Privacy Policy for Travel Wallet’s Corporate Services

Travel Wallet Co., Ltd. (hereinafter referred to as the “Company”) complies with the Personal Information Protection Act and other relevant privacy laws to legally and securely process personal data of data subjects (customers). In order to allow data subjects to easily check the standards and procedures for the processing of personal information and smoothly exercise their rights, the Company establishes and discloses this Privacy Policy as follows.

1. Purpose of Processing Personal Information

  • Purpose of processing: Consultation on business partnership inquiries and related matters, and subscription to and use of Travel Wallet’s corporate services
The Company processes only the minimum amount of personal information necessary to achieve the above purposes. The personal information will not be used for purposes other than those stated above, and if the purpose of processing changes, the Company will take necessary measures such as obtaining separate consent from the data subject.

2. Retention and Use Period of Personal Information

  1. The Company processes and retains personal information until the purpose of collection and use, as agreed upon by the data subject, has been fulfilled. If the retention period expires or the purpose of processing is achieved, and the personal information is no longer needed, the Company will promptly destroy the information.
  2. However, notwithstanding paragraph 1, if there is a requirement to retain personal information under applicable laws, the Company will store the personal information for the period prescribed by the relevant laws. The details and retention periods are as follows:

| Information Retained | Retention Period | Legal Basis |
|---|---|---|
| Records of contracts or withdrawal of offers | 5 years | Article 6 of the Act on Consumer Protection in Electronic Commerce, Article 6(1) of the Enforcement Decree |
| Records of payment and supply of goods, etc. | 5 years | Article 6 of the Act on Consumer Protection in Electronic Commerce, Article 6(1) of the Enforcement Decree |
| Records of consumer complaints or dispute resolution | 3 years | Article 6 of the Act on Consumer Protection in Electronic Commerce, Article 6(1) of the Enforcement Decree |
| Records of display and advertisements | 6 months | Article 6 of the Act on Consumer Protection in Electronic Commerce, Article 6(1) of the Enforcement Decree |
| Records of electronic financial transactions exceeding KRW 10,000 per transaction | 5 years | Article 22(1) of the Electronic Financial Transactions Act, Article 12(1) of the Enforcement Decree |
| Records of electronic financial transactions not exceeding KRW 10,000 per transaction | 1 year | Article 22(1) of the Electronic Financial Transactions Act, Article 12(1) of the Enforcement Decree |
| Records related to the provision of real-name financial transaction information | 5 years | Article 4-3(2) of the Real Name Financial Transactions Act |
| Records related to suspicious transaction reports (STR) | 5 years | Article 5-4(1) of the Act on Reporting and Using Specified Financial Transaction Information |
| Records related to customer due diligence (KYC) | 5 years | Article 5-4(1) of the Act on Reporting and Using Specified Financial Transaction Information |
| Information on remitters and beneficiaries related to wire transfers | 5 years | Article 5-4(1) of the Act on Reporting and Using Specified Financial Transaction Information |
| Foreign exchange ledgers, foreign exchange sale applications, and foreign exchange purchase certificates | 5 years | Article 2-29(7) of the Foreign Exchange Transactions Regulation |
| Records of domestic payments and receipts by payer and recipient related to small-scale overseas remittance | 5 years | Article 2-31(5) of the Foreign Exchange Transactions Regulation |
| Settlement and transaction records during the execution of small-scale overseas remittance services | 5 years | Article 2-31(6) of the Foreign Exchange Transactions Regulation |
| Books and evidential documents related to taxation | 5 years | Article 85-3(2) of the Framework Act on National Taxes |
| Telecommunications verification data (e.g., telecommunications time, call start/end time, phone numbers, usage volume) | 12 months | Article 15-2(2) of the Protection of Communications Secrets Act, Article 41(2) of the Enforcement Decree |
| Telecommunications verification data (e.g., internet log records, connection tracking data for location) | 3 months | Article 15-2(2) of the Protection of Communications Secrets Act, Article 41(2) of the Enforcement Decree |
| Records of use/provision of personal location data | 6 months | Article 16(2) of the Location Information Act |
| Records of collection, use, and processing of personal credit information | 3 years | Article 20(2) of the Credit Information Use and Protection Act |

3. Items of Personal Information Processed

The Company processes and retains personal information items as follows according to the purpose of collection:

| Purpose of Collection | Items Collected | Retention and Use Period |
|---|---|---|
| Corporate remittance service application | Required: Korean name, English name, applicant’s mobile number, applicant’s company email address, date of birth, gender, country of residence, user ID, password. Optional: applicant’s job title/position, city of birth, occupation, applicant’s telephone number | Until account termination and contract end |
| Invitation of corporate remittance members | Required: employee’s email address | Until account termination and contract end |
| Corporate remittance member registration | Required: company email address, Korean name, English name, date of birth, gender, nationality, country of residence, mobile number, telephone number, occupation, job title/position, English city of birth, user ID, password, copy of representative’s ID (resident registration card, driver’s license, passport), foreign registration card or passport for foreigners | Until account termination and contract end |
| Affiliate and advertising service application and registration | Required: applicant’s name, mobile number, company email address, user ID, password. Optional: job title/position, telephone number | Until account termination and contract end |
| Inquiry and customer support | Required: company name, manager’s name, job title/position, mobile number, email address | 1 year after inquiry completion |
| Customer verification and suspicious transaction reporting | Required: copy of representative’s ID (resident registration card, driver’s license, passport); for foreigners: foreign registration card or passport | 5 years |
| Contract execution and customer identification | Required: (Representative) Korean and English names, gender, resident registration number, date of birth, nationality, country and address of residence, contact, email address; (Ultimate beneficial owner) Korean and English names, gender, resident registration number, date of birth, nationality, country and address of residence, contact, email address; (Agent) Korean and English names, occupation, gender, resident registration number, date of birth, nationality, country and address of residence, contact, email address; (Supporting documents) agent and representative IDs, power of attorney. Optional: agent’s city of birth | Until contract end |
| Settlement and remittance | Required: bank account number, account type, bank name, account holder name | Until contract end |

  • Note: The Company may additionally retain personal information pursuant to applicable laws (see Article 2 of this Policy).

4. Provision of Personal Information to Third Parties

The Company may provide personal information to third parties only when any of the following conditions under Article 17(1) or Article 18(2) of the Personal Information Protection Act are met: when the data subject has given consent; when specifically required by law; or when it is necessary to protect the life, body, or property of the data subject or a third party in an emergency situation.
Currently, the Company does not provide any personal information to third parties.

5. Delegation of Personal Information Processing Tasks

  1. The Company entrusts certain tasks to external companies that are essential to provide services to users.
  2. When entering into a consignment agreement, the Company includes provisions in the agreement or relevant documentation in accordance with Article 26(1) of the Personal Information Protection Act. These provisions specify the prohibition of processing personal information for any purposes other than those specified in the consignment, technical and administrative safeguards, limitations on sub-delegation, supervision over the consignee, and liability for damages in case of breach. The Company supervises whether the consignee processes personal information securely.
  3. The Company publicly discloses the details of the entrusted tasks and the identity of the consignee to allow data subjects to easily confirm this information at any time, as shown below:

| Entrusted Task | Consignee | Retention and Use Period |
|---|---|---|
| Individual and Corporate AML (Anti-Money Laundering) Services | GTOne Co., Ltd. | Until termination of the consignment agreement |

  • Note: The Company may retain personal information additionally in accordance with applicable laws (see Article 2 of this policy).
  4. The Company also discloses the identity of any third party (i.e., sub-consignee) that receives re-consigned tasks from the original consignee, and the scope of such tasks.

6. Matters Concerning the Overseas Transfer of Personal Information

The Company entrusts international remittance services to an overseas corporation, Visa Worldwide Pte. Ltd., and transfers customers’ personal information abroad within the scope of the entrusted services.

| Category | Details |
|---|---|
| Recipient | Company name: Visa Worldwide Pte. Ltd.; Contact: gcas.gfc@visa.com, +65-800-4481-250 |
| Items of Personal Information Transferred | Remittance purpose, sender’s name, sender’s account information, sender’s address, sender’s nationality, sender’s contact information, recipient’s name, recipient’s address, recipient’s account information, recipient’s nationality |
| Country to Which the Information is Transferred | Singapore |
| Time and Method of Transfer | Transferred through an encrypted network (data network) at the time of business execution using the Travel Wallet application |
| Purpose of Use and Retention Period by the Recipient | Purpose of use: To carry out international remittance services; Retention period: Until five years have passed from the end of the financial transaction |
| Right to Refuse and Disadvantages of Refusal | The data subject has the right to refuse the overseas transfer of personal information. However, as consent to the overseas transfer of personal information is essential for international remittance transactions, refusal may result in limitations on the service. |

7. Procedures and Methods for the Destruction of Personal Information

The Company shall promptly destroy the personal information when the purpose of collection and use has been achieved or the retention period has expired. The procedures and methods for destruction are as follows:
  1. Destruction Procedure: After the purpose of personal information use has been achieved, the information is stored for a certain period according to internal policies and relevant laws for information protection, and then destroyed.
  2. Destruction Method:
      • Personal information stored in electronic file formats is deleted using technical methods that prevent data recovery.
      • Personal information stored in paper documents is destroyed by shredding or incineration.

8. Rights and Obligations of the Data Subject and Legal Representative and How to Exercise Them

  1. The data subject may exercise the following rights related to personal information protection at any time with respect to the Company:
    1. Request to access personal information
    2. Request to correct personal information
    3. Request to delete personal information
    4. Request to suspend the processing of personal information
  2. Requests for access or suspension of processing may be restricted pursuant to Articles 35(4) and 37(2) of the Personal Information Protection Act.
  3. Requests for correction or deletion may not be accepted if the personal information is specified as a collection target under other laws.
  4. When a data subject makes a request for access, correction, deletion, or suspension of processing, the Company verifies whether the requester is the data subject or a legitimate representative.

9. Personal Information Protection Officer and Responsible Department

  1. The Company designates the following personal information protection officer and department to be responsible for the overall management of personal information processing, and for handling complaints and providing remedies related to personal information.

| Department in Charge of Personal Information | Personal Information Protection Officer: Name | Title | Contact |
|---|---|---|---|
| Security/IT Headquarters | Byunghee Lee | CISO / CPO | |

  2. The data subject may contact the personal information protection officer or responsible department for any inquiries, complaints, or requests for remedy related to personal information that occur while using the Company’s services (or business). The Company will respond and handle such inquiries without delay.

10. Measures to Ensure the Security of Personal Information

In accordance with Article 29 of the Personal Information Protection Act, the Company takes the following measures to ensure the security of personal information:
  1. Regular internal audits
      • Internal audits are conducted regularly (once a year) to ensure the stability and safety of personal information handling.
  2. Minimization and training of personnel handling personal information
      • The Company designates specific employees to handle personal information and implements measures to minimize access by limiting the number of authorized personnel.
  3. Establishment and implementation of internal management plans
      • Internal management plans are established and implemented to ensure the safe handling of personal information.
  4. Technical measures against hacking, etc.
      • To prevent leakage or damage of personal information due to hacking or computer viruses, security programs are installed, regularly updated, and inspected. Systems are installed in physically restricted areas, and access is monitored and blocked through technical and physical means.
  5. Encryption of personal information
      • Users’ personal information and passwords are encrypted and stored securely based on the guidelines set by the Personal Information Protection Commission. Communication between server and client is conducted via SSL encrypted transmission.
  6. Storage and prevention of forgery of access records
      • Access records to the personal information processing system are stored and managed for at least two years, and security features are used to prevent tampering, theft, or loss of these records.
  7. Restriction of access to personal information
      • Access rights to the databases handling personal information are granted, changed, and revoked as needed, and unauthorized access is controlled using intrusion prevention systems.
  8. Use of lockable storage for document security
      • Documents and storage devices containing personal information are stored in secure locations equipped with locks.
  9. Control of access by unauthorized persons
      • Physical storage areas containing personal information are kept separate and protected by an established and enforced access control procedure.

11. Remedies for Infringement of the Rights of the Data Subject

  1. The Company respects the data subject’s right to self-determination over personal information and makes every effort to provide remedies and consultation in case of rights violations. For inquiries or consultation, please contact the customer service department (see Article 9 above).
  2. Data subjects may contact the following institutions for relief and consultation regarding infringement of personal information:
      • Personal Information Dispute Mediation Committee: 1833-6972 (http://kopico.go.kr)
      • Personal Information Infringement Report Center: 118 (http://privacy.kisa.or.kr)
      • Supreme Prosecutors’ Office Cybercrime Investigation Unit: 1301 (http://spo.go.kr)
      • National Police Agency Cyber Safety Bureau: 182 (http://cyberbureau.police.go.kr)
  3. If the rights or interests of a data subject are infringed by the actions or inactions of the head of a public institution in relation to access (Article 25), correction or deletion (Article 26), or suspension of processing (Article 37) of personal information under the Personal Information Protection Act, the data subject may file an administrative appeal in accordance with the Administrative Appeals Act.

12. Enforcement and Amendments to the Privacy Policy

This privacy policy shall take effect as of the effective date, and any additions, deletions, or modifications according to laws or internal policies will be announced at least 7 days before the effective date through public notices.
  • Privacy Policy Version: Ver 2.1
  • Date of Announcement: February 18, 2025
  • Effective Date: February 25, 2025