Privacy Policy
KALDI COFFEE LAB INC. (hereinafter referred to as the "Company") establishes and discloses the following Privacy Policy to protect users' personal information and to promptly and smoothly handle related grievances in accordance with the Personal Information Protection Act and other applicable laws and regulations.
1. Categories and Methods of Personal Information Collection
A. Categories of Personal Information Collected
| Category | Items Collected | Purpose of Collection |
|---|---|---|
| Sign-up (Social Login) | Email address, nickname (name), profile image URL, social service unique identifier | Member identification, registration, and service provision |
| Order/Payment (Members) | Recipient name, phone number, shipping address (postal code, street address, detailed address), email address, delivery notes | Order processing, goods delivery, payment processing |
| Order/Payment (Non-members) | Orderer name, email address, phone number, order inquiry password, recipient name, phone number, shipping address, delivery notes | Non-member order processing and order inquiry |
| Boards/Reviews | Author information (member ID or non-member name), email address, post content | Board service provision, inquiry handling |
| Automatically Collected | IP address, cookies, visit date and time, service usage records, access logs | Service usage statistics, prevention of fraudulent use |
B. Methods of Collection
- Provided by social login services (Google, Naver, Kakao) upon sign-up
- Directly entered by users during service use, such as filling out order forms and using boards
- Automatically generated and collected during service use
2. Purposes of Processing Personal Information
The Company processes personal information for the following purposes. The personal information being processed shall not be used for purposes other than those stated below. If the purpose of use changes, the Company will take necessary measures such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.
- Member Registration and Management: Identity verification and authentication for membership services, maintenance and management of membership, prevention of fraudulent use of services, various notifications and notices
- Provision of Goods or Services: Delivery of goods (domestic/international), service provision, payment and settlement, order confirmation and shipping status notification emails
- Grievance Handling: Verification of complainant identity, confirmation of complaints, contact and notification for fact-finding, notification of processing results
3. Processing and Retention Period of Personal Information
The Company processes and retains personal information within the retention and use period prescribed by law or within the retention and use period agreed upon by the data subject at the time of collection.
A. Retention Under Company Internal Policies
| Items Retained | Retention Period | Basis for Retention |
|---|---|---|
| Member information (email, nickname, profile image, etc.) | Destroyed immediately upon membership withdrawal | Member consent |
| Non-member order information | Until the end of the retention period prescribed by applicable laws after order completion | Act on the Consumer Protection in Electronic Commerce, etc. |
B. Retention Under Applicable Laws
| Items Retained | Retention Period | Applicable Law |
|---|---|---|
| Records of contracts or withdrawal of offers | 5 years | Act on the Consumer Protection in Electronic Commerce, etc. |
| Records of payment and supply of goods, etc. | 5 years | Act on the Consumer Protection in Electronic Commerce, etc. |
| Records of consumer complaints or dispute resolution | 3 years | Act on the Consumer Protection in Electronic Commerce, etc. |
| Records of labeling/advertising | 6 months | Act on the Consumer Protection in Electronic Commerce, etc. |
| Records of website visits | 3 months | Protection of Communications Secrets Act |
4. Provision of Personal Information to Third Parties
As a general rule, the Company does not provide users' personal information to external parties. However, exceptions are made in the following cases:
- When prior consent has been obtained from the user
- When required by the provisions of laws and regulations, or when there is a request from an investigative agency following the procedures and methods prescribed by law for the purpose of investigation
| Recipient | Purpose of Provision | Items Provided | Retention and Use Period |
|---|---|---|---|
| KG Inicis | Payment processing (domestic) | Order number, payment amount, payment method information | In accordance with the recipient's policy |
| PayPal | Payment processing (international) | Order number, payment amount, payment method information | In accordance with the recipient's policy |
| Logen Logistics, Daesin Logistics | Goods delivery (domestic) | Recipient name, address, contact number | In accordance with the recipient's policy |
| UPS | Goods delivery (international) | Recipient name, email, address, contact number, country code | In accordance with the recipient's policy |
5. Entrustment of Personal Information Processing
The Company entrusts personal information processing as follows for the smooth provision of services.
| Entrusted Party | Entrusted Tasks |
|---|---|
| KG Inicis | Electronic payment processing (domestic) |
| PayPal | Electronic payment processing (international) |
| Logen Logistics, Daesin Logistics | Goods delivery (domestic) |
| UPS | Goods delivery (international) |
When entering into entrustment contracts, the Company specifies in the contract documents matters concerning the prohibition of processing personal information beyond the scope of the entrusted tasks, technical and managerial safeguards, restrictions on re-entrustment, supervision and oversight of the entrusted party, and liability including compensation for damages, in accordance with Article 26 of the Personal Information Protection Act. The Company also supervises whether the entrusted party processes personal information securely.
6. Cross-border Transfer of Personal Information
The Company provides personal information to third parties overseas as follows for the provision of services.
| Recipient | Country | Items Transferred | Purpose of Transfer | Method of Transfer | Retention/Use Period |
|---|---|---|---|---|---|
| United Parcel Service, Inc. | United States | Recipient name, address, contact number, email | International shipping processing | Transmission via network | In accordance with the recipient's policy |
| PayPal Pte. Ltd. | United States (Singapore) | Order number, payment amount, payment method information | International payment processing | Transmission via network | In accordance with the recipient's policy |
| Google LLC | United States | Social unique identifier, email, nickname, profile image | Social login (member authentication) | OAuth 2.0 protocol | Until membership withdrawal |
The Company takes protective measures in accordance with Article 28-8 of the Personal Information Protection Act when transferring personal information overseas.
7. Rights, Obligations, and Methods of Exercise for Data Subjects and Legal Representatives
- Data subjects may exercise the right to request access to, correction of, deletion of, or suspension of processing of their personal information held by the Company at any time.
- The exercise of rights under Paragraph 1 may be made to the Company in writing or by email (info@kaldi.co.kr) in accordance with Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act. The Company will take action without delay.
- The exercise of rights under Paragraph 1 may also be made through a legal representative or an authorized agent. In such cases, a power of attorney in the form prescribed by Attached Form No. 11 of the "Public Notice on Methods of Processing Personal Information" must be submitted.
- The rights of data subjects to request access to and suspension of processing of personal information may be restricted in accordance with Article 35, Paragraph 4 and Article 37, Paragraph 2 of the Personal Information Protection Act.
- A request for correction or deletion of personal information cannot be made if the personal information is specified as a subject of collection under other laws and regulations.
- When data subject rights are exercised, the Company verifies whether the person requesting access, correction, deletion, or suspension of processing is the data subject or a legitimate representative.
- If you wish to withdraw your membership, you may do so directly from the My Page section of the website. Upon withdrawal, the member's personal information will be destroyed immediately. However, information that is required to be retained under applicable laws will be retained for the prescribed period before destruction.
8. Procedures and Methods for Destruction of Personal Information
The Company destroys personal information without delay when the retention period has expired, the purpose of processing has been achieved, or the personal information is otherwise no longer necessary.
A. Destruction Procedures
Information entered by users is transferred to a separate database (or separate documents in the case of paper records) after the purpose has been achieved, and is stored for a certain period in accordance with internal policies and other applicable laws before being destroyed, or is destroyed immediately. Personal information transferred to a separate database will not be used for any other purpose unless required by law.
B. Destruction Methods
- Information in electronic file format is destroyed using technical methods that render the records unrecoverable.
- Personal information printed on paper is destroyed by shredding or incineration.
9. Installation, Operation, and Rejection of Cookies
A. Purposes of Cookie Use
The Company uses the following cookies to provide appropriate services to users.
| Cookie Name | Purpose | Type |
|---|---|---|
| JSESSIONID | Session management, including maintaining login status | Essential (Session Cookie) |
| XSRF-TOKEN | Security token for preventing CSRF (Cross-Site Request Forgery) attacks | Essential (Security Cookie) |
B. Installation, Operation, and Rejection of Cookies
Users have the right to choose whether to install cookies. Therefore, users may allow all cookies, require confirmation each time a cookie is stored, or refuse the storage of all cookies by configuring the options in their web browser.
However, if the storage of cookies is refused, some services that require login may be difficult to use.
How to Change Cookie Settings
- Chrome: Settings > Privacy and Security > Cookies and Other Site Data
- Safari: Preferences > Privacy
- Firefox: Settings > Privacy & Security > Cookies and Site Data
- Edge: Settings > Cookies and Site Permissions > Manage and Delete Cookies and Site Data
10. Measures to Ensure the Security of Personal Information
The Company takes the following measures to ensure the security of personal information.
- Administrative Measures: Establishment and implementation of internal management plans, regular employee training
- Technical Measures: Management of access rights to personal information processing systems, installation of access control systems, encryption of unique identification information (one-way BCrypt hashing of non-member order passwords), SSL/TLS encrypted communication, installation and updating of security software
- Physical Measures: Access control for server rooms, document storage facilities, and similar areas
11. Privacy Officer
The Company designates the following Privacy Officer to take overall responsibility for the processing of personal information and to handle complaints and remedy damages related to the processing of personal information on behalf of data subjects.
| Category | Privacy Officer |
|---|---|
| Name | Hong Hyunpyo |
| Position | CEO |
| Contact | 070-8736-9336 |
| Email | info@kaldi.co.kr |
Users may direct all inquiries, complaints, and requests for remedy related to personal information protection arising from the use of the Company's services to the Privacy Officer. The Company will respond to and process users' inquiries without delay.
12. Remedies for Infringement of Rights
Data subjects may apply for dispute resolution, consultation, or other assistance from the following organizations to seek remedy for personal information infringement.
- Personal Information Dispute Mediation Committee (KOPICO): 1833-6972 (www.kopico.go.kr)
- Personal Information Infringement Report Center (KISA): 118 (privacy.kisa.or.kr)
- Supreme Prosecutors' Office: 1301 (www.spo.go.kr)
- National Police Agency: 182 (ecrm.cyber.go.kr)
13. Changes to This Privacy Policy
This Privacy Policy is effective from the enforcement date. In the event of additions, deletions, or corrections to the policy in accordance with laws and regulations, the Company will provide notice through announcements at least 7 days prior to the enforcement of such changes.
Announcement Date: March 25, 2026
Enforcement Date: March 25, 2026