This English version is a convenience translation. The Korean version is the officially registered privacy policy and shall prevail in the event of any discrepancy.
SaveMyBack Korea Inc. (the "Company") establishes and discloses this Privacy Policy as follows, in accordance with Article 30 of the Personal Information Protection Act ("PIPA"), to protect users' personal information in connection with the online shopping mall service "So-it" (the "Service") it provides, and to handle related grievances promptly and smoothly.
This policy applies to the So-it online shopping mall (web/app), the paid membership, and the points service operated by the Company.
When a user signs up, the Company processes the following personal information items with the user's consent. The personal information processed is not used for any purpose other than those below; if the purpose of use changes, the Company will take necessary measures such as obtaining separate consent under Article 18 of PIPA.
| Legal basis | Category | Purpose | Items collected | Retention & use period |
|---|---|---|---|---|
| PIPA Art. 15(1)1 (consent of the data subject) | Sign-up | Register member information | Name, ID, password, email, mobile number*, gender**, date of birth**, default address*** | Until membership withdrawal |
| PIPA Art. 15(1)1 (consent of the data subject) | Sign-up | Provide friend-invite reward | Referrer ID | Until membership withdrawal |
| PIPA Art. 15(1)1 (consent of the data subject) | Service provision | Provide personalized recommendation service | Delivery area, gender, age group, service usage and visit history | Until membership withdrawal |
| PIPA Art. 15(1)1 (consent of the data subject) | Service provision | Send notification messages | Information collected while sending messages (name, ID, mobile number, email, PUSH token, device info (DeviceID)), message-sending history | Up to 2 years after sending (email: 2 years; SMS and alim-talk: 6 months) |
| PIPA Art. 15(1)1 (consent of the data subject) | Fraud prevention | Manage fraudulent-user history | Fraudulent user's name, ID, mobile number, email, address, recipient info (name, mobile number, address), device info (DeviceID), fraud records | 1 year after membership withdrawal |
| PIPA Art. 15(1)1 (consent of the data subject) | Fraud prevention | Restrict duplicate sign-ups | ID, mobile number, IP address | 3 months after membership withdrawal |
In addition, to provide various services, the Company collects or processes personal information with the user's consent as follows.
(A) Personal information collected with consent upon application during service provision — ① Personal information requiring mandatory consent essential to service provision is notified at the time each service or event is operated, and separate consent may be requested.
| Legal basis | Category | Purpose | Items collected | Retention & use period |
|---|---|---|---|---|
| PIPA Art. 15(1)1 (consent of the data subject) | Marketing/advertising information | Provide tailored benefit-information service | Information collected during So-it service sign-up and use, service usage and visit history, key event history such as search/click/purchase, advertising identifier (ADID/IDFA), device info (Device ID, OS version, app version), sending history of marketing/event/advertising content | Until membership withdrawal or consent withdrawal |
| PIPA Art. 15(1)1 (consent of the data subject) | Service improvement | Surveys | ID, name, mobile number, responses, purchase history, sending history of marketing/event/advertising content | Until membership withdrawal or consent withdrawal |
The Company may process personal information received from sources other than the data subject (third-party provision, entrustment, etc.), and receives it after lawful consent has been obtained from the relevant data subject.
| Legal basis | Source | Purpose | Items collected | Retention & use period |
|---|---|---|---|---|
| PIPA Art. 19(1) (consent of the data subject) | Naver | SNS easy sign-up | Name, email address, mobile number, birth year, birthday, gender | Until membership withdrawal |
| PIPA Art. 19(1) (consent of the data subject) | Kakao | SNS easy sign-up | Mobile number, email, address, gender*, date of birth*, KakaoTalk channel add status and history | Until membership withdrawal |
| PIPA Art. 19(1) (consent of the data subject) | APPLE | SNS easy sign-up | Name, email | Until membership withdrawal |
| PIPA Art. 19(1) (consent of the data subject) | TossPay | Easy payment | Masked payment-method info (bank name and account number, or card issuer and card number), payment info (payment number, amount, date/time, quick-pay registration status) | Until membership withdrawal |
※ Information marked with * is collected only when the data subject has explicitly consented while using another company's service.
③ The Company does not collect personal information of users under the age of 14. However, where consent under PIPA must be obtained to process the personal information of a child under 14, the Company obtains consent from the legal representative, deletes the information immediately once its use ends, and safely manages the information while it is in use.
④ During service provision, information such as device info (Device ID, OS version, app version), browser type, IP address, MAC address, cookies, advertising identifier (ADID/IDFA), and service usage and visit history may be generated and collected automatically.
① The Company provides personal information to third parties only where Articles 17 and 18 of PIPA apply, such as the user's consent or special provisions of law, and otherwise does not provide users' personal information to third parties.
② However, to provide the service smoothly, the Company may provide personal information to the following third parties, in which case it provides only the minimum necessary scope with the user's consent. Where other statutes — such as the Income Tax Act, the Liquor License Act, the Criminal Procedure Act, the Protection of Communications Secrets Act, and the Act on the Persons Performing the Duties of Judicial Police Officers and the Scope of Their Duties — contain special provisions, personal information may be provided to relevant agencies under the law without the user's consent.
| Legal basis | Recipient | Purpose of provision | Category | Items provided | Retention & use period |
|---|---|---|---|---|---|
| PIPA Art. 17(1)1 (consent of the data subject) | Seller product & service providers | Provide seller products and services, provide purchase benefits, customer consultation and complaint handling, provide A/S service | Common | Orderer info (ID, name, email, mobile number), purchased-product info, payment info | Until the purpose is achieved |
| PIPA Art. 17(1)1 (consent of the data subject) | Seller product & service providers | Provide seller products and services, provide purchase benefits, customer consultation and complaint handling, provide A/S service | Delivery products | Recipient info (name, mobile number, address, common-entrance password, delivery notes), (when purchasing goods requiring customs clearance) personal customs clearance code | Until the purpose is achieved |
| PIPA Art. 17(1)1 (consent of the data subject) | Seller product & service providers | Provide seller products and services, provide purchase benefits, customer consultation and complaint handling, provide A/S service | Alcohol products | Orderer info (adult-verification info) | Until the purpose is achieved |
| PIPA Art. 17(1)1 (consent of the data subject) | Seller product & service providers | Provide seller products and services, provide purchase benefits, customer consultation and complaint handling, provide A/S service | Lodging/travel vouchers | Guest info (name, mobile number, date of birth, gender) | Until the purpose is achieved |
| PIPA Art. 17(1)1 (consent of the data subject) | Seller product & service providers | Provide seller products and services, provide purchase benefits, customer consultation and complaint handling, provide A/S service | Flight tickets | Passenger info (name, mobile number, date of birth, gender) | Until the purpose is achieved |
| PIPA Art. 17(1)1 (consent of the data subject) | Seller product & service providers | Provide seller products and services, provide purchase benefits, customer consultation and complaint handling, provide A/S service | Online tickets | Recipient info (name, mobile number) | Until the purpose is achieved |
| PIPA Art. 17(1)1 (consent of the data subject) | Seller product & service providers | Provide seller products and services, provide purchase benefits, customer consultation and complaint handling, provide A/S service | Pickup products | Pickup date, pickup-location info (store name, contact, address) | Until the purpose is achieved |
| PIPA Art. 17(1)1 (consent of the data subject) | Seller product & service providers | Return receipt and handling | Return-address info | Return-address info (name, mobile number, address) | Until the purpose is achieved |
| PIPA Art. 17(1)1 (consent of the data subject) | Live-commerce participating companies | Provide benefits to live-commerce event winners | Common | ID, name, mobile number, event-participation history | Until the purpose is achieved |
| PIPA Art. 17(1)1 (consent of the data subject) | Live-commerce participating companies | Provide benefits to live-commerce event winners | Prize delivery | Recipient info if needed (name, mobile number, address) | Until the purpose is achieved |
| PIPA Art. 17(1)1 (consent of the data subject) | Live-commerce participating companies | Provide benefits to live-commerce event winners | Tax/levy processing | Resident registration number if needed | Until the purpose is achieved |
※ Live-commerce event participating companies may change depending on the live schedule; the Company informs winners of detailed participating-company information in the consent form sent only to winners and provides the information after obtaining separate consent.
| Legal basis | Recipient | Purpose of provision | Items provided | Retention & use period | Relevant grounds |
|---|---|---|---|---|---|
| PIPA Art. 18(2)2 (provided by other statutes) | National Tax Service | Tax/levy processing | Name, resident registration number | Until the purpose is achieved | Income Tax Act Arts. 21, 127, 164 |
| PIPA Art. 18(2)2 (provided by other statutes) | National Tax Service | Report of alcohol mail-order sales | Name, address, sales info (sale date, product name, quantity, order amount) | Until the purpose is achieved | Liquor License Act Art. 17; Enforcement Decree Arts. 17, 20 |
| PIPA Art. 18(2)2 (provided by other statutes) | Investigative agencies (prosecution, police, etc.) | Response to search-and-seizure warrants, communication-confirmation data, communication data, and investigation-cooperation requests | Information within the requested scope | Until the purpose is achieved | Criminal Procedure Act Arts. 106, 199; Protection of Communications Secrets Act Art. 13; Act on the Persons Performing the Duties of Judicial Police Officers and the Scope of Their Duties Art. 5 |
③ To process personal information smoothly, the Company entrusts personal-information processing tasks as follows. When concluding entrustment contracts, the Company specifies in documents such as the contract the prohibition of processing personal information beyond the purpose of the entrusted work, technical and managerial protective measures, restrictions on re-entrustment, supervision of the trustee, and liability including damages, and supervises whether the trustee processes personal information safely.
| Trustee | Entrusted work |
|---|---|
| iStar Glonics Inc. | Delivery service |
| Solapi Inc. | SMS/LMS/MMS and alim-talk sending service operation |
| Toss Payments Corp. | Payment and settlement service operation |
| CJ Logistics Corp. | Delivery and quick service |
| Lotte Global Logistics Co., Ltd. | Delivery and quick service |
| Hate Inc. | Delivery service |
| Trifruit | Delivery service |
| L4K3 | Delivery service |
| Key West Tech | Delivery service |
| Other product suppliers | Delivery service |
⑤ Under Article 15(3) or Article 17(4) of PIPA, the Company may additionally use or provide personal information without the user's consent. In such cases, the Company will consider the following for the additional use or provision of personal information without the data subject's consent.
⑥ If the additional use or provision of personal information occurs continuously, the Company will disclose the criteria for the above determinations and check compliance with those criteria.
① When personal information becomes unnecessary due to the lapse of the retention period under Chapter 1, achievement of the processing purpose, etc., the Company destroys it without delay. However, under an internal policy pursuant to Article 15(1)6 of PIPA, sign-up records and fraud-sanction records are separated and destroyed after being retained for 3 months and 5 years, respectively.
② Even after the retention period has elapsed or the processing purpose has been achieved, where personal information must continue to be preserved under other statutes, the Company preserves it by moving it to a separate database (DB) or storing it in a different location. Separately preserved personal information is not used for any purpose other than preservation, except where it falls under the following reasons or is required by law.
| Relevant statute | Purpose | Retention period |
|---|---|---|
| Act on Consumer Protection in Electronic Commerce, etc. Art. 6 | Records on payment and supply of goods | 5 years |
| Act on Consumer Protection in Electronic Commerce, etc. Art. 6 | Records on contracts or withdrawal of offers | 5 years |
| Act on Consumer Protection in Electronic Commerce, etc. Art. 6 | Records on consumer complaints or dispute handling | 3 years |
| Act on Consumer Protection in Electronic Commerce, etc. Art. 6 | Records on labeling and advertising | 6 months |
| Income Tax Act Arts. 127, 164; Framework Act on National Taxes Art. 85-3 | Tax/levy payment on behalf and withholding-tax reporting | 5 years |
| Protection of Communications Secrets Act Art. 15-2 | Cooperation with requests for communication-confirmation data | 3 months |
③ The procedures and methods for destroying personal information are as follows.
The Company selects the personal information for which grounds for destruction have arisen and destroys it with the approval of the Company's personal information protection officer.
Personal information recorded/stored in electronic file form is destroyed using methods such as a Low Level Format so that the records cannot be reproduced, and personal information recorded/stored on paper documents is destroyed by shredding or incineration.
① Users may at any time request the Company to access, transmit, correct, delete, suspend the processing of, and withdraw consent for their personal information (the "exercise of rights").
※ The rights of a child under 14 must be exercised directly by their legal representative; a data subject who is a minor aged 14 or older may exercise the rights to their own personal information either by themselves or through their legal representative.
② Users may exercise their rights toward the Company in writing, by phone, by email, by fax, etc., and the Company will act on this without delay. In this case, the Company verifies whether the person exercising the rights is the individual concerned or a legitimate representative.
※ Users may at any time directly view, correct, delete, suspend the processing of, and withdraw consent for their personal information under 'My Info > Edit Personal Information' on the website, or request access via a 'Customer Center' inquiry.
③ Users may exercise their rights through a representative such as the user's legal representative or a delegate. In this case, a power of attorney in the form of Attachment No. 11 under the 'Notice on Methods of Personal Information Processing' must be submitted.
④ The data subject's right to request access to and suspension of the processing of personal information may be restricted under Article 35(4) and Article 37(2) of PIPA; where the personal information is specified as subject to processing under other statutes, its deletion may not be requested.
① The Company uses 'cookies' that store and frequently retrieve usage information in order to provide individually tailored services to users.
② A cookie is a small amount of information that the server operating the website sends to the user's computer browser, and it may be stored on the hard disk of the user's PC.
Purpose of cookies: They are used to identify the visit and usage patterns, popular search terms, whether a secure connection is used, etc. for each service and website the user visited, in order to provide optimized information to the user.
Installation, operation, and refusal of cookies: Users have the option to install cookies; through each web browser's option settings, users can allow or refuse all cookies, or require confirmation each time a cookie is stored. In Chrome, use the '⋮' menu at the top right > New Incognito Window (Ctrl+Shift+N); in Edge, use the '…' menu at the top right > New InPrivate Window (Ctrl+Shift+N). If cookie storage is refused, difficulties may arise in using tailored services.
① The Company may collect the user's 'ADID/IDFA' in order to provide individually tailored services.
② ADID/IDFA is an identifier used to operate mobile apps — an anonymous advertising identifier automatically assigned to the user's smartphone device — and it may be stored within the user's device. Users may refuse collection on Android (Settings > Security & privacy > Privacy > More privacy settings > Ads > Reset or delete advertising ID) or iOS (Settings > Privacy & Security > Tracking > turn off Allow Apps to Request to Track).
① In the course of service use, the Company collects and uses behavioral information in a manner that does not identify individuals, using automatic collection devices such as cookies and advertising identifiers (ADID/IDFA), in order to provide users with optimized tailored services and benefits and online tailored advertising.
| Items collected | Collection method | Collection purpose | Retention & use period |
|---|---|---|---|
| Service usage and visit history, product search/click history, order settings, purchase history (ordered products and amounts), membership subscription/cancellation status, cart/wishlist history, page-impression history, event-participation history, advertising identifier | Automatically collected when the user visits or performs actions on the website and app service | Analysis of usage data based on users' interests, preferences, and tendencies; statistical analysis of service usage; improvement of convenience; provision of personalized recommendation service | Until membership withdrawal or 2 years from the collection date |
② For effective service use, advertising, and marketing, the Company allows online tailored-advertising businesses to collect and process behavioral information using cookies and SDKs as follows.
| Device name | Device type | Collecting business | Behavioral data collected | Purpose of collection |
|---|---|---|---|---|
| gtag.js | Tag JavaScript (web page) | Google LLC | Service usage and visit history, key event history such as search/click/purchase, advertising identifier (ADID/IDFA), device info (Device ID, OS version, app version) | Product/service development and statistics, user analysis such as customer analysis, provision of personalized service and benefits, provision of online tailored advertising |
| Meta Pixel | JavaScript (web page) | Meta Platform, Inc. | Service usage and visit history, key event history such as search/click/purchase, advertising identifier (ADID/IDFA), device info (Device ID, OS version, app version) | Product/service development and statistics, user analysis such as customer analysis, provision of personalized service and benefits, provision of online tailored advertising |
| Twitter Pixel | JavaScript (web page) | X Corp. (formerly Twitter Inc.) | Service usage and visit history, key event history such as search/click/purchase, advertising identifier (ADID/IDFA), device info (Device ID, OS version, app version) | Product/service development and statistics, user analysis such as customer analysis, provision of personalized service and benefits, provision of online tailored advertising |
| Kakao SDK | SDK (mobile app) | Kakao Corp. | Service usage and visit history, key event history such as search/click/purchase, advertising identifier (ADID/IDFA), device info (Device ID, OS version, app version) | Product/service development and statistics, user analysis such as customer analysis, provision of personalized service and benefits, provision of online tailored advertising |
| Branch SDK | SDK (mobile app) | Branch Metrics, Inc. | Service usage and visit history, key event history such as search/click/purchase, advertising identifier (ADID/IDFA), device info (Device ID, OS version, app version) | Product/service development and statistics, user analysis such as customer analysis, provision of personalized service and benefits, provision of online tailored advertising |
| Amplitude SDK | SDK (mobile app) | Amplitude, Inc. | Service usage and visit history, key event history such as search/click/purchase, advertising identifier (ADID/IDFA), device info (Device ID, OS version, app version) | Product/service development and statistics, user analysis such as customer analysis |
| Braze SDK | SDK (mobile app) | Braze, Inc. | Service usage and visit history, key event history such as search/click/purchase, advertising identifier (ADID/IDFA), device info (Device ID, OS version, app version) | Customer relationship management (CRM) service and personalized recommendation service, message-sending agency |
③ Users can allow or block behavioral information collected by tailored-advertising businesses by changing browser cookie settings, etc. However, changing cookie settings may restrict the use of some services, such as automatic website login.
④ The Company collects only the minimum behavioral information necessary for optimized tailored services and benefits and online tailored advertising, and does not collect sensitive behavioral information that may infringe individuals' rights, interests, or privacy — such as ideology, beliefs, or medical history.
⑤ Users may contact the personal information protection officer and contact person in Chapter 7 with questions regarding behavioral information, to exercise their right to refuse, or to report harm.
① The Company takes the following measures to ensure the safety of personal information.
Where the Company processes pseudonymized information for statistical purposes, scientific research (technology development), public-interest record-keeping, etc., it discloses the relevant details through the privacy policy, prohibits identifying a specific user through pseudonymized information, and applies necessary technical, managerial, and physical measures, such as storing pseudonymized information and additional information separately.
① The Company may apply artificial intelligence (AI) technology to improve services — such as developing new services, recommending products, composing tailored content, and optimizing search — and does not directly use users' personal information as training data in the process.
② If personal information is processed for purposes such as AI training, the Company will clearly specify the purpose, review its lawfulness to establish processing criteria, and disclose the relevant status and criteria through the privacy policy.
① The Company takes overall responsibility for personal-information processing tasks and designates a personal information protection officer, as below, to handle data subjects' complaints and provide remedies in relation to personal-information processing. Users may direct all inquiries, complaints, and remedy matters related to personal-information protection that arise while using the Company's services to the personal information protection officer and contact person, and the Company will answer and handle users' inquiries without delay.
Personal Information Protection Officer
Name: Kim Eun-mi
Title: CEO
Contact: 1544-5228
Email: admin@istarholdings.kr
Personal Information Complaint Handling Department
Team: So-it
Email: admin@istarholdings.kr
② To obtain remedies for personal-information infringement, users may apply for dispute resolution or consultation to the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency Privacy Infringement Report Center, etc. For other reports of and consultation on personal-information infringement, please contact the following organizations.
| Contact | Phone | Website |
|---|---|---|
| Personal Information Dispute Mediation Committee | 1833-6972 (no area code) | www.kopico.go.kr |
| Privacy Infringement Report Center | 118 (no area code) | privacy.kisa.or.kr |
| National Police Agency | 182 (no area code) | ecrm.police.go.kr |
If this privacy policy is amended, the Company will announce the changes through the website, etc.
– Effective date: December 23, 2025