Privacy & Cookie Policy

SurplusGlobal Inc. (hereinafter referred to as "the Company") takes the privacy of users very seriously and is committed to protecting it. The Company ensures the rights related to personal information are protected, based on user consent, whenever the collection, use, and provision of personal information are necessary. 'Personal information' refers to information about a living individual which can identify the person by including name, contact information, etc. (This includes information which cannot identify a specific individual by itself but can be easily combined with other information to identify an individual. The same shall apply hereinafter).

The Company complies diligently with related laws and regulations such as the 'Personal Information Protection Act,' and policies and guidelines from public institutions like the Ministry of Science and ICT, and the Korea Internet & Security Agency. The Company does not collect information that may infringe on the basic human rights of users unless consented by the user or as stipulated in the law, and strives to protect the personal information of the information subject and to smoothly handle related complaints and grievances.

The Company's 'Privacy Policy' is based on the content mentioned above, and is being implemented and publicized on the online homepage so that users can easily access and view it.

Collection and Purpose of Use of Personal Information

1.1. The Company does not collect or use personal information without prior consent from the user and collects only the minimum necessary information. Collected information is used only within the notified range.

1.2. The Company processes the personal information of users for the following purposes and will use it only within these purposes. If the purpose of use changes, separate consent measures are taken in accordance with related laws.

Collection of Personal Information and Processing (Retention) Period

2.1. The items of personal information collected by the Company are as follows:

2.2. In addition, in accordance with relevant laws, if an investigation (including investigation) or litigation related to it is ongoing, it will be retained and used until the investigation or litigation is concluded, and if there is a legally prescribed retention period, it will be retained and used for that period.

Use and Provision of Collected Personal Information to Third Parties

3.1. The Company uses the personal information of users (members) only within the scope notified after collection and does not provide it to third parties as a principle. However, in the following cases, personal information can be provided to third parties for the convenience of users (members), and prior consent is obtained from users (members) when providing it:

3.1.1. With prior consent from the user (member).

3.1.2When required by law or through legal procedures and methods, at the request of investigative agencies for investigation purposes.

3.1.3. When necessary for the performance of a contract, provision of products (goods) and services, and for settlement of costs and payments.

3.1.4. When necessary for notifying relevant national institutions regarding taxes and public dues related to the user (member).

3.1.5. When necessary for academic and statistical purposes where specific individual identification is not possible.

Outsourcing of Personal Information Processing

4.1. The Company outsources personal information tasks to external professional companies as listed below to ensure smooth processing of users' (members') personal information:

- Google LLC: Analysis of homepage user statistics, etc.

- Microsoft (LinkedIn): Analysis of homepage user statistics, etc.

4.2. The Company continuously manages and supervises these trustees to ensure they process users' (members') personal information legally and securely. Detailed outsourcing contracts are established in compliance with personal information protection laws, prohibiting processing of personal information beyond the purpose of the entrusted tasks, ensuring confidentiality, checking implementation of technical/administrative protective measures, limiting re-entrustment of personal information, compensations for damages, and compliance with related legal regulations. Furthermore, when the contract or task ends, the trustees are required to immediately destroy any personal information of users held by them.

4.3. The Company outsources and stores some personal information to overseas companies for service provision and user statistics analysis.

- Recipient Company Name: Google LLC, Microsoft Corporation, Baidu Inc.

- Destination Country: United States of America (USA), CHN

- Transfer Date and Method: Transfer through network at the time of user service on the homepage website

- Personal Information Items Transferred: Cookies, browser-related data, IP address, site activity collection (excluding personal identification information transmission)

- Purpose and Retention Period of Recipient's Use: Statistical measurement of user interaction on the homepage website, maintenance and provision of IP address service security, storage of user data for 36 months.

Destruction Procedure and Method of Personal Information

5.1. The Company destroys personal information immediately after the retention period has elapsed or the purpose of processing is achieved, with the approval of the personal information protection officer.

5.2. For personal information stored in electronic file format, methods that make the records irreproducible are used. If stored on paper or other documents, they are shredded or incinerated.

Rights, Obligations, and Methods for Protecting User Personal Information

6.1. Information subjects (users) have the following rights related to personal information protection:

a. Right to be informed: The Company must notify the information subject (user) when processing personal information. The privacy policy is updated at least once every 12 months.

b. Request to access personal information: Information subjects (users) can request access to categories and specific information collected by the Company. The Company must provide at least two methods for such requests.

c. Request to correct or delete personal information: Information subjects (users) can request deletion of all forms of personal information collected by the Company, which must be complied with. Users can request deletion, anonymization, or aggregation, and the Company must acknowledge receipt of the deletion request within 10 days and delete the information within 45 days.

d. Request to suspend processing of personal information.

6.2. Information subjects (users) can request modifications to their personal information.

6.3. When there is a request for correction or deletion of personal information by the information subject (user), the Company will not use or provide such information to third parties until the correction or deletion is completed.

6.4. Personal information terminated or deleted at the request of the information subject (user) will be processed according to the stated personal information processing and retention period, and no other use or provision will be made.

6.5. Information subjects (users) can make requests through legal representatives or agents regarding access, correction, deletion, and suspension of processing of their personal information. However, the Company may require documentation proving legal representation according to relevant laws.

Installation and Operation of Automatic Personal Information Collection Devices and Rejection (COOKIES)

7.1. The Company uses cookies to provide users (members) with various and differentiated personalized information services.

7.2. Cookies are small amounts of information transmitted by website servers to the user's (member's) computer browser, which identifies the computer but not the individual user (member), and may be stored on the hard disk of the PC computer.

7.3. Users (members) have a choice regarding cookies. Users (members) can accept all cookies, be notified when a cookie is set, or reject all cookies by adjusting their web browser settings. However, if cookie storage is rejected, there may be limitations in accessing some services that require login.

Ensuring Security for User (Member) Personal Information Protection (Technical and Administrative Measures)

8.1. The Company has developed technical and administrative protective measures to ensure that users' (members') personal information is not lost, stolen, leaked, forged, altered, or damaged, including:

- Establishing and implementing an internal management plan for personal information protection.

- Physical access control to personal information processing equipment.

- Encryption of passwords (PW) and installation of security programs.

- Access rights management for personal information processing systems, installation of access control systems.

- Measures against intrusion into others' information and communication networks.

- Minimization of personal information processors, regular training, etc.

Personal Information Protection Officer and Manager

9.1. The Company has designated a personal information protection officer responsible for overseeing the work related to personal information processing, handling user complaints, and remediation related to personal information protection.

- Personal Information Protection Officer: Bruce Kim, CEO

- Personal Information Protection Manager: Michael Sang-il CHO, Team leader

- Contact: Telephone: 032-728-1400, Email: privacy@surplusglobal.com

9.2. The personal information protection officer (manager) is in charge of all matters related to personal information protection arising during the service usage process and responds promptly to inquiries from users (members).

9.3. Users (members) can receive damage remediation and consultation for personal information infringement from the following organizations:

- Personal Information Infringement Report Center (Operated by Korea Internet & Security Agency)

- Personal Information Dispute Mediation Committee (Operated by Korea Internet & Security Agency)

- Supreme Prosecutors' Office Cybercrime Investigation Division

- National Police Agency Cyber Security Bureau

- In addition, if rights or interests are infringed due to a decision or inaction by the head of a public institution regarding requests for access, correction, deletion, or suspension of processing of personal information, administrative litigation can be filed according to the Administrative Litigation Act.

Duty to Notify

10.1. Users (members) have the duty to protect their personal information and must comply with personal information protection laws and related laws. They must ensure that their personal information such as IDs and passwords are not leaked. The Company is not responsible for any leaks due to the user's (member's) negligence. Additionally, if inaccurate information is provided or someone else's personal information is used, the user (member) is responsible and may be subject to criminal prosecution.

10.2. The Company's privacy policy applies from the date of implementation mentioned below, and changes, additions, or deletions to the policy will be announced from 7 days before the implementation date. However, in case of significant changes affecting users' rights (such as changes in the collection and use of personal information, third-party provision, etc.), the changes will be announced 30 days in advance and implemented after 30 days.

10.3. The Company will obtain separate consent from users in accordance with the Personal Information Protection Act and related laws if needed. However, the minimum necessary information may be provided without consent in cases required by law or requested by courts, investigative agencies, or government administrative agencies.

10.4. The current announcement of the Company's personal information processing policy is as of Feb 7^th, 2024, and the implementation date of the personal information processing policy is Feb 14^th, 2024.