to “Personal Information” tab to change the settings.
B. Google Chrome
Click on the Settings icon in the upper right corner of the browser window. Select “Settings”, scroll to the bottom of the page, and press “Advanced”. Select “Site Settings” under Privacy and Security section and then select “Cookies and site data” to change the settings.
9. Measures to Protect Personal Data
Coupang Pay has implemented the following technical and administrative measures to protect Customers’ personal data from loss, theft, disclosure, alteration, or damage while processed:
(1) Minimization of personal data handlers and regular training on privacy protection
Coupang Pay restricts access to personal data to those who absolutely need to handle such information for business purposes. We conduct regular training sessions and campaigns on privacy protection and security for all employees who handle personal data. We also have an internal process in place to require all new hires to sign a non-disclosure agreement to prevent information disclosure caused by a human error and to audit the implementation of and employees’ compliance with Coupang Pay’s privacy policiesy. Personal data handlers’ job handover always takes place in a secure and reliable manner, and the responsibility of current and former employees for privacy-related incidents is clearly established.
(2) Restrictions on access to personal data processing systems and implementation of access control solutions
Coupang Pay takes measures to control access to personal data by granting, updating, or revoking access permissions to database systems that process such data. Also, we have intrusion prevention system in place to block unauthorized access from unauthorized parties.
(3) Encryption of personal data
Customers’ passwords are encrypted when stored and managed. All personal data are securely protected with a secure encryption algorithm when stored and managed.
(4) Anti-hacking measures
Coupang Pay has security solutions installed and regularly updates and inspects them in order to prevent intrusion into or damage to personal data through hacking, viruses, and other types of malware.
10. The Chief Privacy Officer and Staff Responsible for Privacy Inquiries
The Chief Privacy Officer (CPO) and the department responsible for handling privacy inquiries are designated as below to oversee all matters related to customer privacy and handle privacy-related complaints. Customers may make inquiries or raise complaints regarding privacy issues through the contact points below. Coupang Pay will promptly respond to and handle inquiries.
Chief Privacy Officer | Department Handling Privacy Complaints |
Name: Max Leveson Phone: 1577-7011 Email: help@coupang.com | Department: Coupang Customer Center Phone: 1577-7011 Email: help@coupang.com |
Customers who need to receive consultation on privacy matters or report a personal data breach may also contact the following authorities:
· Personal Data Breach Reporting Center: 118 (without area code) / privacy.kisa.or.kr
· Personal Information Dispute Mediation Committee: 1833-6972 / www.kopico.go.kr
· Cybercrime Investigation Team at the Supreme Prosecutors’ Office: 1301 (without area code) / www.spo.go.kr
· Cybercrime Investigation Team at the National Police Agency: 1821301 (without area code) / cyberbureau.police.go.kr
11. Obligation of Notification
This Privacy Notice takes effect from the effective date. Should there be an insertion, deletion or correction made to this Privacy Notice in accordance with applicable laws, regulations or policies, Customers will be notified by Coupang Pay at least 7 days before such change. Should there be grounds for a material change to Customer’s right to privacy such as personal data’s collection, use, or transfer to third parties, such change will be notified to Customers at least 14 days prior to its implementation.
Privacy Notice Version 1.4
Release Date: May 14, 2021
Effective Date: May 21, 2021