YELLOW BALLOON CITY BUS Co., Ltd. (hereinafter referred to as the "Company") complies with the 「Personal Information Protection Act」 and related laws and regulations to protect the freedom and rights of data subjects, lawfully processing and securely managing personal information. In accordance with Article 30 of the 「Personal Information Protection Act」, the Company hereby establishes and discloses the privacy policy to guide data subjects on the procedures and standards for personal information processing and to promptly and smoothly handle related complaints.
This privacy policy will be effective from March 26, 2024.
Article 1 (Purpose and Items of Personal Information Collection and Use)
- The Company processes personal information for the following purposes. The personal information processed will not be used for purposes other than the following, and if the purpose of use is changed, the Company will take necessary measures such as obtaining separate consent in accordance with Article 18 of the 「Personal Information Protection Act」.
- Website Membership Registration
- Product Consultation, Reservation, and Service Provision
- Others
Article 2 (Processing and Retention Period of Personal Information)
- The Company processes and retains personal information within the period of retention and use of personal information as required by law or agreed upon when collecting personal information from the data subject.
- The processing and retention periods for each category of personal information are as follows:
- Website membership registration: to be retained until completion of membership withdrawal (However, optional information will be retained until withdrawal of consent for receiving communications and completion of membership withdrawal).
- Product consultation and reservation: to be retained until the provision of service and according to retention periods required by relevant laws and regulations.
- Provision of product services: to be retained up to 5 years.
- Quotation inquiry: to be retained for 3 months after processing completion.
- Satisfaction survey: to be retained for 2 months after survey completion (However, in the case of a member, to be retained until completion of membership withdrawal).
- Satisfaction survey prize draw: to be destroyed immediately after winner selection (However, winner information will be retained for a maximum of 1 year).
- Customized service and marketing: to be retained until withdrawal of consent for receiving communications and completion of membership withdrawal.
- Application for correction/access/deletion of personal information: to be retained for 3 years from the application date.
- Computer communication, internet log records, access location tracking data: to be retained for 3 months (based on the Protection of Communications Secrets Act).
- However, in the following cases, the information shall be retained until the end of the relevant reason:
- In case of investigation or inquiry due to violation of related laws and regulations: to be retained until the end of the investigation or inquiry.
- In case of remaining rights and obligations related to service use: to be retained until settlement of relevant rights and obligations.
- In case of provision of goods or services: to be retained until completion of supply of goods or services and payment settlement.
Article 3 (Provision of Personal Information to Third Parties)
- The Company processes the personal information of the data subject within the scope specified for the purpose of processing personal information, and provides personal information to third parties only within the scope specified in Articles 17 and 18 of the 「Personal Information Protection Act」, such as consent of the data subject or special provisions of the law.
- The Company may provide personal information to business partners for smooth service provision, obtaining consent from the data subject and providing only the necessary minimum information.
- In the event of emergencies such as disasters, infectious diseases, incidents or accidents causing urgent life or bodily risks, urgent property losses, etc., the Company may provide personal information to relevant agencies without the consent of the data subject.
- In such cases, the Company will provide only the minimum necessary personal information based on applicable laws and regulations, and will not provide information for purposes other than those specified.
Article 4 (Entrustment of Processing of Personal Information)
- The Company entrusts personal information processing work for smooth operation as follows:
- When entering into entrustment contracts, the Company specifies in documents such as contracts the prohibition of personal information processing beyond the purpose of entrustment, technical and managerial protective measures, restrictions on re-entrustment, management and supervision of entrusted agencies, and liabilities including compensation for damages, and supervises whether the entrusted agencies handle personal information safely according to Article 26 of the 「Personal Information Protection Act」.
- In case of changes in the content of entrusted work or agencies, the Company will promptly disclose it through this privacy policy.
Article 5 (Transfer of Personal Information Overseas)
For the purpose of service provision and convenient service use by users, the Company transmits or manages users' information overseas as follows. If you wish to refuse the transfer of personal information overseas during the use of the service, please contact the responsible department at tbus@ybtour.co.kr. However, refusal to transfer overseas may result in service restrictions.
The details of the Company's transfer of personal information overseas are as follows:
AWS only performs the physical management of the server and does not have access to the personal information of users.
Article 6 (Procedure and Method of Personal Information Destruction)
- The Company promptly destroys personal information when it becomes unnecessary due to the expiration of the retention period or the achievement of the processing purpose, etc.
- If personal information must be retained according to other laws despite the expiration of the agreed-upon retention period from the data subject or the achievement of the processing purpose, the Company transfers the personal information to a separate database(DB) or retains it in a different location.
- The procedure and method of personal information destruction are as follows:
- Destruction Procedure: The Company selects personal information for destruction when the reason for destruction arises and obtains approval from the Company's data protection officer to proceed with the destruction.
- Destruction Method: Personal information recorded or stored in electronic file format is irreversibly destroyed to prevent retrieval, while personal information recorded or stored on paper documents is shredded or incinerated.
Article 7 (Rights and Obligations of Information Subjects and Legal Representatives, and Methods of Exercising Rights)
- Data subjects have the right to request access, correction, deletion, or suspension of processing of their personal information from the Company at any time.
- Rights can be exercised by written request, electronic mail, facsimile transmission (FAX), etc., to the Company in accordance with Article 41(1) of the Enforcement Decree of the Personal Information Protection Act, and the Company will promptly take action.
- Rights may also be exercised through legal representatives or delegated agents of the data subject. In such cases, a power of attorney according to Annexed Form No. 11 of the "Guidelines for Personal Information Processing Methods" must be submitted.
- The right of the data subject to request access and suspension of processing their personal information may be restricted according to Article 35(4) and Article 37(2) of the 「Personal Information Protection Act」.
- Requests for correction and deletion of personal information cannot be made if the collection of such information is explicitly specified by other laws.
- The Company verifies whether the requester of access, correction, deletion, or suspension of processing of personal information is the data subject or a legitimate representative.
- Membership registration is only available to those aged 14 and above, and personal information of children under 14, who require the consent of a legal representative for the collection and use of personal information, is not collected, in principle.
Article 8 (Measures for Ensuring the Security of Personal Information)
- The Company takes the following measures to ensure the security of personal information:
- Administrative Measures
a. The Company designates specific employees to handle personal information and implements measures to manage personal information by restricting access to authorized personnel.
b. Regular education on personal information protection is provided to personnel handling personal information.
c. Internal management plans are established and implemented to ensure the secure handling of personal information.
- Technical Measures
a. Personal information and passwords of users are encrypted for storage and management, ensuring that only the individual can access them. Important data is encrypted or locked using separate security features for files and transmitted data..
b. Access records to personal information processing systems are stored and managed for a minimum of 2 years.
c. Necessary measures are taken to control access to personal information by granting, modifying, and revoking access rights to databases handling personal information. Additionally, unauthorized access from external sources is controlled through the use of intrusion prevention systems.
d. Security programs are installed, regularly updated, and checked to prevent leakage or damage of personal information due to hacking or computer viruses. Systems are installed in restricted access areas and technically/physically monitored and blocked from external access.
- Physical Measures
a. Documents and auxiliary storage media, etc. containing personal information are stored in secure locations with locking devices.
b. Separate physical storage locations for personal information are established and access controls are established and operated for them.
- The company implements activities beyond what is stipulated by law, such as self-regulatory activities (regular improvement activities through voluntary inspections of personal information protection using the Personal Information Protection Portal), to ensure the security of personal information.
Article 9 (Installation, Operation, and Refusal Method of Automatic Personal Information Collection Devices)
- The Company uses 'cookies' to store and retrieve usage information periodically to provide personalized services to users.
- Cookies are small pieces of information sent by the server (http) operating the website to the user's computer browser and may be stored on the user's PC hard drive.
- Cookies are small pieces of information sent by the server (http) operating the website to the user's computer browser and may be stored on the user's PC hard drive.
- Users have the option to install, operate, or refuse cookies and can reject all cookie storage by configuring their web browser options.
a. Internet Explorer: Top right of the web browser > Internet Options > Privacy > Advanced > Cookie Blocking Settings
b. Microsoft Edge: Top right of the web browser > Settings > Cookies and Site Permissions > Select level under "Cookies and Stored Data"
c. Chrome: Top right of the web browser > Settings > Privacy and Security > Cookies and Other Site Data > Select level under the "Cookies" section
- Refusing cookie storage may cause difficulties in using customized services and may affect the use of some services such as automatic website login.
Article 10 (Collection, Use, and Rejection of Behavioral Information)
- The Company collects and utilizes behavioral information during the service usage process to provide optimized personalized services, benefits, and online customized advertisements to the data subjects.
- The Company collects behavioral information as follows:
- The Company only collects the minimum necessary behavioral information required for customized online advertisements. It does not collect sensitive behavioral information that may clearly infringe upon an individual's rights, interests, or privacy, such as thoughts, beliefs, family and kinship relationships, education, medical history, or other social activity records.
- The Company does not collect behavioral information for personalized advertising purposes from online services with users known to be under 14 years of age or from online services primarily used by children under 14 years of age. Personal information of children under 14 is not collected as a general principle.
- Data subjects can block or allow customized online advertisements all at once by changing cookie settings in web browsers. However, changing cookie settings may affect the use of some services such as automatic website login.
Blocking/Allowing Customized Advertisements via Web Browser
a. Internet Explorer: Top right of the web browser > Internet Options > Privacy > Advanced > Select Cookie Blocking or Allowing
b. Microsoft Edge: Top right of the web browser > Settings > Privacy, Search, and Services > "Tracking prevention" section > Select whether to block and the level of “Tracking Prevention”
Choose whether to always use "Strict" tracking prevention when searching with InPrivate > "Privacy" section > Choose whether to send "Do Not Track" requests.
c. Chrome: Top right of the web browser > Settings > Privacy and Security > Cookies and Other Site Data > "Cookies" section > Choose whether to block third-party cookies and site data
- Data subjects can contact the following contact point for inquiries, exercising the right to reject, filing complaints related to behavioral information.
- Personal Information Protection Department
- Department
- Operations Team
- Contact
- (Phone) +82-2-2263-9002 / (Email) tbus@ybtour.co.kr
Article 11 (Linked Sites)
- The Company may provide links to websites or materials of other companies to users. In this case, the Company does not have any control over external sites and materials, so it does not take responsibility for the truthfulness, usefulness, etc., of services or materials provided on the external websites, nor does it provide any guarantees.
- The Company's personal information processing policy does not apply to linked sites other than the Company's official site. When clicking on links contained on the Company's website to navigate pages of other companies' websites, users should verify the policies of the visited sites.
Article 12 (Rights and Obligations of Users)
- Users have the right to have their personal information protected and bear the obligation to refrain from infringing upon the information of others, such as through posts, as well as protect their own personal information. If users fail to fulfill their obligations and damages the information of others, they may be subject to punishment under the 「Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc.」.
- The Company shall not be held responsible for issues arising from the user's negligence, such as sharing their ID and password or leaving their account logged in unattended. It is recommended that users securely manage their IDs and passwords and regularly change their passwords to protect their personal information.
- Users are responsible for maintaining their personal information up to date, and any issues arising from incorrect information input are the responsibility of the user. If false information is used, such as unauthorized use of others' information, users may lose their membership status, face service restrictions, and be subject to punishment under relevant laws.
Article 13 (Personal Information Protection Manager and Request for Access to Personal Information)
- The Company appoints a personal information protection manager who is responsible for overseeing personal information processing and handling complaints and remedies related to personal information processing.
- Data subjects may request access to their personal information through the personal information protection manager in accordance with Article 35 of the 「Personal Information Protection Act」. The Company will strive to promptly process data subject's requests for access to personal information.
- Data subjects may inquire about all matters related to personal information protection, complaint handling, and damage relief arising from the use of the Company's services through the personal information protection manager. The Company will promptly respond to and handle data subject's inquiries.
Article 14 (Remedies for Violation of Data Subject's Rights)
- Data subjects may seek remedy for personal information infringement by applying for dispute resolution or counseling to the Personal Information Dispute Mediation Committee, the Personal Information Infringement Reporting Center of the Korea Internet & Security Agency, etc. For other reports or inquiries regarding personal information infringement, please contact the following institutions:
- Personal Information Dispute Mediation Committee: +82-1833-6972 (www.kopico.go.kr)
- Personal Information Infringement Reporting Center: +82-118 (privacy.kisa.or.kr)
- Supreme Prosecutors' Office: +82-1301 (www.spo.go.kr)
- National Police Agency: +82-182 (ecrm.cyber.go.kr)
- The company ensures the data subject's right to self-determination of personal information and strives to provide consultation and remedy for personal information breaches. If reporting or consultation is necessary, please contact the responsible department below:
- Customer Counseling and Reporting for Personal Information Protection
- Department
- Operations Team / General Manager: Hong Joon-pyo
- Contact
- (Phone) +82-2-2263-9002 / (Email) tbus@ybtour.co.kr
- In accordance with the provisions of Article 35 (Access to Personal Information), Article 36 (Correction or Erasure of Personal Information), and Article 37 (Suspension of Processing of Personal Information) of the 「Personal Information Protection Act」, individuals who have suffered infringement of rights or interests caused by disposition or omission of public power by a public authority may file administrative appeals in accordance with the Administrative Appeals Act.
Central Administrative Appeals Commission: +82-110 (www.simpan.go.kr)
Article 15 (Operation and Management of Video Information Processing Devices)
The Company operates and manages video information processing devices for the purpose of facility safety, fire prevention, crime prevention, and prevention of vehicle theft and damage in accordance with Article 25(1) of the 「Personal Information Protection Act」. For more details, please refer to the "Policy for Operation and Management of Video Information Processing Devices."
Article 16 (Changes to Privacy Policy)
- In the event that the Company changes this Privacy Policy, it will specify the reason for the change and the effective date, and notify users on the service screen before the effective date. However, if there are significant changes affecting the rights or obligations of users, it will be notified through the "Notice" section on the website or mobile app.
- This Privacy Policy shall be effective from March 26, 2024.