The purposes for which the Company processes personal information are as follows. All information provided by users is used solely for the purposes necessary to achieve the objectives stated below, and any personal information required for the use of services is handled in accordance with the Personal Information Protection Act.

① The Company collects only the minimum personal information necessary, and all collected information is used solely within the scope of the notified purposes.

② The Company processes personal information without separate user consent in the following cases:

③ The Company also processes personal information with the user’s consent as follows:

① The Company processes users’ personal information only within the scope specified in the purposes of processing personal information. Personal information is provided to third parties only in cases where user consent has been obtained, or where it is permitted by special provisions of law in accordance with Articles 17 and 18 of the Personal Information Protection Act. The Company does not provide personal information to third parties in any other cases.

② For smooth service provision, the Company may, in the following cases, provide personal information to third parties within the minimum necessary scope, with the user’s consent, pursuant to Article 17 (1) 1 of the Personal Information Protection Act.

① To ensure smooth processing of personal information, the Company entrusts the following tasks to third-party service providers:

② When entering into outsourcing contracts, the Company specifies in the agreement or related documents, in accordance with Article 26 of the Personal Information Protection Act, matters concerning the prohibition of processing personal information for purposes other than those entrusted, the implementation of technical and managerial protective measures, restrictions on subcontracting, management and supervision of the entrusted parties, and liability for damages. The Company also supervises entrusted parties to ensure that personal information is handled securely.

③ In accordance with Article 26 (6) of the Personal Information Protection Act, when an entrusted party further outsources the Company’s personal information processing services, the Company grants prior approval, and the details of the subcontractors and subcontracted services are disclosed through this Privacy Policy.

④ In the event of any change to the details of entrusted services or entrusted parties, the Company will promptly disclose such changes through this Privacy Policy.

① To provide product payment services, the Company transfers personal information overseas as follows. Users may refuse the overseas transfer of personal information by opting not to use the global payment service; however, in such cases, the use of services that necessarily involve overseas transfer of personal information may be restricted.

② The Company’s entrusted party, Argos, transfers personal information overseas as follows. The overseas transfer of personal information is essential for the operation of the identity verification service prior to ticket reservation, and users who do not consent to the transfer may be restricted from using the reservation service.

① In accordance with Article 15 (3) or Article 17 (4) of the Personal Information Protection Act, the Company may use or provide personal information additionally without obtaining the user’s consent. In such cases, the Company will consider the following matters to determine whether additional use or provision of personal information without the data subject’s consent is permissible:

1. Whether the additional use or provision is related to the original purpose of collection

2. Whether the additional use or provision could have been reasonably anticipated in light of the circumstances under which the personal information was collected or the customary practices of processing

3. Whether the additional use or provision would unfairly infringe upon the interests of the user

4. Whether necessary safety measures, such as pseudonymization or encryption, have been implemented

② If additional use or provision of personal information continues to occur on an ongoing basis, the Company will publicly disclose the criteria used for determining each of the matters set forth in Paragraph 1 above and will verify compliance with those criteria.

① When personal information becomes unnecessary, such as upon the expiration of the retention period, the achievement of the purpose of processing, the discontinuation of a service, or the termination of business, the Company shall destroy the relevant personal information within five days unless there is a legitimate reason not to do so.

② Notwithstanding Paragraph 1, if the Company is required to continue retaining personal information in accordance with internal policies or other applicable laws, the Company shall store such personal information by transferring it to a separate database (DB) or by keeping it in a different storage location. (For the items of personal information retained and the grounds for retention under internal policies or other laws, refer to Article 2, “Items of Personal Information Processed.”)

③ The procedures and methods for the destruction of personal information are as follows.

1. Procedures for Destruction

When grounds arise for destroying personal information, the Company immediately destroys the relevant information. If necessary, the information may be temporarily stored for a certain period in accordance with internal policies and applicable laws before being destroyed.

2. Methods of Destruction

Personal information stored in electronic file format is deleted using technical methods that prevent the recovery or reproduction of the records.
Personal information printed on paper is destroyed by shredding with a shredder or by incineration.

① Users may, at any time, exercise their rights (hereinafter referred to as “Exercise of Rights”) to request access to, correction of, deletion of, suspension of processing of, or withdrawal of consent for their personal information, as well as to object to or request an explanation of automated decision-making.

1. Log in > My Page > Member Information: Access, correct, delete, and suspend processing of personal information

2. Contact the Personal Information Protection Officer via email or telephone (see Article 12, Personal Information Protection Officer and Related Matters)

② Upon a user’s request, the Company shall take prompt action and verify that the requester is the data subject or a duly authorized representative.

③ Users may exercise their rights through a legal representative or a delegated agent. In such cases, the Company may require the submission of additional documents, such as a family relationship certificate or a power of attorney in the form prescribed in [Appendix Form No. 11] of the “Notification on the Method of Processing Personal Information (No. 2023-12).” These documents may be submitted via email.

④ Users may request access to their personal information; however, the Company may restrict or deny access in the following cases:

1. Where access is prohibited or restricted by law

2. Where there is a concern that access may harm another person’s life or body, or unfairly infringe upon another person’s property or other rights and interests

⑤ Users may request the suspension of personal information processing; however, the Company may refuse such a request in the following cases:

1. Where it is unavoidable to comply with a legal obligation or a special provision of law

2. Where there is a concern that access may harm another person’s life or body, or unfairly infringe upon another person’s property or other rights and interests

3. Where it would be difficult to perform a contract, such as the provision of services agreed upon with the user, if the personal information is not processed, and the user has not clearly expressed an intention to terminate the contract

The Company takes the following technical, administrative, and physical measures to ensure the security of personal information and to prevent its loss, theft, leakage, alteration, or damage:

① Technical Measures

1. Installation and Updating of Security Programs

To prevent the leakage or damage of personal information, the Company regularly backs up data, installs and updates antivirus programs, and conducts inspections to ensure that users’ personal information and data are protected from unauthorized access or damage.

2. Encryption of Personal Information

Users’ personal information is protected by passwords and encrypted data, and personal information is safely transmitted and received over networks through encrypted communication and similar security methods.

3. Retention and Tamper Prevention of Access Records

The Company retains and manages access records to personal information processing systems for at least two years and employs security features to prevent the alteration, theft, or loss of such records.

4. Access Control and Restrictions on Personal Information

The Company manages and restricts access to personal information through the granting, modification, and revocation of access rights to databases that process personal information, thereby preventing unauthorized internal or external access.

② Administrative Measures

1. Establishment and Implementation of Internal Management Plans

The Company establishes internal management plans and reviews their implementation each year, including the designation of a Personal Information Protection Officer and the operation of an internal organization responsible for personal information protection.

2. Operation of a Dedicated Organization

The Company operates a dedicated department to ensure that all employees comply with legal obligations regarding personal information protection, and the department continuously carries out administrative and technical protection measures.

3. Regular Employee Training

To enhance awareness of personal information protection, the Company provides regular training to all executives and employees.

③ Physical Measures

1. Access Control for Unauthorized Personnel

The Company designates separate physical storage locations for personal information processing systems and establishes control procedures to prevent unauthorized persons from gaining access.

2. Use of Locking Devices for Document Security

Documents and auxiliary storage media containing personal information are stored in secure locations equipped with locking devices.

3. Subscription to Personal Information Protection Liability Insurance

The Company has subscribed to personal information protection liability insurance to ensure compensation for any damage suffered by users in the event of a personal information breach.

④ In addition to the measures required by law, the Company also implements the following activities to further enhance the security of personal information:

1. Acquisition of Personal Information Protection Certifications: Personal Information and Information Security Management System (ISMS-P), Excellent Web and System Certification for Personal Information Protection (ePRIVACY PLUS)

The Company, like most websites, uses cookies. A cookie is a small string of information transmitted from a website to a user’s Internet browser and stored on the user’s computer disk. Cookies do not identify individual users.

① Operation of Cookies

1. Provision of differentiated information according to the user’s areas of interest

2. Analysis of access frequency, duration of visits, and other metrics to understand user preferences and interests for targeted marketing

3. Tracking content viewed with interest to provide personalized services

4. Analysis of user habits to use as indicators for service improvement and restructuring

② User’s Choice Regarding Cookies

Users have the right to choose whether to allow cookies. Although the settings may differ slightly depending on the type of browser, users can configure their browser settings to decide whether to accept cookies; however, if cookies are disabled, some services requiring login may be restricted. The method for setting cookies is as follows.

Cookies expire when the browser is closed or the user logs out.

① The Company designates the following Personal Information Protection Officer, who has overall responsibility for personal information processing, as well as for handling user complaints and providing remedies for damages related to personal information processing.

② Users may contact the following representative by phone or email for inquiries, requests for access, complaints, or remedies related to personal information protection. The Company will respond to and process such inquiries without delay.

Users may request dispute resolution or consultation from the Personal Information Infringement Report Center of the Korea Internet & Security Agency (KISA), the Personal Information Dispute Mediation Committee, or other relevant organizations in order to seek remedies for damages resulting from personal information infringement. For reports or consultations regarding other cases of personal information infringement, please contact the following institution.

This Privacy Policy may be supplemented, deleted, or amended in accordance with relevant laws, regulations, guidelines, or changes in the Company’s services, and it shall take effect from the effective date specified below.