II Combined Co., Ltd. (the “Company”) lawfully processes and safely manages personal information in compliance with the Personal Information Protection Act and related laws to protect the freedom and rights of data subjects using the Gentle Monster website (the “Service”) operated by the Company. Accordingly, in order to inform data subjects of the procedures and standards for the processing and protection of personal information, and to enable them to report related grievances and handle them smoothly, the Company establishes and discloses the privacy policy as follows.
Article 1. Purpose and Items of Personal Information Processing
The Company collects and uses personal information as follows. The Company collects only the minimum personal information necessary at the relevant time and uses it strictly for purposes supported by legal grounds or prior consent:
- Items of personal information processed without the consent of the data subject
The Company processes the following personal information items without the consent of the data subject:| Legal Basis | Type | Purpose of collection | Items Collected | Retention Period |
|---|
| Article 15(1)(4) of the Personal Information Protection Act (PIPA) | Membership Registration | To verify the user’s intent to register; to identify and authenticate users for membership-based services; to maintain and manage user eligibility; to prevent unauthorized or fraudulent use of services | User ID, Password, Name, Mobile Phone Number, CI (Connecting Information) | Until membership withdrawal |
| Social Login | To enable sign-up and login via social media accounts (e.g., Kakao, Apple); to identify and authenticate data subjects; to maintain and manage membership eligibility | Kakao: Gender, Date of Birth, Mobile Phone Number, Email, CI (Connecting Information) Apple: Name, Email, User ID, CI (Connecting Information) | Until membership withdrawal |
| Payment and Delivery | To process payments, deliver products, and handle returns and refunds | Purchaser: Name, Phone Number, Email Address Recipient: Name, Shipping Address, Phone Number Payment Information: Payment Method, Amount, Date, Approval Number | Pursuant to Article 6 of the Act on the Consumer Protection in Electronic Commerce:
- Records of contracts or withdrawal: 5 years
- Records of payment and supply of goods: 5 years |
| Repair Service | To receive and track repair service requests | Name, Email, Address | Pursuant to Article 6 of the Act on the Consumer Protection in Electronic Commerce:
- Records of customer complaints or dispute resolution: 3 years |
| Complaint Handling | Email | Name, Email, Country, Order Number, Inquiry and Processing History | Pursuant to Article 6 of the Act on the Consumer Protection in Electronic Commerce:
- Records of computer communications or internet access: 3 months |
| Chat | Name, Email |
| Automatically Collected Information | Information automatically generated during service use or business processes | IP Address, Cookies, Service Usage History, Access Log, Payment Records, Usage Suspension Records | Pursuant to Article 15-2 of the Protection of Communications Secrets Act:
- Records of computer communications or internet access: 3 months |
- Items of personal information processed with the consent of the data subject
The Company processes the following personal information items with the consent of the data subject.| Legal Basis | Category | Purpose of Use | Personal Data Collected | Retention and Usage Period |
|---|
| Article 15(1)(1) of the Personal Information Protection Act – Consent of the Data Subject | Event & Giveaway | Participation in events and giveaway entries | Name, Address, Phone Number, Email Address | Deleted immediately after the event ends |
| Marketing & Promotion | Processing of personal data for service promotion and sales offers | Name, Email | Until membership withdrawal or withdrawal of consent |
- Protection of personal information of children under the age of 14
The Company does not accept registration from children under the age of 14 who require the consent of their legal representatives.
Article 2. Period of Processing and Retention of Personal Information
The Company processes and retains personal information within the personal information retention and use period in accordance with the laws and regulations or within the personal information retention and use period agreed upon when collecting personal information from data subjects.
- Items and retention period of personal information in accordance with the applicable laws and regulations
| Applicable Law | Item Retained | Retention Period |
|---|
| Protection of Communications Secrets Act | Login records | 3 months |
| Act on the Consumer Protection in Electronic Commerce, etc. | Records related to labeling and | 6 months |
| Records related to contracts or withdrawal of offers | 5 years |
| Records related to payment and supply of goods | 5 years |
| Records related to customer complaints or dispute resolution | 3 years |
- Retention of membership registration information in accordance with the Company’s internal policy
- Prevention of unauthorized use issues: 5 years
"“Unauthorized use” refers to any fraudulent or unfair transactions that deviate from generally accepted e-commerce practices, such as taking unfair profits using the site, including, but not limited to, the following examples:
Ex.) Intentionally interfering with the Company’s normal business activities and service operations, such as interrupting the Company’s business by habitually or repeatedly canceling or returning goods, etc. without a legitimate reason after purchasing goods, etc. using the Site, excessive and repeated membership withdrawal and rejoining, participating in a prize event using multiple emails, or any other act of taking unfair profits using the Site.
Article 3. Procedures and Methods for Destruction of Personal Information
When personal information becomes unnecessary due to the lapse of the retention period of personal information, achievement of the purpose of processing, etc., the Company shall immediately destroy the relevant personal information.
In cases where personal information must be preserved continuously in accordance with other laws and internal guidelines even after the personal information retention period of agreed by the data subject has elapsed or the purpose of processing has been achieved, the relevant personal information shall be transferred to a separate database (DB) or preserved at a different storage location.
The procedures and methods for destroying personal information are as follows.
- - Destruction procedure: After achieving the purpose of personal information, the personal information is stored separately for a certain period of time in accordance with internal policies and obligations under the applicable laws and regulations, and then destroyed.
- - Destruction method: The Company shall destroy personal information recorded and stored in the form of electronic files in a manner that renders the records irrecoverable or irretrievable, and destroy personal information recorded and saved in paper documents by shredding them with a shredder or incinerating them.
Article 4. Provision to Third Parties
The Company shall process the personal information of the data subject only within the scope specified for the purpose of processing the personal information, and shall provide the personal information to a third party only in cases falling under Articles 17 and 18 of the Personal Information Protection Act, such as the consent of the data subject and special provisions of the law, and shall not provide any other personal information of the data subject to a third party.
The Company may provide personal information to relevant agencies without the consent of the data subject in the event of an emergency, such as a disaster, infectious disease, an event or accident that poses an imminent risk to life or body, or an imminent loss of property, in accordance with the “Guidelines for Handling and Protection of Personal Information in Emergency Situations” jointly announced by the relevant government departments. For more information, please click here.
Article 5. Additional Use and Provision of Personal Information
The Company shall use and provide personal information only to the extent agreed by the data subject; provided, however, that additional personal information may be used and provided without the consent of the user in accordance with Article 15(3) or 17(4) of the Personal Information Protection Act.
In this case, the Company will consider the following for additional use and provision of personal information without the consent of the data subject:
- - Whether it is related to the original purpose of collection;
- - - Whether there is predictable additional use or provision of personal information in light of the circumstances in which personal information was collected or processing practices;
- - Whether users’ interests are unfairly infringed;
- - Whether measures necessary to ensure safety, such as pseudonymization or encryption, have been taken.
If additional use/provision of personal information continues to occur, the Company will disclose the criteria for determining the above and check compliance with such criteria.
Article 6. Matters Concerning Entrustment of Personal Information Processing
When entering into an entrustment agreement, the Company specifies in documents such as contracts the prohibition of personal information processing for purposes other than the performance of entrusted duties, technical and administrative protection measures, restrictions on re-entrustment, management and supervision of the Entrustee, liability for damages, etc., in accordance with Article 26 of the Personal Information Protection Act, and supervises whether the entrustee safely processes personal information.
- The Company entrusts personal information processing as follows in order to ensure smooth processing of personal information.
| Data Processor (Trustee) | Delegated Task |
|---|
| NICE Information Service | Identity verification |
| NAVER PAY | Payment and delivery |
| KCP | Payment and delivery |
| KakaoPay | Payment |
| TossPay | Payment |
| Chai Corporation (PORTONE) | Payment |
| PayPal | International payment |
| Paymentwall | International payment |
| NICEPAY | Issuance of cash receipts and expense documentation |
| CJ Logistics | Delivery |
| DHL | Delivery |
| Maersk Contract Logistics Korea Limited | Third-party delivery |
| Powerfront Pte., Ltd. | Live chat service for website |
| Salesforce, Inc. | Customer support system via Service Cloud |
| Matrix Cloud Co., Ltd. | Storage of customer service call and chat records |
| EZWARE | Customer database system development |
| Bespin Global | Operation of AWS infrastructure |
If the entrustee re-entrusts the Company’s personal information processing duties, the Company’s consent is obtained. In the event of a change in the details of the entrusted duties or the entrustee, the details will be disclosed through the Privacy Policy.
The Company provides and entrusts personal information collected from service users to foreign countries as follows. If you do not want to transfer your personal information overseas, you may request to withdraw from membership through the website (My Page-Edit Profile). If a data subject refuses to transfer personal information to a foreign country, the Company shall exclude it from such transfer; provided, however, that if you refuse transfer, you will not be able to use services for which overseas transfer is necessary.
- The Company entrusts some personal information processing tasks overseas to ensure smooth service provision. The personal information to be transferred is as follows.
| Legal Basis | Delegated Task | Transferred Personal Data | Country of Transfer | Time & Method of Transfer | Data Recipient | Purpose of Use | Retention and Usage Period |
|---|
| Article 28-8(1)(3) of the Personal Information Protection Act | Provision of live chat service on website | Name, Email Address, Phone Number, Purchase History, Inquiry and Processing Records | Hong Kong | Transmitted via network during service usage | Powerfront Pte Ltd. (support@ powerfront. com) | Provision of live chat service on website | Destroyed upon termination of outsourcing contract |
Article 7. Matters Concerning Measures to Ensure the Security of Personal Information
The Company is taking the following measures to ensure the security of personal information:
- Administrative measures: Operation of an organization dedicated to information protection, establishment and implementation of internal management plans, regular security training for employees, and inspection of compliance status;
- Technical measures: Management of access rights to personal information processing systems, etc., installation of access control systems, encryption of personally identifiable information, etc., and installation of security programs;
- Physical measures: Establishment and operation of procedures for access control and safe access control of computer rooms, data storage rooms, etc.;
- Obtainment of domestic and overseas (individual) information protection certification: ISO27001, ISMS
Article 8. Matters Concerning Installation, Operation, and Refusal of Automatic Personal Information Collection Devices
<Installed/Operated Automatic Personal Information Collection Devices>
In order to provide individual services and conveniences to data subjects, the Company uses “cookies” that store and retrieve information from time to time.
Cookies are small amounts of information sent by servers used to operate websites to data subjects’ internet browsers and are stored on data subjects’ PCs or mobile devices.
Data subjects can set up settings such as allowing or blocking cookies by setting web browser options; provided, however, that if you refuse to store cookies, it may be difficult to use customized services.
1. Allowing/blocking cookies in the web browser
a. Chrome: Select “⁝” in the upper right corner of the web browser > New incognito window (shortcut: Ctrl+Shift+N)
b. Edge: Select “...” in the upper right corner of the web browser > New InPrivate window (shortcut: Ctrl+Shift+N)
2. Allowing/blocking cookies in the mobile browser
a. Chrome: Select “⁝” in the upper right corner of the web browser > New private tab.
b. Safari: Mobile device settings > Safari > Advanced > Block all cookies
c. Samsung Internet: Select the “Tab” icon below the mobile browser > Turn on Secret Mode > Start
Article 9. Rights, Obligations, and Methods of Exercise of Data Subjects and Legal Representatives
Data subjects may exercise their rights as a data subject (accessing, correcting, withdrawing consent to, or deleting their registered personal information) at any time, and may request access, provision, correction, withdrawal of consent, deletion (withdrawal), suspension of processing, objection, etc. with respect to the following matters.
Data subjects can check, modify, or delete personal information at any time through the following channels on the website. After logging in, “Account > Edit Profile > Save/Delete Account”
The Company shall take measures without delay when contacting the complaint handling department in accordance with “Article 10. Personal Information Protection Officer and Remedies for Infringement of Rights and Interests of Data Subjects” for relevant consultation and handling of inquiries.
You may exercise your rights through an agent, and in such cases, you must submit a power of attorney in accordance with the form in Appendix 11, “Public Notice on Methods of Processing Personal Information.”
Requests for access to and suspension of processing of personal information may limit the rights of users pursuant to Article 35(4) and Article 37(2) of the Personal Information Protection Act, and requests for correction and deletion of personal information cannot be made if the personal information is specified as the subject of collection in other laws.
In cases where the consent of the data subject has been obtained or prior notice has been given through a contract, etc., with regard to the fact that an automated decision is being made, if there are clear provisions in the law, the rejection of the automated decision is not acknowledged, and only an explanation and a request for review can be made.
- In addition, a request for rejection or explanation of an automated decision may be rejected if there is a legitimate reason, such as a risk that the life, body, property, or other interests of another person may be unfairly infringed upon.
Article 10. Chief Privacy Officer and Remedies for Infringement of Data Subject Rights
The Company designates a Chief Privacy Officer and operates a dedicated department as follows to take overall responsibility for personal data processing and to handle complaints and provide remedies for any infringement of data subject rights.
| Chief Privacy Officer (CPO) | Taeho Jung |
| Privacy Department | Information Security Team |
| Contact Information | privacy@gentlemonster.com |
Data subjects may seek dispute resolution or consultation related to personal data infringement by contacting institutions such as the Personal Information Dispute Mediation Committee and the Personal Information Infringement Report Center of the Korea Internet & Security Agency (KISA). For other reports or inquiries regarding personal data infringement, please contact the following organizations.
1. Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
2. Personal Information Infringement Report Center: 118 (privacy.kisa.or.kr)
3. Supreme Prosecutors’ Office: 1301 (www.spo.go.kr)
4. National Police Agency: 182 (ecrm.cyber.go.kr)
Effective Date of this Privacy Policy: May 22, 2025
You may access the previous version of the Privacy Policy below.