DOWHAT Co., Ltd. Privacy Policy

DOWHAT Co., Ltd. (hereinafter referred to as the “Company”) establishes and discloses this Privacy Policy in accordance with the Personal Information Protection Act and other applicable laws in order to protect the personal information of users who use the Company’s website and reservation-related services (hereinafter referred to as the “Services”) and to promptly and smoothly handle related complaints.

Article 1 (Purpose of Processing Personal Information)

The Company processes personal information for the following purposes. The personal information being processed will not be used for purposes other than those listed below, and if the purpose of use changes, necessary measures such as obtaining separate consent will be implemented in accordance with Article 18 of the Personal Information Protection Act.

Member Service Management: Personal information is processed for purposes such as confirming intent to register as a member, maintaining and managing membership qualifications, providing services, and processing reservations and purchases.

Customer Inquiries and Consultation: Personal information is processed for purposes such as verifying the identity of the complainant, confirming the details of the complaint, contacting the user for fact-finding, providing notifications, and communicating the results of complaint processing.

Cases Where Processing Is Possible Without Consent (Amended Article 15(1) of the Act)

The Company may collect and use personal information without the user’s consent in the following cases:

When there are special provisions in laws or it is unavoidable to comply with legal obligations

When necessary for the conclusion and performance of a contract with the user

When necessary to protect the urgent life, body, or property interests of the user or a third party

When necessary for the legitimate interests of the Company that clearly outweigh the rights of the user

Article 2 (Items of Personal Information Processed)

① The Company processes the following personal information items.

When Using Services (Required)
Collected Items: ID (Email), Password, Nickname, Mobile Phone Number
Collection Method: Direct input by the user

When Making Reservations or Purchases (Required)
Collected Items:
[Common] Reservation details (reservation date and time, payment amount, business name)
[Reserver / Purchaser] Name, Mobile Phone Number, (if required) Date of Birth
[Visitor if different] Visitor Name, Mobile Phone Number, (if required) Date of Birth
Collection Method: Direct input by the user

When Reserving Overseas Accommodation
Collected Items: Reserver’s email address, guest’s name in English, age of children (if accompanied by children under 17)
Collection Method: Direct input by the user

When Issuing Reservation Confirmation
Collected Items: Reserver’s email address
Collection Method: Direct input by the user

When Requesting Cash Refund (Required)
Collected Items: Bank account number, account holder name
Collection Method: Direct input by the user

When Handling Complaints
Collected Items: Necessary items among the above information and additional items required for handling the complaint
Collection Method: Direct input by the user

Automatically Collected Information
Collected Items: IP address, cookies, service usage records (visit and usage records, payment records, access logs, improper usage records, etc.)
Collection Method: Automatically generated and collected during service use

② When collecting personal information from children under the age of 14, the Company obtains consent from a legal guardian and collects only the minimum personal information necessary for the service.

Method of obtaining consent from the legal guardian: Consent is confirmed through mobile phone identity verification of the legal guardian.

Matters regarding the processing of children’s personal information are provided in language and formats that children can easily understand.

Article 3 (Retention and Use Period of Personal Information)

① The Company processes and retains personal information within the retention and use period stipulated by relevant laws or within the retention and use period agreed upon by the user at the time of collection.

② The retention and processing periods are as follows:

Service membership registration and management → Retention period: Until withdrawal
Provision of goods or services → Retention period: Until completion of service provision and payment settlement

③ However, in the following cases, the information will be retained until the relevant reason is resolved.

When an investigation or inquiry is in progress due to violation of related laws → user information → until the investigation is completed

When claims or debts related to service use remain → transaction information → until settlement is completed

Records related to labeling and advertising under the Electronic Commerce Act → 6 months

Records related to contracts, withdrawal of subscription, payment, and supply of goods under the Electronic Commerce Act → 5 years

Records related to consumer complaints and dispute resolution → 3 years

Communication confirmation data under the Protection of Communications Secrets Act → 3 months

Article 4 (Provision of Personal Information to Third Parties)

① The Company provides personal information to third parties only with the consent of the user or when permitted by the Personal Information Protection Act or other relevant laws.

② The Company provides personal information to the following third parties.

Accommodation Service Providers
Purpose of Provision: Provision of reservation or purchased services, contract performance, complaint handling
Items Provided: Reservation number, reserver information (name, mobile phone number) or visitor information (name, mobile phone number)
Retention Period: Until completion of service provision

Article 5 (Outsourcing of Personal Information Processing)

① The Company outsources personal information processing tasks as follows to ensure smooth operations.

MTS Company
Task: Sending notification messages and SMS
Retention Period: Until the outsourcing contract is terminated

AWS Korea
Task: Cloud infrastructure management
Retention Period: Until the outsourcing contract is terminated

② If a subcontractor re-outsources the task to a third party, prior approval from the Company must be obtained, and the status of re-outsourcing will be disclosed through this Privacy Policy or the Company website.

③ When concluding outsourcing contracts, the Company specifies matters such as prohibition of processing personal information for purposes other than the entrusted task, technical and administrative protection measures, restriction of re-outsourcing, supervision of subcontractors, and liability for damages in accordance with Article 26 of the Personal Information Protection Act, and supervises whether subcontractors safely process personal information.

Article 6 (Overseas Transfer of Personal Information)

① The Company transfers personal information overseas as follows.

Amazon Web Services Inc.
Contact: aws-korea-privacy@amazon.com

Country of Transfer: United States (Oregon, Virginia AWS regions)
Time and Method of Transfer: Transferred through information networks whenever the service is used
Transferred Information: All personal information collected for service provision
Purpose of Use: Operation and management of cloud servers (personal information processing outsourcing)
Retention Period: Same as the retention period specified in Article 3

② Users may refuse the overseas transfer of personal information through the following method.

Method: Express refusal by email to the Personal Information Protection Officer or responsible department (clannad98@dowhat.io
)

Effect of Refusal: Upon receiving the refusal, the Company will stop overseas transfer by deleting all information except personal information that must be retained under relevant laws and contracts. However, if the transfer is refused, the Company’s services cannot be used.

③ In accordance with Article 28-8 of the Personal Information Protection Act, the Company implements protection measures to ensure that personal information is safely protected when transferred overseas.

Article 7 (Use and Provision of Personal Information Within a Reasonable Scope Related to the Purpose of Collection)

The Company may use or provide personal information without the user’s consent within a reasonable scope related to the original purpose of collection in accordance with Article 15(3) and Article 17(4) of the Personal Information Protection Act, considering the following factors:

Whether it is related to the original purpose of collection

Whether the additional use or provision is predictable based on the circumstances of collection or processing practices

Whether it unfairly infringes the interests of the user

Whether safety measures such as pseudonymization or encryption have been applied

Article 8 (Rights and Obligations of Users and Legal Representatives and Methods of Exercising Them)

① Users may exercise the following rights related to personal information protection at any time.

Request access to personal information

Request correction if there are errors

Request deletion

Request suspension of processing

Right to refuse or request explanation for automated decisions: Users may refuse or request an explanation of decisions made solely through automated systems (including artificial intelligence) if such decisions significantly affect their rights or obligations (effective October 2, 2025).

Right to request data portability: Users may request that the Company transmit their personal information to themselves or to a specialized personal information management institution under the Personal Information Protection Act, unless technically impossible or otherwise restricted by law (effective October 2, 2025).

② Rights under paragraph 1 may be exercised through written documents, email, fax, etc., and the Company will promptly take necessary measures.

③ Rights under paragraph 1 may also be exercised through a legal representative or an authorized agent. In such cases, a power of attorney in accordance with Form No. 11 of the Notice on Personal Information Processing Methods must be submitted. However, for children under the age of 14, such rights must be exercised directly by their legal guardian.

④ The exercise of rights such as access, correction, deletion, suspension of processing, and data transfer may be restricted in accordance with relevant laws.

⑤ Requests for correction or deletion cannot be made if the personal information is required to be collected under other laws.

⑥ When users request access, correction, deletion, suspension of processing, or data transfer, the Company verifies whether the requester is the user or a legitimate representative.

Article 9 (Destruction of Personal Information)

① When personal information becomes unnecessary due to the expiration of the retention period or achievement of the processing purpose, the Company will destroy the personal information without delay (within 5 days unless there is a legitimate reason).

② If personal information must be retained in accordance with relevant laws even after the retention period has expired or the processing purpose has been achieved, such information will be transferred to a separate database or stored in a separate location.

③ The procedures and methods of destruction are as follows.

Destruction Procedure: Personal information subject to destruction is selected and destroyed with the approval of the Company’s Personal Information Protection Officer.

Destruction Method: Personal information stored in electronic file form is destroyed using technical methods that prevent reproduction (such as low-level formatting or overwriting), and personal information stored in paper documents is destroyed by shredding or incineration.

Article 10 (Measures to Ensure the Security of Personal Information)

The Company takes the following measures in accordance with Article 29 of the Personal Information Protection Act and the Standards for Measures to Ensure the Security of Personal Information.

Administrative Measures: Establishment and implementation of internal management plans, regular employee training, designation of a Personal Information Protection Officer

Technical Measures

Access control and permission management for personal information processing systems (including account lock after authentication failure)

Encryption of personal information (one-way encryption of passwords with salt value)

Installation and periodic updates of security programs to prevent hacking

Retention of access logs for at least one year and prevention of tampering

Masking and security measures when printing or copying personal information

Physical Measures: Access control for server rooms and document storage areas

Article 11 (Installation, Operation, and Refusal of Automatic Personal Information Collection Devices)

① The Company uses cookies to store and retrieve usage information in order to provide personalized services.

② Cookies are small pieces of information sent by a web server (HTTP) to the user’s browser and may be stored on the user’s hard disk.

Purpose of Cookies: To analyze visit and usage patterns, popular search terms, and security access status across services and websites in order to provide optimized information to users.

③ Methods to refuse cookie storage are as follows.

Chrome: Settings → Privacy and Security → Third-party Cookies → Block third-party cookies
Edge: Settings → Cookies and Site Permissions → Manage and Delete Cookies and Site Data
Safari: Preferences → Privacy → Block all cookies
Firefox: Settings → Privacy and Security → Enhanced Tracking Protection → Strict

④ If cookies are refused, there may be difficulties in using customized services.

Article 12 (Collection and Use of Behavioral Information)

① The Company collects and uses behavioral information as follows to provide optimized customized services and benefits.

Collected Behavioral Information
Items: Website visit history, app usage history, search history
Collection Method: Automatically collected when visiting or using the web or app
Purpose: Providing personalized advertisements based on user interests
Retention Period: Web/app visit information for 2 years, product search information for 2 years

② Users may choose whether to receive personalized advertisements and can disable personalized advertising through the following methods.

Android: Settings → Google → Ads → Turn off Ads Personalization
iOS: Settings → Privacy & Security → Tracking → Allow Apps to Request to Track OFF
Web browsers: Refer to cookie blocking methods in Article 11

③ Behavioral information is used in a non-identifiable form and is not combined with personal information.

Article 13 (Processing of Pseudonymized Information)

The Company does not currently process pseudonymized information. If pseudonymized information is processed in the future for statistical purposes, scientific research, or public record preservation, related details will be disclosed through this Privacy Policy.

Article 14 (Personal Information Protection Officer)

① The Company designates a Personal Information Protection Officer responsible for overall personal information processing and handling related complaints.

Personal Information Protection Officer
Name: Juyoung Kim
Position: CEO
Contact: 010-8958-6689 / CEO@dowhat.io
/ 0303-3443-4521

② Users may contact the Personal Information Protection Officer or the department below regarding personal information protection inquiries, complaints, or damage relief arising from the use of the Company’s services.

Personal Information Protection Department
Department: Planning Team
Person in Charge: Changhyuk Kim
Contact: 010-2938-2684 / clannad98@dowhat.io
/ 0303-3443-4521

Article 15 (Remedies for Infringement of Rights)

① Users may apply for dispute resolution or consultation with the following institutions regarding personal information infringement.

Personal Information Dispute Mediation Committee
Phone: 1833-6972
Website: www.kopico.go.kr

Personal Information Infringement Report Center
Phone: 118
Website: privacy.kisa.or.kr

Supreme Prosecutors’ Office
Phone: 1301
Website: www.spo.go.kr

National Police Agency
Phone: 182
Website: ecrm.cyber.go.kr

② The Company strives to guarantee users’ rights to informational self-determination and to provide consultation and relief for personal information infringement.

③ A person whose rights or interests have been infringed due to a disposition or omission by the head of a public institution regarding requests under Articles 35, 36, 37, 37-2, and 38 of the Personal Information Protection Act may file an administrative appeal in accordance with the Administrative Appeals Act.

Central Administrative Appeals Commission
Phone: 110
Website: www.simpan.go.kr

Article 16 (Changes to the Privacy Policy)

The Company may modify this Privacy Policy to reflect changes in laws or services. If changes occur, the Company will announce them on its website at least 7 days before the effective date, and the revised Privacy Policy will take effect on the specified effective date.

This Privacy Policy is effective from March 1, 2026.

Privacy Policy Revision History

2026.03.01: Reflected amendments to the Personal Information Protection Act (effective September 15, 2024), added overseas transfer provisions, added rights to refuse automated decisions and request data portability, reflected security measures standards (October 2024), reflected Privacy Policy drafting guidelines (April 2025)

2024.01.00: Established
2021.06.15: Previous version