Have&B Co., Ltd. (hereinafter referred to as the 'Company') values the personal information of customers and complies with the “Personal Information Protection Act”.

Through the personal information processing policy, the company informs you of the purpose and method of using the personal information provided by customers and what measures are being taken to protect personal information.
When the company revises the personal information processing policy, it will be notified through the website notice (or individual notice).

○ This policy was enacted on November 11, 2022, and changes are applied on November 28, 2022.

The company collects the following personal information for membership registration, consultation, and service application through the Dr. Jart website.

○ Online membership

• Service

  online malloffline store

• Collection Point

  When registering as a memberVTO run

• Purpose of processing

  (essential)Confirmation of identity and intention to sign up for membership, identification of members, and provision of membership services

  Transmission of personalized advertisements through electronic transmission media, information on events and promotions, development and specialization of new services (products), identification of access frequency, or statistics on service use by members

  birthday benefits(essential)Provide virtual tryon service

• Retention period and basis

  When membership is withdrawnstatutory duty periodWhen consent is withdrawn24 hours(VTO run)

In principle, after the purpose of personal information collection and use is achieved, or if membership withdrawal or information deletion is requested, the information is destroyed within a maximum of 5 business days. Non-members' website reservation application-related information is retained and used for 90 days from the date of reservation. However, if it is necessary to preserve it in accordance with the relevant laws and regulations, the company retains member information for a certain period of time as set forth in the relevant laws and regulations as follows.

○ Records on contract or subscription withdrawal: 5 years (Act on Consumer Protection in Electronic Commerce, etc.)
○ Records on payment and supply of goods: 5 years (Act on Consumer Protection in Electronic Commerce, etc.)
○ Consumer’s Records on handling complaints or disputes: 3 years (Act on Consumer Protection in Electronic Commerce, etc.)
○ Records on collection/processing and use of credit information: 3 years (Act on Use and Protection of Credit Information)
○ Website Visitation record: 3 months (Communications Secrets Protection Act)

In accordance with Article 39-6 of the Personal Information Protection Act and Article 48-5 of the Enforcement Decree of the same Act, the company separates the personal information of users who have not used the company's service for one year from the personal information of general users and takes necessary measures such as storing it separately. . The company notifies users via e-mail, etc. 30 days prior to the date of conversion to dormant account.

Separately stored personal information is not used or provided unless there is a special provision in the relevant laws and regulations, and it is retained for a certain period of time in accordance with the relevant laws and regulations and is destroyed after the relevant period. However, personal information that has not been destroyed will be provided again at the time of resumption of service use according to the user's request.

In principle, the company destroys the information within a maximum of 5 business days after the purpose of collecting and using personal information is achieved. The destruction procedure and method are as follows.

○ Destruction procedure

The information entered by the member for membership registration, etc. is transferred to a separate DB after the purpose is achieved (separate filing cabinet in case of paper), Reference) After being stored for a certain period of time, it is destroyed. Personal information transferred to a separate DB is not used for any purpose other than retention unless otherwise required by law.

○ Destruction method

Personal information printed or written on paper is shredded with a shredder or destroyed by incineration, and personal information stored in the form of an electronic file is deleted using a technical method that cannot reproduce the record.

In principle, the company does not disclose users' personal information to the outside world. However, the following cases are exceptions.

• When users agree in advance
• In accordance with the provisions of the law or when there is a request from an investigative agency in accordance with the procedures and methods set forth in the law for the purpose of investigation
• A specific individual as necessary for the purpose of creating statistics and academic research If you provide personal information in an unrecognizable form

In order to provide better service, the company entrusts the following personal information processing tasks. In the case of entrusting the processing of personal information to a consignee, the prohibition of processing personal information for purposes other than the purpose of entrusted business, technical and managerial protection measures, restrictions on re-entrustment, management and supervision of the consignee, compensation for damages, etc. We are complying with this.

• Entrusted person - Entrusted business details

  astems - integrated member

  happy talk - Operation of customer consultation chatting solution

  humus on - SMS service, Kakao AlimTalk, e-mail transmission system operation

  Creama Factory Co., Ltd. - Write product reviews and pay points

  Pantos Co., Ltd. - Delivery business agency

  Naver Financial Co., Ltd. - product payment

  Kakao Co., Ltd. - product payment

  Korea Cyber Payment Co., Ltd. (NHN KCP) - Real name verification and identity verification when verifying mobile phone

  BS support - Enterprise management system operation and maintenance

  NHN Data Co., Ltd. - web log analytics

  Play Auto - Product registration and product delivery agency

  bizcon - Gift cone delivery agency

In order to provide more professional services, we entrust the handling of the following to a professional overseas company, and in this process, the user's personal information may be transferred overseas.

• Salesforce

  (Data Protection Officer: security@salesforce.com )

  Former country : USA

  Items of personal information to be transferred : Name, phone number, cell phone number, email address, mailing address, gender, date of birth, consultation details, transaction details, refund account number, medical records

  Transfer purpose : Data storage and maintenance

  Retention and use period Timing and Procedures for : hold for 3 years Transfer and storage to a data center in the United State

• Adobe Campaign

  (Data Protection Officer: DPO@adobe.com )

  Former country : Singapore

  Items of personal information to be transferred : Name, email address, phone number, SNS ID, address, gender, date of birth, skin condition information, consent/rejection of marketing information

  Transfer purpose : marketing activities

  Retention and use period Timing and Procedures for : Until the purpose of use is achieved

• Verticurl Pte. Ltd.

  (Information protection officer: elctechteam@verticurl.com )

  Former country : Hong Kong

  Items of personal information to be transferred : Name, email address, phone number, SNS ID, address, gender, date of birth, skin condition information, consent/rejection of marketing information

  Transfer purpose : marketing activities

  Retention and use period Timing and Procedures for : Hold for 30 days

• Estee Lauder Asia Pacific Limited

  (Information protection officer: privacy@estee.com )

  Former country : Singapore

  Items of personal information to be transferred : Name, email address, phone number, SNS ID, address, gender, date of birth, skin condition information, transaction history, loyalty program points and redemption transaction history, online consultation records, consumer feedback

  Transfer purpose : Customer relationship management, data processing and analysis, marketing activities

  Retention and use period Timing and Procedures for : Until the purpose of use is achieved

• Amazon Web Services Japan KK

  (Data Protection Officer: aws-korea-privacy@amazon.com )

  Former country : japan

  Items of personal information to be transferred : Name, phone number, consultation reservation date/ time/store/service

  Transfer purpose : Online counseling reservation information sent via text message

  Retention and use period Timing and Procedures for : 7 days from the date of shipment

• ELC Online Inc.

  (Information protection officer: privacy@estee.com )

  Former country : Korea, USA

  Items of personal information to be transferred : Name, address, date of birth, skin type, ,loyalty points, consultation content, email and IP address

  Transfer purpose : Online ordering and shipping information, product reviews and ratings

  Retention and use period Timing and Procedures for : Online order and delivery information: Up to 1 year from the customer's final use of the website Product reviews and ratings: Until the purpose of use is achieved

• Meta Platforms, Inc.

  Privacy Policy Questions | Facebook

  Former country : Homepage - Meta Data Centers ( fb.com )

  Items of personal information to be transferred : Full name, email address, phone number, country

  Transfer purpose : Marketing activities and personalized advertising

  Retention and use period Timing and Procedures for : Until the purpose of use is achieved

• Google Asia Pacific Pte. Ltd.

  Privacy Help Center - Policies Help (google.com)

  Former country : Discover our data center locations ( google.com )

  Items of personal information to be transferred : Full name, email address, phone number, country

  Transfer purpose : Marketing activities and personalized advertising

  Retention and use period Timing and Procedures for : Until the purpose of use is achieved

Users and legal representatives may exercise their rights such as viewing, correcting, deleting, and requesting suspension of processing of personal information held by the company. In this case, you must submit a power of attorney in accordance with the “Public Notice on Personal Information Processing Methods (No. 2020-7)” Annex No. 11.
The user's right to request access to and suspension of processing of personal information may be restricted in accordance with Article 35 Paragraph 4 and Article 37 Paragraph 2 of the Personal Information Protection Act. Requests for correction and deletion of personal information cannot be requested if the personal information is specified as the subject of collection in other laws and regulations. Confirm whether the person who made the request, such as a request for viewing, a request for correction or deletion, or a request for suspension of processing according to user rights, is the person or a legitimate agent.

The company uses various technologies to collect information about users' visits to the Dr. For example, we may collect a numeric IP address that identifies a user's computer, etc., indicating the geographic location of the user. In some cases, the company may use these technologies in conjunction with the personal information users provide on the Dr. Jart+ site. With this technology, the company obtains information such as whether users have visited the Dr. Jart site in the past. In addition, these technologies allow users to store their favorite products. The collected information may be used for purposes such as market research, data analysis, system management, etc., and may also be used to fulfill the contents and legal obligations of the company's terms and conditions, and to comply with the company's policies and procedures. A description of each technology is provided below. Users will be offered the opportunity to opt-out of the use of cookies (described below) along with their personal information during the registration process on the Dr. Jart site.

The Company contracts with third-party advertising networks to collect IP addresses and other information through cookies, web server logs, web beacons and/or use of third-party websites and mails, as described below, and advertisements by the Company on third-party websites. You can. Third parties may use this information to provide advertisements for products and services (including products and services of companies other than our own) that are relevant to your interests, in which case users may view such advertisements on the Dr. Jart+ website or other websites. may come across. This course can also be used to manage and track a company's marketing effectiveness. Please note that the Company may utilize such targeted advertisements within the scope permitted by relevant laws and regulations.

In addition, the company may display advertisements tailored to interests based on platforms operated by social networks. The Company may convert users' email addresses, phone numbers and other information into unique values that allow these platforms to match data collected from members or users of such platforms. This allows interest-based, personalized advertising to be displayed on those platforms. If you would like to opt out of personalized advertising, you will need to change your advertising preferences on that platform. These platforms may have their own privacy notices and policies, and we encourage you to review them.

The company operates 'cookies' that store and find your information from time to time. A cookie is a very small text file sent to your browser by the server used to run the Dr. Jart+ website and stored on your computer's hard disk. The company uses cookies for the following purposes.

○ Purpose of use, such as cookies

• Target marketing and personalized services provided by analyzing the access frequency and visit time of members and non-members, identifying users' tastes and areas of interest, tracking traces, and identifying the degree of participation in various events and the number of visits. You have a choice. Therefore, you can allow all cookies by setting options in your web browser, go through confirmation whenever a cookie is saved, or refuse to save all cookies.

○ How to change cookie settings

● Internet Explorer: Tools menu at the top of the web browser > Internet Options > Personal information > Personal information processing level setting
● Microsoft Edge: '...' at the top right of the web browser ' Menu > Settings > Privacy, Search & Services > Tracking Prevention
● Chrome: menu at the top right of the web browser > Settings > Show advanced settings > Privacy > Content Settings > Block third-party cookies and site data
● Safari: Preferences menu > Privacy tab > Cookies and website data level settings

Webbeacons (also referred to as clear gifs and pixel tags), tracking links and/or similar technologies consist of a few lines of code, are embedded in the Dr Jart site, and are not visible to users of the Dr Jart site. . These devices, often used in conjunction with cookies, enable web servers to record your operating system type, browser type, domain and other system settings, as well as specifics such as the language the system uses, the country and time zone where the device is located, and , The web server log may record the address of the web page connected to the Dr. Jart+ website and the IP address used by the user to connect to the Internet. Web beacons may relay information to third parties, such as Internet service providers, and may be used to track customer responses to specific advertisements, target interactive advertisements more effectively, and increase customer support and usability. there is. If you refuse cookies (see Cookies section above), web beacons will be blocked from relaying information about you, and your use of the Dr. Jart+ website may be partially restricted.

The company continues to make efforts to increase user convenience on the Dr. Jart site. For this purpose, the company applies and uses a third-party web analysis service called "Adobe Site Catalyst" to the Dr. Jart site there is. The Adobe Site Catalyst service utilizes technologies such as cookies, web server logs, and web beacons on behalf of the company to provide analysis data on how users visit, use, and view the Dr. Jart+ website. The information collected by these means (including IP address) is provided only to the respective service providers for the purpose of evaluating the use of the website. Users can stop Adobe Site Catalyst from running a service that analyzes users' usage patterns on the Dr. Jart+ site. If you would like more information about the different levels of privacy and confidentiality choices you may make in connection with Adobe Site Catalyst, and wish to exercise your choices, please visit the Adobe Privacy Center at https://www.adobe.com/kr/privacy/opt-out.html ).
The Company may use third party web analytics services such as Google Analytics for the same purposes as described above. If you do not want to use Google Analytics, please visit the Dr. Jart+ site and download the Google Analytics add-on browser provided by Google.
For more information on privacy and Google Analytics, please refer to the Google Analytics overview on the Google site: https://policies.google.com/privacy?hl=ko
For more information about data disclosure options in Google Analytics, please refer to the FAQ provided by Google: https://policies.google.com/privacy?hl=ko
The company's business partners and service providers may also use cookies on Dr. Jart+'s site. However, the company does not have access to or control over these cookies and is not responsible for their use.

The Company offers you several choices regarding how we use your personal information or how we communicate with you. To update your decision, request or submit a request to remove your information from our mailing list, please contact us as specified below.

○ Opting Out of Emails

Users may at any time opt out of sending promotional emails by clicking on the unsubscribe link attached to the Company's promotional emails or by contacting them as instructed below. In addition, users can opt-out of receiving promotional emails from the Dr. Jart website by visiting the Dr. Jart Customer Center website.

○ Users who refuse to receive mail

May request that the company not send promotional mail at any time through the method described in the promotional material. Users may also opt-out of receiving promotional mailings by contacting the Company in the manner specified below

○ Withdrawal of Consent

Users can withdraw all previously provided consent in relation to the processing of personal information at any time for legal reasons. The company will apply the user's decision immediately without delay. In some cases, if you withdraw your consent to the disclosure or use of your personal information, you may not be able to utilize some of our products or services.

○ Review, update and modification of personal information

In accordance with applicable laws, users have the right to access personal information of users, receive details of personal information of users held by the company, and personal information of users. You can update information, correct inaccuracies, and delete or block information. The right to access personal information may be restricted in accordance with some legal requirements. Users may request review, correction or deletion of their personal information by sending an email to privacy@drjart.com .

○ Deletion of personal information When

A user withdraws consent to the processing of personal information, the purpose of information collection has been achieved, or required by law, the company shreds, incinerates, or uses technical methods the documented information. We will delete and dispose of users' personal information by mobilizing methods that make electronic information unusable.

In order to prevent personal information handled by the company from being lost, stolen, leaked, falsified or damaged, the company establishes an internal management plan to check the operation status and takes protective measures in accordance with related laws such as Article 29 of the Personal Information Protection Act. , These measures include the following technical, managerial and physical safeguards.

○ Minimization of personnel in charge of personal information processing and implementation of personal information protection training: The company allows only those in charge of related tasks to process personal information, and conducts personal information protection training for executives and employees on a regular basis.

○ Encryption of personal information: The company encrypts and stores and manages users' passwords, and plans to use separate security functions such as encryption when storing and transmitting important data.

○ Technical measures against hacking: The company installs a security program to prevent leakage and damage of personal information caused by hacking or computer viruses, and periodically updates and inspects it. They are physically monitored and blocked.

○ Restriction of access to personal information: The company takes necessary measures to control access to personal information by granting, changing, or canceling access rights to personal information files, and controls unauthorized access from outside.

○ Prevention of physical access: The company controls unauthorized access to places where personal information is stored, such as computer rooms and data storage rooms.

The Dr. Jart+ website provides links to other websites for user convenience and information. The websites linked by the link are operated independently from the Dr. Jart+ website, and the Dr. Jart Privacy Policy does not apply. We recommend that you review the content first. Please note that the Company assumes no responsibility for the content or use of any website that is not owned or managed by the Company or for the protection of personal information.

In order to protect customers' personal information and handle complaints related to personal information, the company appoints the relevant department and personal information manager as follows.

Customer Service Department: Online Team
Contact: 070-5133-0447
Personal Information Manager Name: Kim In-hye
Contact: 070-5133-8953
Email: privacy@drjart.com

You may report all complaints related to personal information protection that occur while using the company's services to the person in charge of personal information protection or the department in charge. The company will provide prompt and sufficient answers to users' reports.

The organizations below are separate organizations from the company, so if you are not satisfied with the company's own personal information complaint handling or damage relief results, or if you need more detailed help, please contact us.

• Personal Information Infringement Report Center ( http://privacy.kisa.or.kr / without area code 118)
• Supreme Prosecutor's Office Internet Crime Investigation Center ( www.spo.go.kr / without area code 1301)
• National Police Agency Cyber Security Bureau ( http:/ /cyberbureau.police.go.kr / 182 without area code)

○ Changes in the personal information processing policy

The company will notify you through a pop-up window on the Internet homepage, e-mail notice, or store installation when there is a change in the personal information processing policy.

○ Destruction or separate storage of personal information of non-online users

In accordance with Article 39-6 of the Personal Information Protection Act, when destroying or separately storing personal information of online users who have not used it for one year, notify the user at least 30 days before the expiration date no see.

○ Notification of processing results, such as consent to receive advertising information for commercial purposes

Commercial purposes If a user expresses consent to receive, refuse to receive, or intends to withdraw consent to receive advertising information for commercial purposes, the processing result will be notified within 14 days.

○ 2016. 06. 07 Article 1 (Effective Date) This policy is effective from June 7, 2016 View

○ 2017. 11. 01 Article 1 (Effective Date) This policy is effective from November 01, 2017. View

○ 2018. 11. 01 Article 1 (Effective Date) This policy is effective from November 01, 2018. View

○ 2020. 07. 13 Article 1 (Effective Date) This policy will be effective from July 13, 2020. View

○ 2020. 10. 26 Article 1 (Effective Date) This policy will be effective from October 26, 2020. View

○ 2020. 12 .26 Article 1 (Effective Date) This policy will be effective from December 26, 2020. View

○ 2021. 08.01 Article 1 (Effective Date) This policy will be effective from August 01, 2021. View

○ 2021. 11 .30 Article 1 (Effective Date) This policy will be effective from November 30, 2021. View