So-it Privacy Policy

This English version is a convenience translation. The Korean version is the officially registered privacy policy and shall prevail in the event of any discrepancy.

SaveMyBack Korea Inc. (the "Company") establishes and discloses this Privacy Policy as follows, in accordance with Article 30 of the Personal Information Protection Act ("PIPA"), to protect users' personal information in connection with the online shopping mall service "So-it" (the "Service") it provides, and to handle related grievances promptly and smoothly.

This policy applies to the So-it online shopping mall (web/app), the paid membership, and the points service operated by the Company.

  • Chapter 1. Purpose of processing, items collected, retention and use period
  • Chapter 2. Provision and entrustment of personal information
  • Chapter 3. Retention period and destruction
  • Chapter 4. Rights of users and legal representatives and how to exercise them
  • Chapter 5. Installation, operation, and refusal of automatic collection devices
  • Chapter 6. Measures to ensure safety
  • Chapter 7. Personal information protection officer and contact
  • Chapter 8. Amendment of the privacy policy and notice thereof

Chapter 1. (Items, purpose, and retention period of personal information processed)

① Personal information items processed with the user's consent

When a user signs up, the Company processes the following personal information items with the user's consent. The personal information processed is not used for any purpose other than those below; if the purpose of use changes, the Company will take necessary measures such as obtaining separate consent under Article 18 of PIPA.

Legal basisCategoryPurposeItems collectedRetention & use period
PIPA Art. 15(1)1 (consent of the data subject)Sign-upRegister member informationName, ID, password, email, mobile number*, gender**, date of birth**, default address***Until membership withdrawal
PIPA Art. 15(1)1 (consent of the data subject)Sign-upProvide friend-invite rewardReferrer IDUntil membership withdrawal
PIPA Art. 15(1)1 (consent of the data subject)Service provisionProvide personalized recommendation serviceDelivery area, gender, age group, service usage and visit historyUntil membership withdrawal
PIPA Art. 15(1)1 (consent of the data subject)Service provisionSend notification messagesInformation collected while sending messages (name, ID, mobile number, email, PUSH token, device info (DeviceID)), message-sending historyUp to 2 years after sending (email: 2 years; SMS and alim-talk: 6 months)
PIPA Art. 15(1)1 (consent of the data subject)Fraud preventionManage fraudulent-user historyFraudulent user's name, ID, mobile number, email, address, recipient info (name, mobile number, address), device info (DeviceID), fraud records1 year after membership withdrawal
PIPA Art. 15(1)1 (consent of the data subject)Fraud preventionRestrict duplicate sign-upsID, mobile number, IP address3 months after membership withdrawal

In addition, to provide various services, the Company collects or processes personal information with the user's consent as follows.

(A) Personal information collected with consent upon application during service provision — ① Personal information requiring mandatory consent essential to service provision is notified at the time each service or event is operated, and separate consent may be requested.

② Personal information collected and used with separate optional consent during service provision

Legal basisCategoryPurposeItems collectedRetention & use period
PIPA Art. 15(1)1 (consent of the data subject)Marketing/advertising informationProvide tailored benefit-information serviceInformation collected during So-it service sign-up and use, service usage and visit history, key event history such as search/click/purchase, advertising identifier (ADID/IDFA), device info (Device ID, OS version, app version), sending history of marketing/event/advertising contentUntil membership withdrawal or consent withdrawal
PIPA Art. 15(1)1 (consent of the data subject)Service improvementSurveysID, name, mobile number, responses, purchase history, sending history of marketing/event/advertising contentUntil membership withdrawal or consent withdrawal

② Personal information items collected from sources other than the data subject

The Company may process personal information received from sources other than the data subject (third-party provision, entrustment, etc.), and receives it after lawful consent has been obtained from the relevant data subject.

Legal basisSourcePurposeItems collectedRetention & use period
PIPA Art. 19(1) (consent of the data subject)NaverSNS easy sign-upName, email address, mobile number, birth year, birthday, genderUntil membership withdrawal
PIPA Art. 19(1) (consent of the data subject)KakaoSNS easy sign-upMobile number, email, address, gender*, date of birth*, KakaoTalk channel add status and historyUntil membership withdrawal
PIPA Art. 19(1) (consent of the data subject)APPLESNS easy sign-upName, emailUntil membership withdrawal
PIPA Art. 19(1) (consent of the data subject)TossPayEasy paymentMasked payment-method info (bank name and account number, or card issuer and card number), payment info (payment number, amount, date/time, quick-pay registration status)Until membership withdrawal

※ Information marked with * is collected only when the data subject has explicitly consented while using another company's service.

③ The Company does not collect personal information of users under the age of 14. However, where consent under PIPA must be obtained to process the personal information of a child under 14, the Company obtains consent from the legal representative, deletes the information immediately once its use ends, and safely manages the information while it is in use.

④ During service provision, information such as device info (Device ID, OS version, app version), browser type, IP address, MAC address, cookies, advertising identifier (ADID/IDFA), and service usage and visit history may be generated and collected automatically.

Chapter 2. Provision and entrustment of personal information

① The Company provides personal information to third parties only where Articles 17 and 18 of PIPA apply, such as the user's consent or special provisions of law, and otherwise does not provide users' personal information to third parties.

② However, to provide the service smoothly, the Company may provide personal information to the following third parties, in which case it provides only the minimum necessary scope with the user's consent. Where other statutes — such as the Income Tax Act, the Liquor License Act, the Criminal Procedure Act, the Protection of Communications Secrets Act, and the Act on the Persons Performing the Duties of Judicial Police Officers and the Scope of Their Duties — contain special provisions, personal information may be provided to relevant agencies under the law without the user's consent.

(A) Status of personal information provided to third parties — ① Personal information provided to third parties with the user's consent

Legal basisRecipientPurpose of provisionCategoryItems providedRetention & use period
PIPA Art. 17(1)1 (consent of the data subject)Seller product & service providersProvide seller products and services, provide purchase benefits, customer consultation and complaint handling, provide A/S serviceCommonOrderer info (ID, name, email, mobile number), purchased-product info, payment infoUntil the purpose is achieved
PIPA Art. 17(1)1 (consent of the data subject)Seller product & service providersProvide seller products and services, provide purchase benefits, customer consultation and complaint handling, provide A/S serviceDelivery productsRecipient info (name, mobile number, address, common-entrance password, delivery notes), (when purchasing goods requiring customs clearance) personal customs clearance codeUntil the purpose is achieved
PIPA Art. 17(1)1 (consent of the data subject)Seller product & service providersProvide seller products and services, provide purchase benefits, customer consultation and complaint handling, provide A/S serviceAlcohol productsOrderer info (adult-verification info)Until the purpose is achieved
PIPA Art. 17(1)1 (consent of the data subject)Seller product & service providersProvide seller products and services, provide purchase benefits, customer consultation and complaint handling, provide A/S serviceLodging/travel vouchersGuest info (name, mobile number, date of birth, gender)Until the purpose is achieved
PIPA Art. 17(1)1 (consent of the data subject)Seller product & service providersProvide seller products and services, provide purchase benefits, customer consultation and complaint handling, provide A/S serviceFlight ticketsPassenger info (name, mobile number, date of birth, gender)Until the purpose is achieved
PIPA Art. 17(1)1 (consent of the data subject)Seller product & service providersProvide seller products and services, provide purchase benefits, customer consultation and complaint handling, provide A/S serviceOnline ticketsRecipient info (name, mobile number)Until the purpose is achieved
PIPA Art. 17(1)1 (consent of the data subject)Seller product & service providersProvide seller products and services, provide purchase benefits, customer consultation and complaint handling, provide A/S servicePickup productsPickup date, pickup-location info (store name, contact, address)Until the purpose is achieved
PIPA Art. 17(1)1 (consent of the data subject)Seller product & service providersReturn receipt and handlingReturn-address infoReturn-address info (name, mobile number, address)Until the purpose is achieved
PIPA Art. 17(1)1 (consent of the data subject)Live-commerce participating companiesProvide benefits to live-commerce event winnersCommonID, name, mobile number, event-participation historyUntil the purpose is achieved
PIPA Art. 17(1)1 (consent of the data subject)Live-commerce participating companiesProvide benefits to live-commerce event winnersPrize deliveryRecipient info if needed (name, mobile number, address)Until the purpose is achieved
PIPA Art. 17(1)1 (consent of the data subject)Live-commerce participating companiesProvide benefits to live-commerce event winnersTax/levy processingResident registration number if neededUntil the purpose is achieved

※ Live-commerce event participating companies may change depending on the live schedule; the Company informs winners of detailed participating-company information in the consent form sent only to winners and provides the information after obtaining separate consent.

② Personal information provided to third parties without the user's consent pursuant to law

Legal basisRecipientPurpose of provisionItems providedRetention & use periodRelevant grounds
PIPA Art. 18(2)2 (provided by other statutes)National Tax ServiceTax/levy processingName, resident registration numberUntil the purpose is achievedIncome Tax Act Arts. 21, 127, 164
PIPA Art. 18(2)2 (provided by other statutes)National Tax ServiceReport of alcohol mail-order salesName, address, sales info (sale date, product name, quantity, order amount)Until the purpose is achievedLiquor License Act Art. 17; Enforcement Decree Arts. 17, 20
PIPA Art. 18(2)2 (provided by other statutes)Investigative agencies (prosecution, police, etc.)Response to search-and-seizure warrants, communication-confirmation data, communication data, and investigation-cooperation requestsInformation within the requested scopeUntil the purpose is achievedCriminal Procedure Act Arts. 106, 199; Protection of Communications Secrets Act Art. 13; Act on the Persons Performing the Duties of Judicial Police Officers and the Scope of Their Duties Art. 5

③ To process personal information smoothly, the Company entrusts personal-information processing tasks as follows. When concluding entrustment contracts, the Company specifies in documents such as the contract the prohibition of processing personal information beyond the purpose of the entrusted work, technical and managerial protective measures, restrictions on re-entrustment, supervision of the trustee, and liability including damages, and supervises whether the trustee processes personal information safely.

(A) [Domestic] Trustee status

TrusteeEntrusted work
iStar Glonics Inc.Delivery service
Solapi Inc.SMS/LMS/MMS and alim-talk sending service operation
Toss Payments Corp.Payment and settlement service operation
CJ Logistics Corp.Delivery and quick service
Lotte Global Logistics Co., Ltd.Delivery and quick service
Hate Inc.Delivery service
TrifruitDelivery service
L4K3Delivery service
Key West TechDelivery service
Other product suppliersDelivery service

⑤ Under Article 15(3) or Article 17(4) of PIPA, the Company may additionally use or provide personal information without the user's consent. In such cases, the Company will consider the following for the additional use or provision of personal information without the data subject's consent.

  • Whether it is related to the original purpose of collection
  • Whether the additional use or provision of personal information is foreseeable in light of the circumstances of collection or processing practices
  • Whether it unfairly infringes the user's interests
  • Whether measures necessary to ensure safety, such as pseudonymization or encryption, have been taken

⑥ If the additional use or provision of personal information occurs continuously, the Company will disclose the criteria for the above determinations and check compliance with those criteria.

Chapter 3. Retention period and destruction

① When personal information becomes unnecessary due to the lapse of the retention period under Chapter 1, achievement of the processing purpose, etc., the Company destroys it without delay. However, under an internal policy pursuant to Article 15(1)6 of PIPA, sign-up records and fraud-sanction records are separated and destroyed after being retained for 3 months and 5 years, respectively.

② Even after the retention period has elapsed or the processing purpose has been achieved, where personal information must continue to be preserved under other statutes, the Company preserves it by moving it to a separate database (DB) or storing it in a different location. Separately preserved personal information is not used for any purpose other than preservation, except where it falls under the following reasons or is required by law.

  • Where an investigation or inquiry due to a violation of relevant statutes is in progress, until such investigation or inquiry ends
  • Where credit/debt relationships arising from service use remain, until such credit/debt relationships are settled
  • Where there is an obligation to preserve information under statutes, until the period prescribed by the relevant statutes
Relevant statutePurposeRetention period
Act on Consumer Protection in Electronic Commerce, etc. Art. 6Records on payment and supply of goods5 years
Act on Consumer Protection in Electronic Commerce, etc. Art. 6Records on contracts or withdrawal of offers5 years
Act on Consumer Protection in Electronic Commerce, etc. Art. 6Records on consumer complaints or dispute handling3 years
Act on Consumer Protection in Electronic Commerce, etc. Art. 6Records on labeling and advertising6 months
Income Tax Act Arts. 127, 164; Framework Act on National Taxes Art. 85-3Tax/levy payment on behalf and withholding-tax reporting5 years
Protection of Communications Secrets Act Art. 15-2Cooperation with requests for communication-confirmation data3 months

③ The procedures and methods for destroying personal information are as follows.

Destruction procedure

The Company selects the personal information for which grounds for destruction have arisen and destroys it with the approval of the Company's personal information protection officer.

Destruction method

Personal information recorded/stored in electronic file form is destroyed using methods such as a Low Level Format so that the records cannot be reproduced, and personal information recorded/stored on paper documents is destroyed by shredding or incineration.

Chapter 4. Rights of users and legal representatives and how to exercise them

① Users may at any time request the Company to access, transmit, correct, delete, suspend the processing of, and withdraw consent for their personal information (the "exercise of rights").

※ The rights of a child under 14 must be exercised directly by their legal representative; a data subject who is a minor aged 14 or older may exercise the rights to their own personal information either by themselves or through their legal representative.

② Users may exercise their rights toward the Company in writing, by phone, by email, by fax, etc., and the Company will act on this without delay. In this case, the Company verifies whether the person exercising the rights is the individual concerned or a legitimate representative.

※ Users may at any time directly view, correct, delete, suspend the processing of, and withdraw consent for their personal information under 'My Info > Edit Personal Information' on the website, or request access via a 'Customer Center' inquiry.

③ Users may exercise their rights through a representative such as the user's legal representative or a delegate. In this case, a power of attorney in the form of Attachment No. 11 under the 'Notice on Methods of Personal Information Processing' must be submitted.

④ The data subject's right to request access to and suspension of the processing of personal information may be restricted under Article 35(4) and Article 37(2) of PIPA; where the personal information is specified as subject to processing under other statutes, its deletion may not be requested.

Chapter 5. Installation, operation, and refusal of automatic collection devices

5-1. Cookies

① The Company uses 'cookies' that store and frequently retrieve usage information in order to provide individually tailored services to users.

② A cookie is a small amount of information that the server operating the website sends to the user's computer browser, and it may be stored on the hard disk of the user's PC.

Purpose of cookies: They are used to identify the visit and usage patterns, popular search terms, whether a secure connection is used, etc. for each service and website the user visited, in order to provide optimized information to the user.

Installation, operation, and refusal of cookies: Users have the option to install cookies; through each web browser's option settings, users can allow or refuse all cookies, or require confirmation each time a cookie is stored. In Chrome, use the '⋮' menu at the top right > New Incognito Window (Ctrl+Shift+N); in Edge, use the '…' menu at the top right > New InPrivate Window (Ctrl+Shift+N). If cookie storage is refused, difficulties may arise in using tailored services.

5-2. Advertising identifier (ADID/IDFA)

① The Company may collect the user's 'ADID/IDFA' in order to provide individually tailored services.

② ADID/IDFA is an identifier used to operate mobile apps — an anonymous advertising identifier automatically assigned to the user's smartphone device — and it may be stored within the user's device. Users may refuse collection on Android (Settings > Security & privacy > Privacy > More privacy settings > Ads > Reset or delete advertising ID) or iOS (Settings > Privacy & Security > Tracking > turn off Allow Apps to Request to Track).

5-3. Behavioral information

① In the course of service use, the Company collects and uses behavioral information in a manner that does not identify individuals, using automatic collection devices such as cookies and advertising identifiers (ADID/IDFA), in order to provide users with optimized tailored services and benefits and online tailored advertising.

Items collectedCollection methodCollection purposeRetention & use period
Service usage and visit history, product search/click history, order settings, purchase history (ordered products and amounts), membership subscription/cancellation status, cart/wishlist history, page-impression history, event-participation history, advertising identifierAutomatically collected when the user visits or performs actions on the website and app serviceAnalysis of usage data based on users' interests, preferences, and tendencies; statistical analysis of service usage; improvement of convenience; provision of personalized recommendation serviceUntil membership withdrawal or 2 years from the collection date

② For effective service use, advertising, and marketing, the Company allows online tailored-advertising businesses to collect and process behavioral information using cookies and SDKs as follows.

Device nameDevice typeCollecting businessBehavioral data collectedPurpose of collection
gtag.jsTag JavaScript (web page)Google LLCService usage and visit history, key event history such as search/click/purchase, advertising identifier (ADID/IDFA), device info (Device ID, OS version, app version)Product/service development and statistics, user analysis such as customer analysis, provision of personalized service and benefits, provision of online tailored advertising
Meta PixelJavaScript (web page)Meta Platform, Inc.Service usage and visit history, key event history such as search/click/purchase, advertising identifier (ADID/IDFA), device info (Device ID, OS version, app version)Product/service development and statistics, user analysis such as customer analysis, provision of personalized service and benefits, provision of online tailored advertising
Twitter PixelJavaScript (web page)X Corp. (formerly Twitter Inc.)Service usage and visit history, key event history such as search/click/purchase, advertising identifier (ADID/IDFA), device info (Device ID, OS version, app version)Product/service development and statistics, user analysis such as customer analysis, provision of personalized service and benefits, provision of online tailored advertising
Kakao SDKSDK (mobile app)Kakao Corp.Service usage and visit history, key event history such as search/click/purchase, advertising identifier (ADID/IDFA), device info (Device ID, OS version, app version)Product/service development and statistics, user analysis such as customer analysis, provision of personalized service and benefits, provision of online tailored advertising
Branch SDKSDK (mobile app)Branch Metrics, Inc.Service usage and visit history, key event history such as search/click/purchase, advertising identifier (ADID/IDFA), device info (Device ID, OS version, app version)Product/service development and statistics, user analysis such as customer analysis, provision of personalized service and benefits, provision of online tailored advertising
Amplitude SDKSDK (mobile app)Amplitude, Inc.Service usage and visit history, key event history such as search/click/purchase, advertising identifier (ADID/IDFA), device info (Device ID, OS version, app version)Product/service development and statistics, user analysis such as customer analysis
Braze SDKSDK (mobile app)Braze, Inc.Service usage and visit history, key event history such as search/click/purchase, advertising identifier (ADID/IDFA), device info (Device ID, OS version, app version)Customer relationship management (CRM) service and personalized recommendation service, message-sending agency

③ Users can allow or block behavioral information collected by tailored-advertising businesses by changing browser cookie settings, etc. However, changing cookie settings may restrict the use of some services, such as automatic website login.

④ The Company collects only the minimum behavioral information necessary for optimized tailored services and benefits and online tailored advertising, and does not collect sensitive behavioral information that may infringe individuals' rights, interests, or privacy — such as ideology, beliefs, or medical history.

⑤ Users may contact the personal information protection officer and contact person in Chapter 7 with questions regarding behavioral information, to exercise their right to refuse, or to report harm.

Chapter 6. Measures to ensure safety

6-1. Personal information

① The Company takes the following measures to ensure the safety of personal information.

  • Managerial measures: establishment and implementation of an internal management plan, regular employee training, operation of a dedicated organization
  • Technical measures: access-authority management for personal-information processing systems, installation of access-control systems and other protective measures, internet-network blocking, encryption of unique identifying information, storage and inspection of access logs, installation and updating of security programs, vulnerability inspection and remediation of personal-information processing systems
  • Physical measures: access control of computer rooms and data-storage rooms, safety measures against disasters, control of the carrying in/out of auxiliary storage media

6-2. Pseudonymized information

Where the Company processes pseudonymized information for statistical purposes, scientific research (technology development), public-interest record-keeping, etc., it discloses the relevant details through the privacy policy, prohibits identifying a specific user through pseudonymized information, and applies necessary technical, managerial, and physical measures, such as storing pseudonymized information and additional information separately.

6-3. Artificial intelligence (AI) training data

① The Company may apply artificial intelligence (AI) technology to improve services — such as developing new services, recommending products, composing tailored content, and optimizing search — and does not directly use users' personal information as training data in the process.

② If personal information is processed for purposes such as AI training, the Company will clearly specify the purpose, review its lawfulness to establish processing criteria, and disclose the relevant status and criteria through the privacy policy.

Chapter 7. Personal information protection officer and contact

① The Company takes overall responsibility for personal-information processing tasks and designates a personal information protection officer, as below, to handle data subjects' complaints and provide remedies in relation to personal-information processing. Users may direct all inquiries, complaints, and remedy matters related to personal-information protection that arise while using the Company's services to the personal information protection officer and contact person, and the Company will answer and handle users' inquiries without delay.

Personal Information Protection Officer

Name: Kim Eun-mi

Title: CEO

Contact: 1544-5228

Email: admin@istarholdings.kr

Personal Information Complaint Handling Department

Team: So-it

Email: admin@istarholdings.kr

② To obtain remedies for personal-information infringement, users may apply for dispute resolution or consultation to the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency Privacy Infringement Report Center, etc. For other reports of and consultation on personal-information infringement, please contact the following organizations.

ContactPhoneWebsite
Personal Information Dispute Mediation Committee1833-6972 (no area code)www.kopico.go.kr
Privacy Infringement Report Center118 (no area code)privacy.kisa.or.kr
National Police Agency182 (no area code)ecrm.police.go.kr

Chapter 8. Amendment of the privacy policy and notice thereof

If this privacy policy is amended, the Company will announce the changes through the website, etc.

– Effective date: December 23, 2025