Koncierge Privacy Policy
Thank you for using Koncierge, the global concierge service operated by DBRICKS LABS Co., Ltd. (the "Company"). This Privacy Policy (the "Policy") explains how the Company collects, uses, provides, and manages Users' personal information.
■ Summary
• The Company collects only the minimum personal information necessary to provide the Service.
• Payment information such as full card numbers and CVC is not stored on the Company's servers and is processed only through PCI-DSS certified payment processors.
• Users may access, correct, and delete their data at any time.
• Users have the right to refuse use of their data for AI training.
• The Company does not sell Users' personal information to third parties.
1. General
1. DBRICKS LABS Co., Ltd. (the "Company") complies with personal information protection requirements under applicable laws, including the Personal Information Protection Act, the Act on Promotion of Information and Communications Network Utilization and Information Protection, the Protection of Communications Secrets Act, and the Act on the Consumer Protection in Electronic Commerce, to protect personal information of Users of Koncierge, the global concierge service operated by the Company.
2. If the Company provides the Service to Users residing in Europe, it also complies with applicable international data protection laws such as the EU General Data Protection Regulation (GDPR).
3. The Company does not use collected personal information for purposes other than the original collection purposes. The Company processes and retains personal information within the retention periods required by applicable laws and within the periods notified to and consented to by Users at the time of collection.
2. Personal Information Collected and Purpose of Use
The Company collects and uses personal information for the following purposes. Personal information collected is not used for purposes other than the following, and if the purpose of use changes, the Company takes necessary measures such as obtaining separate consent.
The Company does not collect or use personal information of children under 14.
| Legal basis | Category | Purpose | Items collected | Retention period |
|---|---|---|---|---|
| Personal Information Protection Act Article 15(1)4 (contract formation and performance) | Membership registration | Creating and managing Service accounts, identity verification, notice delivery, handling Service-related inquiries, consultations, and complaints, and checking whether the User is under 14 | (Required) email, password | Until membership withdrawal |
| Personal Information Protection Act Article 15(1)4 (contract formation and performance) | Service provision | Analyzing Users' free-form concierge requests, searching, verifying, quoting, and purchasing goods, and supporting international shipping and customs clearance | (Required) product request contents, recipient name, shipping address, contact information, email | Five years from completion of goods or service supply and completion of payment and settlement |
| Personal Information Protection Act Article 15(1)4 (contract formation and performance) | Payment | Payment processing, refunds, partial refunds, and payment fraud prevention | (Required) payment method information (card type, last four digits, expiration date), billing address | Five years from completion of goods or service supply and completion of payment and settlement |
| Customs Act Article 12, etc. (legal obligation) | Customs clearance | Automatic calculation and reporting of EU IOSS VAT, identity verification and customs declaration for transactions exceeding EUR 150 | (Required) recipient information, transaction value, identity document information if applicable | Five years from transaction end date under the Customs Act or ten years under EU VAT Directive Art. 369k |
| Personal Information Protection Act Article 15(1)1 (consent) | App user | Device identification and app push notification delivery for Service notices and advertising information | (Optional) device ID, push token | Until membership withdrawal or withdrawal of consent to receive advertising information |
| Personal Information Protection Act Article 15(1)1 (consent) | Location information | Automatic recognition of country of residence, display of local currency, and checking available delivery regions | (Optional) GPS or Wi-Fi based location information | Destroyed immediately upon withdrawal of consent |
| Personal Information Protection Act Article 15(1)1 (consent) | AI model improvement | Improving AI recommendation models using de-identified data | (Optional) request history, behavior data (de-identified) | Immediately excluded from datasets upon AI training opt-out |
■ AI Training Opt-Out Right
Users may refuse use of their data for AI training at any time.
Opt-out requests may be submitted to support@dbrickslabs.com, and upon such request the Company excludes the User's data from AI training datasets even in de-identified form.
▸ Automatically Collected Information
The following information may be automatically collected during use of the Service.
• IP address, cookies, visit date and time, Service usage records
• Device information (device type, operating system and version, app version, mobile network information)
• App usage logs (screen navigation path, feature usage history, search terms, error logs)
3. Outsourcing of Personal Information Processing
The Company outsources the following personal information processing tasks to external processors for better Service provision and customer convenience. When entering into outsourcing contracts, the Company specifies in documents such as contracts matters required under Article 26 of the Personal Information Protection Act, including prohibition of processing personal information for purposes other than outsourced tasks, technical and managerial safeguards, restrictions on re-outsourcing, management and supervision of processors, and liability for damages, and supervises whether processors safely process personal information.
| Outsourcing purpose | Processor |
|---|---|
| Payment processing for ordered goods | Stripe Inc. and other payment processors designated by the Company |
| Email delivery | Email solution providers such as Stibee, Mailgun, and others |
| App push notification delivery | Apple Push Notification Service (APNs), Firebase Cloud Messaging (FCM) |
| Customer support | Customer support solution providers such as Intercom, Zendesk, and others |
| Product purchase and inspection | Company operation team and Korea-based partner companies designated by the Company (Trustwise Corporation) |
| International shipping and customs clearance | Local customs and logistics partners designated by the Company (SARSPED Logistics) |
| EU VAT reporting and payment | IOSS intermediary designated by the Company |
| Data storage and infrastructure management | Amazon Web Services, Inc. |
| Usage behavior analysis | Google Analytics and other analytics solutions designated by the Company |
| Abnormal transaction and fraud detection | Stripe Radar and other fraud detection solutions |
4. Provision of Personal Information to Third Parties
The Company may provide Users' personal information to third parties through lawful procedures prescribed by law where User consent is obtained or where special provisions exist under other laws. In urgent situations such as disasters, infectious diseases, incidents or accidents causing imminent risk to life or body, or imminent property loss, the Company may provide personal information to relevant authorities without User consent.
The Company does not sell Users' personal information to third parties.
5. Overseas Transfer of Personal Information
Due to the nature of the global concierge Service, the Company transfers personal information overseas as follows. Users may refuse collection and overseas transfer of information, but refusal may restrict use of the Service.
| Legal basis | Items transferred | Transfer method | Destination country and recipient | Purpose of transfer | Retention period | How to refuse |
|---|---|---|---|---|---|---|
| Personal Information Protection Act Article 28-8(1)3 (processing outsourcing and storage) | Email, name, encrypted account information, Service usage data | Transferred from time to time through information and communications networks during Service provision | (United States) Amazon Web Services, Inc. | Data storage and infrastructure operation | Until membership withdrawal or Service contract termination | Service cannot be used if transfer is refused |
| Personal Information Protection Act Article 28-8(1)1 (consent) | Payment information (name, email, address, country, phone number, payment method token) | Real-time encrypted API transfer at the time of payment | (United States) Stripe, Inc. | International payment processing | Five years from transaction end date | Not transferred before payment; transferred only upon payment consent. Payment unavailable if refused |
| Personal Information Protection Act Article 28-8(1)3 (processing outsourcing and storage) | Recipient information (name, address, country, phone number, transaction value) | Real-time encrypted API transfer at order completion | IOSS intermediary and customs partners designated by the Company | International shipping and EU customs and VAT reporting | Five years from transaction end date | International shipping unavailable if transfer is refused |
| Personal Information Protection Act Article 28-8(1)3 (processing outsourcing and storage) | IP, device ID, OS information, Service usage information | Transferred from time to time through information and communications networks during Service provision | (United States) Google LLC | Usage behavior analysis and Service improvement | Until membership withdrawal or Service contract termination | May be refused through the cookie refusal method in Article 9 of this Policy |
Where personal information of Users residing in Europe is transferred to Korea, the United States, or other countries, the Company ensures safe processing with recipients through appropriate safeguards such as Standard Contractual Clauses under GDPR Art. 46.
6. Retention and Use Period of Personal Information
The Company retains and uses Users' personal information for the periods notified and consented to. When the purpose of collection and use is achieved, the retention period expires, or consent is withdrawn, collected personal information is destroyed so that it cannot be accessed or used. However, where prior consent was obtained from the data subject or retention is required under applicable laws, the Company retains personal information for a certain period as follows. In case of consent withdrawal or withdrawal from membership, information is separately stored.
| Records retained | Retention period | Applicable law |
|---|---|---|
| Service usage records, access logs, access IP information, cookies | Three months | Protection of Communications Secrets Act |
| Records on labeling and advertising | Six months | Act on the Consumer Protection in Electronic Commerce |
| Records on consumer complaints or dispute handling | Three years | Act on the Consumer Protection in Electronic Commerce |
| Records on contracts or withdrawal of offers | Five years | Act on the Consumer Protection in Electronic Commerce |
| Records on payment and supply of goods | Five years | Act on the Consumer Protection in Electronic Commerce |
| Electronic financial transaction records | Five years | Electronic Financial Transactions Act |
| Customs-related documents | Five years | Customs Act Article 12 |
| EU IOSS transaction and VAT records | Ten years | EU VAT Directive Art. 369k |
7. Destruction Procedure and Method
1. When personal information becomes unnecessary due to expiration of retention period, achievement of processing purpose, or similar reasons, the Company destroys the information without delay in accordance with Article 6 of this Policy.
2. Personal information printed on paper is shredded or incinerated, and electronic files are deleted using technical methods that make records unrecoverable.
3. If personal information must continue to be retained under other laws even after the consented retention period has expired or the processing purpose has been achieved, the Company transfers such personal information to a separate database or stores it in a different location.
8. User Rights and How to Exercise Them
1. Users may at any time view or correct their registered personal information and may request membership withdrawal. Personal information access and correction are available through Settings > Privacy Management in the app, and membership withdrawal is available by selecting Membership Withdrawal and completing identity verification.
2. Under Article 41(1) of the Enforcement Decree of the Personal Information Protection Act, Users may request access, transfer, correction, deletion, suspension of processing, and withdrawal of consent in writing, by email, or other methods through the department below.
3. If a User requests correction of an error in personal information, the Company does not use or provide the personal information until correction is completed. If incorrect personal information has already been provided to a third party, the Company promptly notifies the third party of the correction result so that correction can be made.
4. Personal information terminated or deleted at a User's request is processed as specified in Article 6 of this Policy and is not accessed or used for other purposes.
5. Users residing in Europe may additionally exercise the following rights under GDPR Arts. 15 to 22.
• Right of access, rectification, deletion (right to be forgotten), restriction of processing, data portability, and objection
• Right to object to automated decision-making and profiling
• Right to refuse use of data for AI training
• Right to lodge a complaint with the data protection supervisory authority in the country of residence
9. Installation, Operation, and Refusal of Automatic Personal Information Collection Devices
▸ Operation of Cookies
A. The Company's website uses cookies for member authentication.
B. Cookies are small pieces of data sent by an HTTP server to the User's browser and are used to confirm legitimate Users between webpages and the User's computer.
C. The Company uses cookies to identify account information in order to provide more suitable and useful services to Users.
D. Users may choose whether to allow cookies. Users may change browser settings to allow all cookies, confirm before cookies are stored, or refuse storage of all cookies. If all cookies are refused, some Services requiring login may not be available.
▸ How to Refuse Cookie Collection in Web Browsers
• Edge: Menu > Settings > Cookies and site permissions > Manage and delete cookies and site data > enable Block third-party cookies
• Chrome: Menu > Settings > Privacy and security > Third-party cookies > enable Block third-party cookies
• Safari: Preferences > enable Prevent cross-site tracking and Block all cookies
▸ How to Block or Allow Smartphone Advertising Identifiers
• Android: Settings > Security and privacy > Privacy > Other privacy settings > Ads > Reset advertising ID or Delete advertising ID
• iPhone: Settings > Privacy & Security > Tracking > turn off Allow Apps to Request to Track
Menu names and methods may differ depending on the mobile OS version.
▸ Push Notifications
A. The Company sends benefits, events, and product recommendation information through push notifications to Users who consent to receive advertising information.
B. Push notification preferences can be changed at any time in Settings > Notification Settings in the app.
C. For smooth Service provision, the Company collects and stores Users' push notification consent status and device identification information (Device Token) on the server.
▸ How to Refuse Push Notifications
• Koncierge app: Login > Settings > Notification Settings > Push Notifications OFF
10. Measures to Ensure Security of Personal Information
▸ Technical Safeguards
A. The Company maintains security systems related to servers and networks and conducts regular vulnerability inspections and remediation.
B. The Company maintains a web firewall and makes best efforts to protect Users' personal information.
C. Users' personal information is stored in encrypted form and managed according to legal standards, and files and transmitted data are sent over encrypted communications using TLS 1.2 or higher.
D. Payment information is processed only through tokenization by PCI-DSS Level 1 certified payment processors such as Stripe, and full card numbers and CVC are not stored on the Company's servers.
E. The Company controls access to personal information by granting, changing, and deleting access rights to personal information processing systems.
F. The Company manages access records to personal information processing systems as required by applicable laws and uses security functions to prevent access records from being forged, altered, stolen, or lost.
G. The Company installs and updates antivirus and other security solutions on PCs of employees handling personal information to protect against malware and similar threats.
▸ Managerial Safeguards
A. The Company limits personnel who may handle Users' personal information to the minimum.
B. The Company establishes and implements internal rules so employees can understand and practice guidelines and procedures necessary for access to and management of personal information, and conducts regular personal information protection training.
C. The Company establishes and implements an internal management plan for safe processing of personal information.
▸ Physical Safeguards
A. The Company safely protects major infrastructure through security system installation and operation in areas where external access is restricted and controlled.
B. The Company strictly controls use of media containing personal information, including auxiliary storage media, and restricts external removal or entry.
C. The Company establishes and implements safeguards to prevent leakage or exposure of personal and important information in work environments such as work PCs, desks, and drawers.
11. Personal Information Protection Officer and Contact
The personal information protection officer and contact are as follows and will respond promptly and sincerely to inquiries regarding personal information.
▸ Personal Information Protection Officer
• Department: Operations Team
• Email: support@dbrickslabs.com
▸ Personal Information Protection Contact
• Department: Operations Team
• Email: support@dbrickslabs.com
For reports or consultation regarding other personal information infringements, please contact the following agencies.
| Agency | Contact | Website |
|---|---|---|
| Personal Information Dispute Mediation Committee | 1833-6972 | www.kopico.go.kr |
| Personal Information Infringement Report Center | 118 without area code | privacy.kisa.or.kr |
| Cyber Investigation Department, Supreme Prosecutors' Office | 1301 | www.spo.go.kr |
| Cyber Bureau, Korean National Police Agency | 182 without area code | ecrm.police.go.kr |
| European supervisory authority | Data protection supervisory authority in the country of residence | edpb.europa.eu |
12. Addendum
If additions, deletions, or amendments are made due to changes in laws or policies, the Company will notify Users through in-app notices and email at least seven days before the effective date. Important changes concerning Users' rights or obligations will be notified at least 30 days in advance.
Contact
Email: support@dbrickslabs.com
Operator: DBRICKS LABS Co., Ltd.
Service name: Koncierge