Coupang Pay Privacy Notice (V.1.6)
Coupang Pay Ltd. (“Coupang Pay” or “Us” or “We”) is committed to processing and managing personal data securely for the protection of data subjects’ freedom and rights in accordance with applicable data protection and privacy laws in the Republic of Korea, including the Personal Information Protection Act (PIPA). In accordance with Article 30 of the PIPA, We establish and share our Privacy Notice as follows to guide data subjects on the way their personal data is processed and its standards and to ensure that data protection and privacy complaints can be handled seamlessly and promptly.
1. Purpose of processing personal data, items to be collected, and period of retention and use
Coupang Pay processes data subjects’ personal data as follows:
(1) Purposes of processing personal data by category, items to be collected, and period of retention and use
|
Service |
Purpose of Provision |
Items to be collected |
Period of retention and use |
|
|
Customer sign-up, customer management and service |
Customer sign-up and personal verification |
ID(email), name, date of birth, gender, mobile phone number, password, nationality(Korean or other citizens), connecting information(CI), duplicate information(DI) |
Until 90 days after customer withdrawal · However, if you shall keep the data in accordance with applicable law or regulation, you may keep the data until the date stipulated in the law or regulation. |
|
|
Prevention of fraudulent use and observance of anti-money laundering requirements |
Individuals |
Nationality, address, (Under enhanced due diligence(EDD)) real name[(resident registration number, issuance date of resident registration certificate(Korean citizens), alien registration number, issuance date of alien registration certificate, international driver’s license, passport number, passport issuing country, passport validity(other citizens), resident registration abstract(minors)], occupation or type of business, purpose of transaction, source of funds |
||
|
Businesses |
Sole proprietorship: Real name(name, date of birth, date of birth, CI, bank account information), address, contact information, Corporation: Representative’s and owner’s name(s), date of birth, gender, nationality (Under enhanced due diligence(EDD)) resident registration number or alien registration number, occupation or type of business, purpose of transaction, source of funds |
|||
|
Management of browsing history and service usage history |
User ID, IP address, device information(OS type and version) |
|||
|
Detention of suspicious financial transactions |
Transaction details(transaction date, transaction amount), IP address, device information(OS type and version) |
Until six (6) months after customer withdrawal from Coupang and Coupang Pay |
||
|
Payment and refund |
Payment service(payment, cancellation, payment account registration, account holder verification), payment fraud prevention, processing and analysis of refunds |
Bank account for payment(bank name, account number, account holder’s name) credit card information(company name, virtual card number or masked card number), mobile phone information(carrier, number), bank account for refund(bank name, account number, account holder’s name), bank account for settlement(bank name, account number, account holder’s name) |
Until five (5) years after the end of commerce contract · However, if you shall keep the data in accordance with applicable law or regulation, you may keep the data until the date stipulated in the law or regulation. |
|
* The end of commerce contract refers to the day when the electronic financial transaction agreement ends between Coupang Pay and the user.
The following are the cases where data shall be kept in accordance with application law or regulation.
|
Retained Data |
Retention Period |
Relevant Statute |
|
Personal credit data |
5 years |
Article 20-2 of the Credit Information Use and Protection Act |
|
Customer due diligence data |
5 years |
Article 5-4 of the Act on Reporting and Using Specified Financial Transaction Information |
|
Records of computer communication, internet logs and access point tracking data |
3 months |
Article 15-2 of the Protection of Communications Secrets Act |
|
Records on electronic financial transactions |
5 years |
Article 22 of the Electronic Financial Transactions Act |
|
Records of handling consumer complaints or disputes |
3 years |
Article 6 of the Act on Consumer Protection in Electronic Commerce |
|
Records of contractions, subscription withdrawals, payments, supply of goods, etc. |
5 years |
|
|
Records of labeling and advertising |
6 months |
(2) Methods of collection
A. Personal data that Customers consent to collection upon sign-up or during the use of services and are entered by the Customers themselves or duly provided by Coupang Corp. (“Coupang”)
B. Personal data collected during customer support interactions via website, email, fax, or phone call
C. Personal data collected when Customers participate in online or offline promotional events
D. Data generated by log analysis tools including cookies
2. Provision of personal data to third parties
Coupang Pay processes the personal data of data subjects only to the extent specified in the “Purpose of processing personal data,” and will only provide personal data to third parties if it is subject to Articles 17 and 18 of the Personal Information Protection Act, such as data subjects’ consent and special provisions of the law. Otherwise, Coupang Pay does not provide data subjects’ personal data to third parties.
To provide services seamlessly, we provide data subjects’ personal data to the minimum extent with their prior consent to third parties in the following cases:
(1) Registration of and payment by credit card
|
Recipient |
Purpose of Provision |
Data Provided |
Period of Retention and Use |
|
Credit card companies, including KB Kookmin Card, BC Card, Lotte Card, Samsung Card, NH Nonghyup Card, Hyundai Card, Shinhan Card, Hana Card, Woori Card, Citi Card |
Payment processing, prevention of payment fraud, identification and name verification for registration of mobile payment service |
Credit card company name, date of birth, CI |
Until the end of the transaction period stipulated in the credit card issuance contract |
(2) Registration of and payment by bank account
|
Recipient |
Purpose of Provision |
Data Provided |
Period of Retention and Use |
|
Banks where Customers’ bank account is opened, including KB Kookmin Bank, Woori Bank, Shinhan Bank, Industrial Bank of Korea, NH Nonghyup, Kyongnam Bank, Kwangju Bank, Daegu Bank, Busan Bank, Korea Development Bank, Suhyup Bank, National Credit Union Federation of Korea, Korean Federation of Community Credit Cooperatives, Citi Bank, Korea Post, Jeonbuk Bank, Jeju Bank, SC Bank, KEB Hana Bank, Toss Bank |
Payment processing, prevention of payment fraud, identification and name verification for provision of service, checking or redeeming reward points |
Bank account number, name, date of birth |
Until the end of the transaction period stipulated in the bank account issuance contract |
(3) Open Banking
|
Recipient |
Purpose of Provision |
Data Provided |
Period of Retention and Use |
|
Korea Financial Telecommunications & Clearings Institute |
Processing of debit transfer, confirmation of withdrawal agreement, registration of debit transfer, notification of withdrawal |
Name, mobile phone number, date of birth, financial company name and account number, CI |
Until the end of the mandatory storage period set by the Korea Financial Telecommunications and Clearings Institute |
(4) Open Banking
|
Recipient |
Purpose of Provision |
Data Provided |
Period of Retention and Use |
|
KEB Hana Card, WOORICARD, KB Kookmin Card Corp. |
Identification for point tracking and conversion |
Connecting information (CI) |
Until the data subject in question is identified |
(5) Personal credit information
|
Recipient |
Purpose of Provision |
Data Provided |
Period of Retention and Use |
|
Coupang Corp. |
Evaluated credit worthiness, credit-related model development and (statistics) analysis, provide customized service; and maintain and provide follow-up management of this contract and the ones before. |
Date of service subscription, type and number of payment methods registered by the user, CouPay/ Coupang cash usage history |
Until customer withdrawal from Coupang |
3. Consignment of personal data processing
(1) Coupang Pay delegates the processing of personal data to third parties as follow to process it seamlessly.
|
Consignee |
Purpose of Consignment |
|
Coupang Corp. |
System development and operation, service operation, customer service and management |
|
NHN KCP Corp., Nice I&T, Danal Co., Ltd., KG Mobilians, Korea Information Communication Corp., Galaxia Communications Co., Ltd., Settlebank. Inc., NICE Payments |
Authentication of payment methods and processing of payment (bank transfer, credit card, mobile payment, virtual account (including creation/management), deposit without bankbook, and other payment methods; verification of account for refund), cash receipt issuance |
|
Korea Mobile Certification Inc., Korea Credit Bureau, ThinkAT, Inbiznet Co., Ltd. |
Identity verification, ARS authentication for obtaining consent to debit transfer |
|
Amazon Web Services Inc. |
Processing of personal data in the Cloud infrastructure |
(2) When entering into a consignment contract, Coupang Pay specifies responsibilities, such as prohibition of processing personal data for purposes other than consignment purposes, technical and administrative safeguards, restrictions on reconsignment, management and supervision of consignees, and damages, in the documents such as contracts and supervise the safe handling of personal information by the consignee in accordance with Article 26 of the Personal Information Protection Act.
(3) If the scope of consignment or the list of consignees is updated, we will disclose it in this Privacy Notice without delay.
4. Personal data destruction procedures and methods
(1) Coupang Pay destroys personal data without delay when it becomes unnecessary, including when the retention period expires or the purpose of processing it is achieved.
(2) If personal data must be retained in accordance with applicable laws and regulations even though the retention period data subjects consent to has expired or the purpose of processing it has been achieved, the personal data shall be transferred to a separate database (DB) or stored in a different location.
(3) The procedures and methods for destroying personal data are as follows:
A. Procedures
Coupang Pay selects personal data that has a ground for destruction and destroys it safely in accordance with Coupang Pay’s internal policy
B. Methods
Personal data printed on paper is shredded or incinerated. Personal data in the form of electronic files is destroyed using technical or physical methods in a way that it becomes irreversible
5. Destruction of personal data of non-users
(1) Coupang Pay destroys the personal data of customers who have not used Coupang Pay’s services for over one year. However, the personal data of customers who have Coupay Money is stored separately.
(2) Coupang Pay sends customers a 30-day prior notice before destroying their data and notifies them of the date of deletion and the items to be deleted by email.
(3) Customers can prevent their personal data from being destroyed by using Coupang Pay’s services before the date of deletion.
6. Rights and obligations of data subjects and legal representatives and how to exercise them
(1) Data subjects have right to view, correct, delete or request to stop processing their personal data in Coupang Pay.
(2) Customers can exercise their rights in writing, or by email or fax in accordance with Article 41-1 of the Enforcement Decree of the Personal Information Protection Act, and Coupang Pay will take action accordingly without delay.
(3) The rights may be exercised by a data subject’s legal representative or a delegated person. In this case, a proxy form in accordance with the form in Addendum 11 of the “Public Notice of Personal Information Processing Methods (No. 2020-7)”.
(4) A request to stop viewing and processing personal data may limit the rights of data subjects under Article 35-4 and Article 37-2 of the Personal Information Protection Act.
(5) For a request to edit or delete personal data, customers may not request the deletion of their personal data if it is specified as an item to be collected in applicable laws and regulations,
(6) Coupang Pay may verify the identity of a data subject or the data subject’s legitimate delegated person requesting to view, edit, delete, or stop processing personal data.
7. Measures to ensure safety of personal data
To ensure the safety of personal data, Coupang Pay takes the following measures:
(1) Administrative measures: Establish and implement internal management plan, run a dedicated organization, and train employees regularly
(2) Technical measures: Control access rights to personal data processing system, etc, install access control system, encrypt personal data, install and update security software
(3) Physical measures: Access control to server rooms
8. Installation and operation of automatic personal data collection tools and how to opt-out
(1) Cookie
A cookie is a very small text file sent to and stored in the hard disc of a user’s computer from a website’s server. It is up to Customers to accept or decline the installation of and collection by cookies. Refusal to store cookies, however, may restrict your access to some services.
(2) How to change cookie settings
A. Internet Explorer
Click the “Tools” icon in the upper right corner of the browser window. Select “Internet Option” and then go to “Personal Information” tab to change the settings.
B. Google Chrome
Click on the Settings icon in the upper right corner of the browser window. Select “Settings”, scroll to the bottom of the page, and press “Advanced”. Select “Site Settings” under Privacy and Security section and then select “Cookies and site data” to change the settings.
(1) To supervise works related to processing personal data, address data subjects’ complaints and provide remedies for personal data infringement, Coupang Pay has a Chief Privacy Officer and a dedicated department as follows:
|
Chief Privacy Officer |
|
Name: Jaeho Lee Phone: 1577-7011 Email: privacy@coupangpay.com |
(2) Data subjects may make all personal data protection inquiries, including complaints and remedies, to the CPO or the department handling privacy complaints. Coupang Pay will respond to data subjects’ inquiries without delay.
10. Department handling requests to view personal data
Data subjects may request to view their personal data to the following department. Coupang Pay will endeavor to handle data subjects’ requests to view their personal data promptly.
|
Department handling privacy complaints |
|
Department: Coupang Pay Customer Center Phone: 1577-7011 Email: privacy@coupangpay.com |
11. Remedies for infringement on the rights and interests of data subjects
(1) For remedies for personal date infringement, date subjects can reach out to the Personal Information Dispute Mediation Committee, KISA’s Personal Information Infringement Report Center, and others. Please contact the following agencies for reporting or counseling on personal data infringements.
· Personal Information Infringement Report Center (without local number) 118 / privacy.kisa.or.kr
· Personal Information Dispute Mediation Committee 1833-6972 / www.kopico.go.kr
· Supreme Prosecutors' Office, Cyber Investigation Division (without local number) 1301 / www.spo.go.kr
· Korea National Police Agency, Cyber Bureau (without local number) 182 / cyberbureau.police.go.kr
(2) Coupang Pay is committed to guaranteeing data subjects’ right to self-determination on personal data and providing counseling and damage relief for personal infringement. If you need to report an infringement case or need counseling, please reach out to Coupang Pay’s department handling privacy complaints.
This Privacy Notice will be effective from April 13, 2022.
Click the drop-down to find the older versions of Privacy Notice.