LEGAL
Privacy Policy
Effective Date: August 1, 2025
Code Co., Ltd. (hereinafter referred to as "the Company") places great importance on protecting the freedom and rights of customers regarding their personal information. The Company complies with the 'Personal Information Protection Act' and relevant administrative guidelines, and has established a personal information processing policy based on applicable laws to securely manage the personal information of data subjects.
This Privacy Policy explains the processing of information collected by the Company providing this policy. The Company acts as the Controller of information collected in the course of providing services.
This Privacy Policy explains how the Company uses the personal information provided by users, the purposes for which it is used, and the measures taken to protect personal information.
1. Information Processed and Methods of Processing
① Types of Personal Information Processed The personal information collected by the Company includes the following: The Company may collect information provided directly by the user. In addition to information directly provided by the user, the Company may also collect information during the user's use of its services.
| Category | Items of Personal Information Being Collected |
|---|---|
| Due Diligence | [Corporate Information]<br>Company Name, Business Registration Number, Corporate Registration Number, Unique Identifier, Business Address, Establishment Date, Company Contact Information, Company Email, Representative Information (Name, Nationality, Date of Birth, Passport Number or ID Copy), Director and Shareholder Information (Name, Date of Birth, Nationality, Shareholding Percentage)<br><br>[Beneficial Owner Information]<br>Name, Nationality, Date of Birth, Passport or ID Copy, Shareholding Percentage |
| Dashboard Signup and Contact Verification | [Personal Information]<br>Name, Email Address, Phone Number |
| Service Usage | Service Usage Records, Suspension and Termination Records, Access Logs, Cookies, Records of Abnormal or Improper Usage, User Access Information (IP Address, Visit Date and Time, Device Information, Browser, Country) |
② Collection Methods The Company collects user information through the following methods:
- Webpages, Written Forms, Fax, Telephone, Email, Generated Information Collection Tools, etc.
2. Processing of Personal Information
① The Company uses the information collected from users for the following purposes:
- Member management and identity verification
- Detection and prevention of unauthorized service use or fraudulent activity
- Execution of contracts related to the provision of services requested by users, including payment and billing
- Use based on prior user consent, such as providing information for due diligence by other VASPs
- Notification of changes to the Company's website, services, or policies
- Compliance with applicable laws and legal obligations ② If the Company intends to use the information for purposes other than those specified in this Privacy Policy, the Company will first notify the user and obtain the user's consent before doing so.
3. Delegation of Personal Information Processing
① The Company delegates the processing of personal information to external specialized service providers, as listed below, to facilitate specific services. Delegation is only conducted when necessary for the implementation of each service.
② When the Company delegates the processing of personal information, it ensures the safety of personal information protection by clearly stipulating adherence to privacy instructions, confidentiality of personal information, prohibition of provision to third parties, liability in case of incidents, delegation period, and return or destruction of personal information after the termination of processing. The Company also supervises the entrusted service providers to ensure the secure handling of personal information.
③ The Company entrusts personal information processing tasks as follows:
| Name of Entrusted Service Provider | Description of Delegated Tasks (Services) | Retention Period |
|---|---|---|
| Amazon Web Services, Inc. | Data Storage and Service Operation for Service Provision | Until membership withdrawal or termination of the outsourcing contract, or as required by law. |
4. Provision of Personal Information to Third Parties
① The Company does not disclose users' personal information to third parties, except in the following cases:
- When the user gives prior consent
- When sharing personal information with a specific member company for due diligence
- In other cases where prior consent has been given by the user
- When required by law
- When disclosure is required under applicable laws
- When a law enforcement agency requests information for investigation purposes, in accordance with legal procedures and methods ② The Company provides the following personal information to third parties with the user's prior consent.
| Recipient | Purpose of Use | Provided Information | Retention and Usage Period |
|---|---|---|---|
| LSEG<br>(World-Check) | Customer Identification | Name, Date of Birth, Gender, Nationality | Until the purpose is achieved or as required by law |
| ③ The Company's website, products, and services may contain links to third-party websites, products, and services. The privacy policies of the third-party sites may differ from those of the Company. Users are advised to review the privacy policies of any linked third-party sites independently. |
5. Transfer of Personal Information Overseas
① Operating globally, the Company may provide users' personal information to its affiliates or third parties located in other countries for the purposes outlined in this Privacy Policy. The Company will take appropriate measures to ensure the protection of personal information, regardless of where it is transferred, stored, or processed.
② The Company may provide the following personal information to third parties with the user's prior consent.
| Recipient | Country of Transfer, Contact Information | Purpose of Use | Date and Method of Provision | Retention and Usage Period |
|---|---|---|---|---|
| LSEG <br>(World-Check) | United Kingdom<br>(Contact Info) | Customer Identification for Corporate Members (Due Diligence) in Service Use | Accessed through Web Services | Destroyed after the purpose of use is achieved |
| ③ (Applicable for US Use) When using or disclosing personal information obtained from the European Union or Switzerland, the Company complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, uses Standard Contractual Clauses approved by the European Commission, or implements other EU-compliant safeguards, including obtaining the user's consent when necessary. |
6. Retention and Usage Period of Personal Information
① The Company will destroy users' personal information once the purpose of collection and use has been fulfilled, any legal or business necessity for retaining the information has been resolved, or upon the user's request. However, if retention is mandated by applicable laws, the Company will retain member information for a specified period as defined by the relevant laws. The following information will be retained in accordance with the applicable laws:
- Records related to contracts or withdrawal of offers: 5 years (in accordance with the Act on Consumer Protection in Electronic Commerce)
- Records related to payment and supply of goods: 5 years (in accordance with the Act on Consumer Protection in Electronic Commerce)
- Records related to consumer complaints or dispute resolution: 3 years (in accordance with the Act on Consumer Protection in Electronic Commerce)
- Records on the collection, processing, and use of credit information: 3 years (in accordance with the Act on the Use and Protection of Credit Information)
- Records on labeling/advertising: 6 months (in accordance with the Act on Consumer Protection in Electronic Commerce)
- User internet log records/user access tracking data: 3 months (in accordance with the Protection of Communications Secrets Act)
- Other communication confirmation data: 12 months (in accordance with the Protection of Communications Secrets Act)
7. Procedures and Methods for Destruction of Personal Information
① The Company, in principle, destroys personal information once the purpose of its collection and use has been fulfilled. ② However, information that must be retained under applicable laws will be stored for the duration specified by those laws and subsequently destroyed. During this period, any personal information stored separately will not be used for purposes other than those specified by the law. ③ The methods of destruction of personal information are as follows: Personal information recorded on paper is shredded or incinerated, while personal information stored electronically is deleted using technical methods that make recovery impossible.
8. Measures to Ensure the Security of Personal Information
① The Company places a high priority on the security of users' personal information. To prevent unauthorized access, disclosure, use, and modification of users' personal information, and to protect personal information from loss, theft, leakage, alteration, or damage, the Company has implemented the following technical, managerial, and physical measures to ensure security.
| Category | Measures |
|---|---|
| Technical Measures | ∘ Use of secure encryption algorithms for transmitting personal information over the network.<br>∘ Encryption of sensitive information using secure encryption algorithms..<br>∘ Installation and operation of antivirus software..<br>∘ Installation and operation of access control devices..<br>∘ Establishment and implementation of internal management plans.<br>∘ Encryption of personal information subject to encryption, using secure encryption algorithms for safe storage and management. |
| Managerial Measures | ∘ Designation of a Personal Information Protection Officer.<br>∘ Training of personal information handlers.<br>∘ Establishment and implementation of internal management plans.<br>∘ Establishment of password creation rules to make passwords difficult to guess.<br>∘ Secure storage of access records for personal information processing systems.<br>∘ Differentiation of access rights to personal information processing systems. |
| Physical Measures | ∘ Establishment and implementation of procedures for controlling access to facilities that store personal information.<br>∘ Storing documents or auxiliary storage media containing personal information in a secure location with a locking mechanism. |
9. Rights of Users
① Users or their legal representatives, as the data subjects, have the following rights regarding the collection, use, and sharing of their personal information by the Company:
- Access to personal information
- Correction or deletion of personal information
- Temporary suspension of personal information processing
- Withdrawal of previously provided consent
② To exercise these rights, users may contact the Company (or the Personal Information Management Officer or representative) by written request, telephone, or email, and the Company will take action without delay. However, the Company may refuse such requests only for valid reasons as specified by law or for equivalent reasons.
10. Department Responsible for Handling Personal Information Requests
① For any questions regarding this policy or to update your information held by the Company, please contact the Company using the information below:
- Company Name: Code Co., Ltd.
- Address: 12F, SH Tower, 331 Bongeunsa-ro, Gangnam-gu, Seoul, Republic of Korea
- Phone: +82-2-6406-8447
- Email: partnership@codevasp.com
② The DPO(Data Protection Officer) of the Company is as follows:
- Name: HWANG DONGHYUN
- Department: Development Team
- Contact: partnership@codevasp.com
11. Responsibility for Linked Sites
① The Company may provide links that direct members to external websites. In such cases, the Company does not have control over the external sites and is not responsible for the services, legality, usefulness, or accuracy provided by these external sites. Additionally, the privacy policies of the linked external sites are independent of the Company. Therefore, users are advised to review the policies of the respective external sites.
12. Changes to the Privacy Policy
① The Company may provide links that direct members to external websites. ②In such cases, the Company does not have control over the external sites and is not responsible for the services, legality, usefulness, or accuracy provided by these external sites. Additionally, the privacy policies of the linked external sites are independent of the Company. Therefore, users are advised to review the policies of the respective external sites.
Supplementary Provisions
These terms shall take effect from November 20, 2024.
Appendix: GDPR Application
① In accordance with the GDPR, the Company processes users' personal information lawfully only under the following circumstances:
- When the user has consented to the processing of their personal information
- When processing is necessary for the performance of a contract to which the user is a party, or in order to take steps at the user's request prior to entering into a contract
- For member management and identity verification
- For the performance of contracts related to services requested by the user, including payment and billing
- When processing is necessary for compliance with a legal obligation applicable to the Company
- Compliance with laws, regulations, legal processes, and government requests
- When processing is necessary to protect the vital interests of the user or another natural person
- Detection, prevention, and response to fraud, abuse, security risks, or technical issues that may harm the user or other natural persons
- When processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company
- When processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the user, particularly where the user is a child and requires special protection of personal information)
② In accordance with the GDPR, users or their legal representatives, as data subjects, have the following rights regarding the collection, use, and sharing of their personal information by the Company:
- Right of Access to Personal Information
- Users or their legal representatives may access the information and request verification of records relating to the collection, use, and sharing of the information, as permitted by applicable law.
- Right to Rectification
- Users or their legal representatives may request corrections of inaccurate or incomplete information.
- Right to Erasure ("Right to be Forgotten")
- Users or their legal representatives may request the deletion of information when the purpose has been achieved, consent has been withdrawn, or under other relevant circumstances.
- Right to Restrict Processing
- Users or their legal representatives may request a restriction on information processing in cases where there is a dispute over the accuracy or lawfulness of processing, or where information needs to be preserved.
- Right to Data Portability
- Users or their legal representatives may request the provision or transfer of their information.
- Right to Object
- Users or their legal representatives may request to stop the processing of their information for purposes such as direct marketing, legitimate interest, the performance of a public task, or for research and statistical purposes.
- Right to Object to Automated Individual Decision-Making, Including Profiling
- Users or their legal representatives may request to stop automated processing, including profiling, that produces legal effects or significantly affects them.
③ To exercise these rights, users may contact the Company (or the Personal Information Management Officer or representative) by written request, telephone, or email, and the Company will take action without delay. However, the Company may refuse such requests only for valid reasons as specified by law or for equivalent reasons.