Travel Wallet Personal (Location) Information Processing Policy
Travel Wallet Co., Ltd. (hereinafter referred to as the “Company”) complies with the Personal Information Protection Act and other relevant laws to protect the rights and freedoms of data subjects, lawfully processes personal information, and manages it safely. Accordingly, pursuant to Article 30 of the Personal Information Protection Act, the Company establishes and discloses this personal information processing policy to inform data subjects of the procedures and standards regarding the processing of personal information and to facilitate the handling of related grievances promptly and appropriately.
1. Purpose of Processing Personal (Location) Information
The Company processes only the minimum amount of personal information necessary for the following purposes. Personal information will not be used for purposes other than those stated below, and if the purpose of use changes, the Company will obtain separate consent or take other necessary measures.
Purposes include: membership registration and identity verification, customer verification and suspicious transaction monitoring/reporting, payment for goods and services, supply and delivery of goods and services, card issuance and delivery, remittance, bank account registration, complaint handling, service abuse prevention, operation and management of events and prize delivery related to services provided by the Company, and to fulfill obligations under applicable laws and regulations.
2. Processing and Retention Period of Personal (Location) Information
① The Company processes and retains personal information until the purpose of collection and use is achieved, as agreed to by the data subject at the time of collection.
- Financial transaction information: Deleted within 5 years from the termination of the business relationship (or within 3 months from the date the purpose is achieved, if earlier). The termination of the business relationship refers to the date the relationship ends due to expiry of contract, exercise of termination rights, completion of statute of limitations, or other legal causes.
- Personal (credit) information other than financial transaction information: Retained until service withdrawal from Travel Wallet.
② Notwithstanding Paragraph 1, the following personal and credit information shall be retained in accordance with relevant laws:
Information Retained | Retention Period | Legal Basis |
Records of contract or withdrawal | 5 years | E-Commerce Act Art. 6 & Enforcement Decree Art. 6(1) |
Records of payment and supply of goods, etc. | 5 years | E-Commerce Act Art. 6 & Enforcement Decree Art. 6(1) |
Consumer complaints and dispute resolution | 3 years | E-Commerce Act Art. 6 & Enforcement Decree Art. 6(1) |
Records of advertisements and displays | 6 months | E-Commerce Act Art. 6 & Enforcement Decree Art. 6(1) |
Electronic financial transaction records (over KRW 10,000) | 5 years | Electronic Financial Transactions Act Art. 22(1) & Enforcement Decree Art. 12(1) |
Electronic financial transaction records (under KRW 10,000) | 1 year | Same as above |
Provision records of financial real-name transaction information | 5 years | Real-Name Financial Transactions Act Art. 4-3(2) |
STR (Suspicious Transaction Report) related data | 5 years | Specific Financial Information Act Art. 5-4(1) |
KYC (Know Your Customer) verification records | 5 years | Same as above |
Sender and recipient info for remittances | 5 years | Same as above |
Currency exchange documents (e.g., exchange ledger, foreign exchange application forms) | 5 years | Foreign Exchange Transaction Regulations Art. 2-29(7) |
Micro remittance transaction records by payer/payee | 5 years | Foreign Exchange Transaction Regulations Art. 2-31(5) |
Reconciliation and transaction history in micro remittance services | 5 years | Foreign Exchange Transaction Regulations Art. 2-31(6) |
Tax records and supporting documents | 5 years | National Tax Basic Law Art. 85-3(2) |
Communication confirmation data (e.g., telecom time, numbers) | 12 months | Communication Privacy Protection Act Art. 15-2(2) & Enforcement Decree Art. 41(2) |
Communication logs and location tracking data | 3 months | Same as above |
Records of use/provision of location information | 6 months | Location Information Act Art. 16(2) |
Records of collection, use, and processing of credit info | 3 years | Credit Info Act Art. 20(2) |
3. Items of Personal (Location) Information Processed
① The Company processes the following personal information items according to the purpose of collection:
Purpose of Collection | Items Collected |
Membership registration and identity verification | - Required: Name, date of birth, gender, mobile phone number, mobile carrier, password, resident registration number, identity verification information (CI, DI) |
Customer identification and suspicious transaction reporting | [General personal (credit) information] - Required: Korean name, English name, date of birth, gender, nationality, postal code, actual residential address, occupation and industry (if self-employed), email, mobile phone number, mobile carrier, identity verification information (CI, DI), ID copy image and information on ID excluding unique identification information - Required: Unique identification information (resident registration number, driver’s license number, foreign registration number), transaction purpose, source of funds and supporting documents (only for customers requiring enhanced due diligence (EDD), collected and used in accordance with Article 5-2 of the Act on Reporting and Using Specified Financial Transaction Information and Article 10-4 of the Enforcement Decree of the same Act) |
Open Banking withdrawal consent | - Required: Name, date of birth, CI, mobile phone number |
Card issuance and delivery | - Required: Address, English name, mobile phone number, password, occupation |
Bank account registration | - Required: Name, bank name, account number, date of birth, email |
Fraud detection | - Required: IP address, MAC address, operating system, device identification information, device type, mobile phone number * For PC: HDD serial number * For mobile device: Android ID/UUID, etc. |
Customer complaint handling | - Required: Name, last 4 digits of mobile phone number - Optional: Mobile phone number |
Remittance | - Required: (Sender info) Sender’s English last and first name, English address, detailed English address, city, sender’s account info - Required: (Recipient info) Recipient’s English last and first name, country, English address, detailed English address, city, State/Province/Region, account holder’s name, account number |
Social service | - Required: Location information, gender, age |
Event participation, winner announcement and verification | - Optional: Name, mobile phone number |
Overseas transaction dispute | - Required: Name, email, mobile phone number, electronic signature, card number, card authorization info (transaction history) - Optional: Supporting documents |
Domestic affiliate payment | - Required: (For linking affiliate member info) CI, name, date of birth, gender, nationality, email, mobile phone number, mobile carrier - Required: (For affiliate payment) Affiliate membership number, payment info |
- In other cases, if consent is obtained from the customer, the information is retained for the agreed period.
4. Provision of Personal (Location) Information to Third Parties
The Company only provides personal information to third parties if it falls under Article 17 or Article 18 of the Personal Information Protection Act, such as with the consent of the data subject or by special legal provision. The recipients are as follows:
Recipient | Purpose of Provision | Items Provided | Retention and Use Period |
Korea Financial Telecommunications & Clearings Institute | Balance inquiry, real-name account inquiry, remitter information inquiry, credit transfer, debit transfer | Same as KFTC Open API request message specification | 5 years |
NAVER Corp. | Identity verification and electronic signature | Name, date of birth, mobile phone number | Destroyed immediately after identity verification and electronic signature |
Kakao Corp. | Identity verification and electronic signature | Name, date of birth, mobile phone number | Destroyed immediately after identity verification and electronic signature |
KT Corp. | Identity verification and electronic signature | Name, date of birth, mobile phone number | Destroyed immediately after identity verification and electronic signature |
COOCON Co., Ltd. | ARS-based identity verification | Name, date of birth, mobile phone number, account number | Destroyed immediately after verification |
Shinhan Card | Smooth transaction between seller and buyer | CAVV, card number, approval number, Track2 (encrypted), merchant name, payment amount, payment time, (if password transaction) password | 5 years |
Shinhan Card | Issuance of year-end tax settlement certificate and income deduction processing | Name, date of birth, gender, mobile phone number, CI, monthly transaction amount and count | 5 years from data submission to NTS or certificate issuance |
National Tax Service | Same as above | Same as above | Same as above |
COOCON Co., Ltd. | Firm banking service | Account holder name, financial institution name, account number, resident number (DOB), business registration number | 5 years from consent date |
Hyphen Corporation | Firm banking service | Same as above | Same as above |
KB Kookmin Bank, Shinhan Bank, Nonghyup Bank, Toss Bank | Firm banking service | Same as above | Same as above |
CJ OliveNetworks | CJ One barcode payment service | CI, unique member ID, name, DOB, gender, email, mobile phone number, mobile carrier | Until service termination, membership cancellation, or end of partnership |
Lotte Members Co., Ltd. | L Point barcode payment service | CI, name, DOB, gender, address, email, mobile carrier, mobile number | Same as above |
- Legal basis for collection: Article 3(1) of the Real Name Financial Transactions Act for resident number collection; Article 4(1)5 of the same Act and Article 9(2) of its Enforcement Decree for personal information collection.
5. Outsourcing of Personal (Location) Information Processing
① The Company outsources part of its essential tasks to external vendors to provide a variety of services to users.
② When signing an outsourcing contract, the Company clearly states in documents such as contracts the obligations including prohibition of processing for purposes other than performing outsourced tasks, implementation of security measures, restriction on re-outsourcing, supervision over the consignee, and liability for damages, as required by Article 26 of the Personal Information Protection Act. The Company also supervises the consignee’s safe handling of personal information.
③ If the content of the outsourced task or the consignee changes, the Company discloses this through its Privacy Policy without delay.
Outsourced Task | Consignee | Retention and Use Period |
Identity and customer verification | Korea Credit Bureau, INFOTEC Co., Ltd., Posicube Co., Ltd., COOCON Co., Ltd. | Until the purpose is achieved or outsourcing contract ends (except where separately retained under relevant laws) |
Card issuance and delivery | Kona I Co., Ltd. | Until the purpose is achieved or outsourcing contract ends (except where separately retained under relevant laws) |
Customer service | NHN Corp., Channel Corporation | Until the purpose is achieved or outsourcing contract ends (except where separately retained under relevant laws) |
Cloud infrastructure operation and management | Amazon Web Services, Inc. | Until the purpose is achieved or outsourcing contract ends (except where separately retained under relevant laws) |
KIOSK card issuance | Hyosung TNS | Until the purpose is achieved or outsourcing contract ends (except where separately retained under relevant laws) |
KakaoTalk Biz Message Dispatch | NHN Cloud Corp. | Until the purpose is achieved or outsourcing contract ends (except where separately retained under relevant laws) |
FX Money service KYC and real-name verification | BC Card Co., Ltd. | Until the purpose is achieved or outsourcing contract ends (except where separately retained under relevant laws) |
④ If the content of the re-delegated tasks or the re-delegatee changes, the Company shall promptly disclose such changes through this Privacy Policy.
Re-delegated Task | Delegatee | Re-delegatee | Retention and Use Period |
Card delivery | Kona I Co., Ltd. | Zeniel Co., Ltd. | Until the purpose is achieved or outsourcing contract ends (except where separately retained under relevant laws) |
KakaoTalk Biz message dispatch | NHN Cloud Corp. | Kakao Corp. | Until the purpose is achieved or outsourcing contract ends (except where separately retained under relevant laws) |
6. Matters Concerning Overseas Transfer of Personal (Location) Information
The Company entrusts its foreign remittance operations to the overseas corporation Visa Worldwide Pte. Ltd. as follows:
Category | Details |
Recipient | Company Name: Visa Worldwide Pte. Ltd.Contact: gcas.gfc@visa.com, 800 4481 250 |
Items of Personal Information Transferred | Purpose of remittance, sender’s name, sender’s account info, sender’s address, sender’s nationality, recipient’s name, recipient’s address, recipient’s account info, recipient’s nationality, contact number |
Country of Transfer | Singapore |
Transfer Method | Transmission through encrypted network at the time of business execution using the Travel Wallet application |
Purpose of Use and Retention Period | Purpose: Execution of overseas account remittanceRetention Period: 5 years from the end of the financial transaction |
Right to Refuse and Disadvantages of Refusal | Users have the right to refuse the collection of personal information. However, consent to overseas transfer is essential for cross-border remittance transactions, and refusal to consent may result in service restrictions. |
7. Procedures and Methods for Destroying Personal Information
The Company promptly destroys personal information once the purpose of collection and use has been fulfilled or the retention period has ended.
- Destruction Procedure: Personal information is stored for a certain period in accordance with internal policies and relevant laws after the purpose has been achieved, then destroyed.
- Destruction Method:
- Personal information stored in electronic file format is deleted using technical methods that make it unrecoverable.
- Personal information recorded on paper is shredded or incinerated.
8. Rights and Obligations of the Data Subject and Legal Representative and How to Exercise Them
① The data subject may exercise the following rights related to personal information protection at any time with respect to the Company:
- Request to access personal information
- Request for correction if there are errors
- Request for deletion
- Request to suspend processing
② Requests for access and suspension of processing may be restricted under Article 35(4) and Article 37(2) of the Personal Information Protection Act.
③ Requests for correction or deletion cannot be accepted if the relevant personal information is specified as a subject for collection by other laws.
④ When responding to requests for access, correction, deletion, or suspension of processing, the Company verifies whether the requester is the data subject or a legitimate representative.
9. Installation, Operation, and Refusal of Devices that Automatically Collect Personal Information
① The Company uses cookies that store and retrieve user information from time to time to provide personalized services.
② A cookie is a small amount of information that the server used to operate the website sends to the user’s web browser, and it may be stored on the user’s PC hard drive.
a. Purpose of using cookies: Cookies are used to analyze users’ visits and usage patterns on each service and website, popular search terms, secure login status, etc., in order to provide optimized information to users.
b. Installation, operation, and refusal of cookies:
Example (Chrome browser): Click the ‘:’ icon on the top right → Settings → Privacy and Security → Cookies and other site data → Block all cookies
③ However, if you refuse to install cookies, there may be difficulties in using some services.
10. Personal Information Protection Officer, Location Information Manager, and Responsible Department
① The Company appoints the following personal information protection officer who is responsible for overall personal information processing and for handling user complaints and damage relief related to personal information.
Responsible Department | Personal Information Protection Officer & Location Information Manager | ㅤ | ㅤ |
- | Name | Position | Contact |
Security Team | Byeonghee Lee | CISO / CPO | support@travel-wallet.com
02-522-0400 |
② Data subjects may contact the personal information protection officer or the responsible department regarding any inquiries, complaints, or damage relief related to personal information protection while using the Company’s services (or business). The Company will respond and handle such inquiries without delay.
11. Measures to Ensure the Security of Personal Information
In accordance with Article 29 of the Personal Information Protection Act, the Company takes the following measures to ensure the security of personal information:
① Regular self-audits:
To ensure the stability of personal information handling, regular internal audits are conducted (at least once a year).
② Minimization and training of staff handling personal information:
Staff handling personal information are designated and limited to those responsible, and management measures are implemented to minimize the number of handlers.
③ Establishment and implementation of internal management plans:
Internal management plans are established and implemented to safely process personal information.
④ Technical measures against hacking, etc.:
Security programs are installed and regularly updated/inspected to prevent leakage or damage of personal information due to hacking or computer viruses. Systems are placed in restricted access areas and are monitored and blocked technically and physically.
⑤ Encryption of personal information:
Users’ personal information and passwords are stored in encrypted form. Encryption is implemented in accordance with the “Policy on Personal Information Encryption.” Communication between servers and clients uses SSL encrypted transmission.
⑥ Retention and prevention of tampering of access records:
Records of access to the personal information processing system are retained and managed for at least two years, and security features are used to prevent tampering, theft, or loss of access records.
⑦ Restriction of access to personal information:
Access rights to databases handling personal information are granted, changed, and revoked as necessary, and unauthorized access from outside is controlled through intrusion prevention systems.
⑧ Use of locking devices for document security:
Documents and storage media containing personal information are stored in secure locations with locking devices.
⑨ Access control for unauthorized personnel:
A separate physical storage area for personal information is maintained with access control procedures in place.
12. Remedies for Infringement of the Rights of Data Subjects
Data subjects may contact the institutions below for remedies, counseling, and other assistance related to personal information infringement:
- Personal Information Dispute Mediation Committee: 1833-6972 (http://kopico.go.kr)
- Personal Information Infringement Reporting Center: 118 (http://privacy.kisa.or.kr)
- Supreme Prosecutors’ Office Cybercrime Investigation Division: 1301 (http://spo.go.kr)
- National Police Agency Cyber Safety Bureau: 182 (http://cyberbureau.police.go.kr)
13. Obligation to Notify Prior to Revisions of the Privacy Policy
This privacy policy shall take effect from the date of implementation. In the event of additions, deletions, or modifications due to changes in laws or internal policies, such changes will be announced via notices at least 7 days prior to the effective date.
14. Items of Behavioral Information Collected
- Personal information: Date of birth, gender, address, mobile phone number
- Device and access environment: OS information, location information, access IP
- Payment and account information: Payment amount, transaction time, merchant information, name of financial institution
- Service usage history: App/web visit history, behavior data such as clicks/scrolls, usage frequency
15. Methods of Collecting Behavioral Information
Behavioral information is automatically collected during the user’s service usage.
16. Purpose of Collecting Behavioral Information
Behavioral information is collected to analyze user service usage patterns and provide personalized advertising.
17. How Users Can Exercise Control
App → More → Service Agreement → Withdraw consent for personalized advertising
18. Retention and Use Period of Behavioral Information & Post-Retention Processing
Behavioral information is retained and used for up to 12 months from the date of collection, after which it is deleted on a daily basis.
19. Inquiries and Remedies Regarding Behavioral Information
ㅤ | Name | Position | Contact |
Security/IT Dept | Byeonghee Lee | CISO / CPO | support@travel-wallet.com
02-522-0400 |
Privacy Policy Version: Ver 2.15
Announcement Date: March 31, 2025
Effective Date: April 7, 2025