SmileMe Privacy Policy
Danal Entertainment Corporation (hereinafter referred to as "Company") has established and published the following Privacy Policy under Article 30 of the Personal Information Protection Act to protect data subjects’ personal information and to promptly and smoothly handle any related grievances.
This Privacy Policy will take effect from November 22, 2024.
Article 1 (Purposes of Processing Personal Information)
The Company processes personal information for the following purposes. The information being processed will not be used for any purpose other than those listed below, and in case of a change in usage purpose, the Company will take necessary measures such as obtaining separate consent under Article 18 of the Personal Information Protection Act
1. SmileMe Service Membership Registration and Management
Processing of personal information for purposes of confirming the intent to register, providing member-specific services, identification, and authentication, preventing duplicate registrations, maintaining and managing membership eligibility, preventing fraudulent use of services, preventing registration of children under the age of 14, various notifications and communications, and handling grievances. For international users, specific provisions apply
A. Preventing registration of children under 16 residing in the European Union.
B. Preventing registration of children under 13 living outside the European Union and Korea.
2. Handling of Civil Complaints
Processing personal information to verify the complainant’s identity, confirming the complaint’s details, contacting for investigation, and notifying the outcome.
3. Provision of Goods or Services
Processing personal information to deliver goods, provide services, send contracts and invoices, provide content, sell content that includes personal data of individual sellers, provide customized services, authenticate identity, verify age, process payment and settlement, and collect debts.
4. Marketing and Advertising Utilization
Processing personal information to develop new services (products) and providing customized services, providing opportunities for participation in events and promotional information, providing services and placing advertisements based on demographic characteristics, verifying the effectiveness of services, and gathering statistics on service usage and frequency of visits by members.
Article 2 (Processing and Retention Period of Personal Information)
① The Company processes and retains personal information within the period of retention and use of personal information stipulated by law or consented by the data subject at the time of collection.
② The specific personal information processing and retention periods are as follows
1. SmileMe Service Membership Registration and Management: Personal information is retained and used for the purpose mentioned from the date of consent using such information until two months after the termination of membership. In the following cases, personal information will be retained for the duration of the relevant reason:
1) Until the end of any ongoing investigation due to violations of related laws.
2) Until the settlement of any remaining claims or debts related to service use.
2. Personal information is retained and used for the purposes mentioned from the date of consent to the use of such information until two months after the termination of membership.
3. Provision of Goods or Services: Personal information is retained and used from the date of consent until the provision of goods/services is completed and charges are settled. In the following cases, it will be retained until the end of the specified period for the purpose mentioned
1) Records related to advertisement, performance of contracts, and transactions under the Act on Consumer Protection in Electronic Commerce, etc.
– Records on the collection, processing, and utilization of credit information: 3 years
– Records on consumer complaints or dispute resolution: 3 years
– Records on payment and supply of goods: 5 years
– Records on contracts or withdrawal of offers: 5 years
– Records on advertisement: 6 months
– However, transactions under 10,000 KRW are kept for 1 year, and transactions over 10,000 KRW for up to 5 years.
2) Storage of communication confirmation data under the Protection of Communications Secrets Act:
– Computer communication and internet log data, access tracing data: 3 months
3) Creation and Sale of Content Containing Facial Data
– Until the termination of the contract separately entered into with the Company by individual sellers who create and sell content containing facial data. If the contract specifies otherwise, it will be retained according to those terms.
4. Marketing and Advertisement Utilization: Personal information is retained and used for the purposes mentioned from the date of consent to its use until the withdrawal of membership or revocation of consent to receive promotional information.
Article 3 (Categories of Personal Information Processed)
① The Company processes the following categories of personal information.
1. SmileMe Service Membership Registration and Management: The Company supports various social logins to facilitate convenient membership registration and service use, processing personal information in this process. However, the types and methods of social logins supported for membership registration may vary by country.
1) When registering using a Naver ID
– Required Information: Naver account (email), mobile phone number, nickname
– Optional Information: None
2) When registering using a Google ID
– Required Information: Google account (email), mobile phone number, nickname
– Optional Information: None
3) When registering using a KakaoTalk ID
– Required Information: Kakao account (email), mobile phone number, nickname
– Optional Information: None
4) When registering using an Apple ID
– Required Information: Apple account (email), mobile phone number, nickname
– Optional Information: None
2. Handling Civil Complaints
– Required Information: Email
– Optional Information: None
3. Provision of Goods or Services
1) Use of specific filters and effects
– Required Information: Member facial recognition data, metadata, member photos (when using specific filters and effects)
– Optional Information: None
2) Creation and sale of content containing facial data
– Required Information: Name, Resident Registration Number, email, mobile phone number, account information, address
– Optional Information: Facial data in content generated by the service
3) Purchase of goods or services
– Required Information: Email, name, mobile phone number, address, payment method information
– Optional Information: None
4) When linking with affiliated platforms
– Required Information: Email, mobile phone number
– Optional Information: None
4. Marketing and Advertising Utilization
– Required Information: Email, mobile phone number
– Optional Information: None
5. The following personal information categories may be automatically collected during service usage.
– Mobile device information (OS, manufacturer, model name, UUID, etc.), service usage records, visit records, IP address, bad usage records, etc.
Article 4 (Processing of Facial Data in Content)
① The Company stores the content created by individual selling members on its servers. Facial data within the content is not separated and not stored individually. Content uploaded to the market through contracts with individual selling members is made available to other members for purchase. Members can buy and download the content to their SmileMe service, affiliated apps, or personal devices for private use.
② When a member uses specific filters and effects, the member's facial recognition data, metadata, and images are transmitted to the Company’s servers for use and processing. Information transmitted to the server is immediately deleted when the member stops using the specific filters and effects or if the application is terminated during use and not stored on the server.
Article 5 (Processing of Personal Information of Children Under 14)
① The Company does not collect personal information from children under 14. However, if personal information from children under 14 is collected, the legal guardian may withdraw consent for collecting, using, or providing the child's personal information and may request access to correcting errors in the child's personal information. Specific provisions apply to international users.
1. In cases when the personal information of a child under 16 residing in the European Union is collected.
2. In cases when the personal information of a child under 13 residing outside the European Union and South Korea is collected.
② If the legal guardian of a member who is a child under 14 requests access to the information or suspension of its processing by telephone or in writing, the Company will require documentation such as a power of attorney and a seal certificate, as well as copies of identification for both the requester and the representative, to verify whether the requester is the legitimate legal guardian.
Article 6 (Provisions on the Provision of Personal Information to Third Parties)
① The Company processes the personal information of data subjects only within the scope specified to process such information. It provides personal information to third parties only with the consent of the data subject or in cases specified under Articles 17 and 18 of the Personal Information Protection Act, such as special provisions of law. Apart from these cases, the Company does not provide personal information to third parties.
② For the smooth provision of services, the Company provides personal information to the extent necessary and only with the consent of the data subject in the following cases
|
Recipients |
Purpose of Provision |
Information Provided |
Retention and Usage Period of Personal Information |
|
Recipient: Physical Goods Sellers |
To facilitate smooth transactions between sellers and buyers, customer consultation and complaint handling, product delivery, and benefits associated with product purchases. |
Name, email, mobile phone number, address |
Until the purpose of using the personal information is achieved. |
|
Bimilri Co., Ltd. |
To verify the existence/match of account information for the provision of affiliated services. |
Email, mobile phone number |
Until the end of the affiliated contract or until service provision concludes. |
③ By the "Emergency Personal Information Processing and Protection Guidelines" jointly announced by government departments, in the event of emergencies such as disasters, infectious diseases, incidents causing imminent danger to life or physical health, or urgent property loss, the Company may provide personal information to relevant authorities without the consent of the data subject. For more details, please [click here]
Article 7 (Matters Relating to the Outsourcing of Personal Information Processing Tasks)
① The Company outsources personal information processing tasks to smoothly handle personal information.
|
Contractor |
Outsourced Tasks |
Retention and Usage Period of Personal Information |
|
Summers Platform Co., Ltd. |
Provision of delivery tracking services |
Until the end of the outsourced task or termination of the outsourcing contract |
|
Logivation Co., Ltd |
Provision of goods delivery and related logistics services |
|
|
Danal Co., Ltd. |
Payment processing (mobile phone payments, direct bank transfers, account transfers, credit cards, and other payment methods) and prevention of payment fraud |
② When entering into outsourcing contracts, the Company stipulates in the contract and other documents, in accordance with Article 26 of the Personal Information Protection Act, provisions that prevent the processing of personal information for purposes other than those of the outsourcing tasks, technical and administrative protection measures, restrictions on re-outsourcing, management and supervision of the contractors, and responsibilities related to compensation for damages. The Company also supervises to ensure that the contractors process personal information securely..
③ Should there be any changes to the content of the outsourced tasks or contractors, the Company will promptly disclose such changes through this Privacy Policy.
Article 8 (Procedures and Methods for Destruction of Personal Information)
① The Company will destroy personal information without delay when it is no longer necessary, such as when the retention period has expired or the purposes for processing have been achieved.
② If the retention period consented to by the data subject has expired or the purpose for processing has been achieved, but the personal information must still be preserved under other legal provisions, that personal information will be stored separately in a different database (DB) or storage location.
③ The procedures and methods for destroying personal information are as follows
1. Destruction Procedure
The Company selects the personal information that needs to be destroyed, obtains approval from the Company’s Personal Information Protection Officer, and then proceeds with the destruction.
2. Destruction Method
Electronic files are destroyed using methods that prevent the records from being reproduced. Printed personal information is destroyed either by shredding or incineration.
Article 9 (Measures Regarding the Destruction of Personal Information of Inactive Users)
① The Company will convert accounts that have not been used for five years into dormant accounts and store the personal information separately. This separately stored personal information will be destroyed without delay after being retained for five years.
② The Company notifies members who are scheduled to be dormant, 30 days prior to the dormancy, of the fact that their information will be stored separately, the scheduled date of dormancy, and the categories of personal information to be stored separately, using methods such as email or text messages that can reach the user.
③ If you do not wish to convert to a dormant account, you may log in to the service before the conversion to a dormant account. Moreover, even after an account has been converted to dormant, you can restore the dormant account and use the services normally, subject to your consent, by logging in.
Article 10 (ights and Obligations of Data Subjects and Legal Representatives and Methods of Exercising These Rights)
① Data subjects can exercise their rights to request access, correction, deletion, or suspension of processing of their personal information at any time.
② The exercise of the rights mentioned in the preceding paragraph can be made in writing, via email, or fax, in accordance with Article 41(1) of the Enforcement Decree of the Personal Information Protection Act, and the Company will respond to these requests without delay.
③ The exercise of the rights mentioned can be made through a legal representative or an agent authorized by the data subject. In this case, a power of attorney in accordance with the form No. 11 of the "Notice on the Methods of Processing Personal Information (No. 2020-7)" must be submitted.
④ Requests for access to and suspension of processing personal information may be restricted under Article 35(4) and Article 37(2) of the Personal Information Protection Act.
⑤ Requests for correction and deletion of personal information may not be made if the personal information is designated for collection under other laws.
⑥ When requests for access, correction, deletion, or suspension of processing are made, the Company will verify whether the requester is the data subject or a legitimate representative.
Article 11 (Measures to Ensure the Security of Personal Information)
The Company is implementing the following measures to ensure the security of personal information
1. Regular Self-Audit
The company conducts regular (quarterly) self-audits to ensure the security of personal information handling.
2. Minimization and Training of Personal Information Handlers
Designated employees handle personal information, and measures are implemented to minimize and manage personal information effectively.
3. Establishment and Implementation of Internal Management Plan
An internal management plan is established and implemented to ensure the secure processing of personal information.
4. Technical Measures Against Hacking
Security programs are installed to prevent leakage and damage of personal information due to hacking or computer viruses. These programs are regularly updated and checked, and the systems are installed in areas with restricted access and are technically and physically monitored and blocked.
5. Encryption of Personal Information
Users' personal information and passwords are encrypted, stored, and managed so that only the individual can know them. Important data is protected using encryption for files and transmission data or through the use of file locking functions.
6. Storage and Falsification Prevention of Access Records
Access records to the personal information processing system are stored and managed for at least one year. If personal information is added for more than 50,000 data subjects, or if unique identifiers or sensitive information is processed, it is stored and managed for more than two years. Security features are used to prevent tampering, theft, or loss of access records.
7. Restrictions on Access to Personal Information
Necessary measures are implemented for access control to the database systems processing personal information, through authorization, modification, and deletion of access rights. Intrusion prevention systems are used to control unauthorized access from outside.
8. Use of Locks for Document Security
Documents and auxiliary storage media containing personal information are stored in a secure location with locking devices.
9. Control of Access by Unauthorized Persons
Physical storage locations containing personal information are separately established, and access control procedures are established and operated.
Physical storage location of personal information: 3rd Floor, Seohyun Building, 326 Hwangsaeul-ro, Bundang-gu, Seongnam-si, Gyeonggi-do, Korea, Danal Entertainment Co., Ltd.
Article 12 (Installation, Operation, and Rejection of Devices that Automatically Collect Personal Information)
The Company does not use cookies that store and retrieve users' information on demand.
Article 13 (Collection, Use, Provision of Behavioral Information, and Rejection)
The Company does not collect, use, or provide behavioral information for purposes such as online tailored advertising.
Article 14 (Criteria for Additional Use and Provision of Information)
① The Company does not provide personal information to third parties without the user's separate consent or unless required by law. However, personal information may be provided to third parties within the necessary scope, after obtaining user consent, for the use of services by external partners.
② According to Article 15, Paragraph 3, and Article 17, Paragraph 4 of the Personal Information Protection Act, and as considered under Article 14-2 of the Act’s Enforcement Decree, the Company may use or provide personal information without the data subject's consent.
③ For additional use or provision without the consent of the data subject, the Company considers the following
1. Whether the purpose of additional use or provision is relevant to the original collection purpose.
2. Whether additional use or provision is predictable based on the circumstances of collection or processing practices.
3. Whether the additional use or provision unfairly infringes on the interests of the data subject.
4. Whether necessary measures such as anonymization or encryption have been taken to ensure safety.
Article 15 (Handling of Pseudonymized Information)
The Company does not process pseudonymized information.
Article 16 (Personal Information Protection Officer)
① The Company has appointed a Personal Information Protection Officer to oversee the processing of personal information and handle complaints and damage remedies related to personal information processing as follows
▶ Personal Information Protection Officer
– Name: You Yeop Lim
– Position: CEO
– Contact : 031-710-7027
※ Connected to the personal information protection department.
▶ Personal Information Protection Department
– Department: Business Operation Team, New Media Business Division
– Officer: Hyeri Kim
– Contact: 031-710-7027 / hyeree@danalenter.co.kr
② Data subjects may contact the Personal Information Protection Officer or department with any inquiries, complaints, or damage remedies related to the protection of personal information arising from the use of the Company’s services. The Company will respond to and address these inquiries without delay.
Article 17 (Department Receiving and Processing Requests for Access to Personal
Data subjects can request access to their personal information under Article 35 of the Personal Information Protection Act at the following department. The Company will endeavor to promptly process such requests.
▶ Department Receiving and Processing Access Requests
– Department: Business Operation Team, New Media Business Division
– Officer: Hyeri Kim
– Contact: 031-710-7027 / hyeree@danalenter.co.kr
Article 18 (Remedies for Infringement of Data Subject's Rights)
① Data subjects can apply for dispute resolution or consultation to the Personal Information Dispute Mediation Committee, the Personal Information Infringement Report Center of the Korea Internet & Security Agency, and other relevant institutions in case of personal information infringement. For other reports of personal information infringement and consultations, please contact the following institutions
1. Personal Information Dispute Mediation Committee : 1833-6972 (www.kopico.go.kr)
2. Personal Information Infringement Report Center : 118 (privacy.kisa.or.kr)
3. Supreme Prosecutors' Office : 1301 (www.spo.go.kr)
4. National Police Agency : 182 (ecrm.cyber.go.kr)
② The Company is committed to ensuring the self-determination rights of data subjects regarding their personal information and provides support for consultation and remedy in case of personal information infringement. If you need to report or consult, please contact the following department:
▶ Personal Information Protection Customer Consultation and Reporting
– Department: Business Operation Team, New Media Business Division
– Officer: Hyeri Kim
– Contact: 031-710-7027 / hyeree@danalenter.co.kr
③ Individuals whose rights or interests have been infringed upon due to actions or inaction by a public authority, under Articles 35 (Access to Personal Information), 36 (Correction and Deletion of Personal Information), and 37 (Suspension of Processing of Personal Information) of the Personal Information Protection Act, may request administrative review according to the Administrative Appeals Act.
▶ Central Administrative Appeals Commission : 110 (www.simpan.go.kr)
Article 19 (Special Provisions for Overseas Users)
① The following provisions do not apply to members residing outside South Korea
1. Information in Article 6 (Provisions on the Provision of Personal Information to Third Parties), Paragraph 2 regarding the provision of personal information to Bimilri Co., Ltd.
Article 20 (Changes to the Privacy Policy)
The previous privacy policies can be reviewed below