1. Scope of Personal Data and Commercial Data Processing This Privacy Policy applies to the personal data and commercial data processed in connection with the ecommerce solution services provided by SAEROSOFT INC. (the "Company"), including cloud-based services (SaaS), server management and hosting, on-premise software deployment, and customer-requested customization, feature additions, and system integration (SI). This Policy sets out the standards for processing merchant account information, employee information, merchant operational data, end-user transaction information, and operational logs accessed or generated during maintenance and incident response, and applies only to the extent necessary for compliance with law, contract performance, security, and dispute response. The effective date of this Policy is 2026/4/20, and the current version is v20260420.000.
2. Controller and Processor Roles The Company acts as a controller with respect to merchant employee accounts, internal user access logs, merchant billing, contract and settlement data, and server operation and hosting management data, for the purposes of ecommerce service operations, contract performance, security, and customer support. With respect to the personal data of the merchant's end users (including purchasers and recipients), the merchant is principally responsible for establishing the legal basis for collection, providing notices, and obtaining any required consents. The Company acts only as a processor within the scope delegated by the merchant or agreed by contract for purposes such as payment processing, order handling, settlement, shipping, notifications, customer support, hosting operations, incident response, data migration, customization, or SI performance. For on-premise deployments or customer-dedicated infrastructure environments, the allocation of roles and responsibilities may be adjusted by separate agreement with the customer.
3. Definitions - Personal Data: information relating to a living individual that identifies or can identify a person, including name, contact information, identifiers, access records, and device identifiers. - Personal Data Records: operational records relating to commerce, including payment, access, support, orders, settlement, tax, and logs. - Merchant Data: account, product, order, settlement, marketing, and operational data entered or updated by the merchant. - User: an employee account or other approved internal user authorized by the merchant to use the services. - Cross-Border Transfer: any case where personal data is stored or processed outside the Republic of Korea for cloud, backup, monitoring, messaging, development operations, or technical support purposes.
4. Categories of Personal Data Collected and Scope Required data (necessary for contract and service use): - Merchant business information (business name, business registration number, contact person name, department, title, phone number, email address, billing address, and tax information) - Administrator account information (email address, password or authentication information, authorization information, and access history) - Basic store configuration data and core data relating to products, options, pricing, inventory, orders, payments, shipping, and settlement - Records necessary for tax and billing processing, contract management, incident response, and dispute handling - System operation logs, access logs, error logs, and backup and recovery history generated in the course of hosting and server management
Optional data (for additional features or separately contracted services): - Marketing consent settings and customer behavior analysis-related consent settings - Extended logs and integration identifiers generated when connecting external solutions - Test data, sample data, and migration data additionally provided by the customer for custom development, customization, or SI performance
As a rule, the Company does not process resident registration numbers, passport numbers, driver's license numbers, or other unique identification numbers, and does not collect or use sensitive personal data. If such processing is required by law or is unavoidable under an individual contract, the Company will apply a separate legal basis and enhanced safeguards. If required information is not provided, use of the core service may be restricted. If optional information is not provided, certain additional features, custom development, analysis, or integration services may be limited.
5. Third-Party Integration Data Data received through APIs, webhooks, file uploads, connectors, SFTP/CLI, or similar channels will be processed only within the scope of integration defined in the contract and technical documentation. Any arbitrary reprocessing beyond the agreed scope is prohibited. The merchant is principally responsible for securing a lawful basis for collecting, using, providing, or transferring data that it transmits to the Company through third-party service integrations.
6. Legal Basis for Processing The Company processes personal data on one or more of the following legal bases: (i) performance of commercial agreements, hosting agreements, maintenance agreements, on-premise supply agreements, SI agreements, or customization agreements with the merchant; (ii) compliance with legal obligations; (iii) legitimate interests for security, fraud prevention, incident response, and dispute handling; and (iv) consent of the data subject or delegated processing based on the merchant's instruction. The Company processes personal data only to the minimum extent necessary to achieve the relevant purpose.
7. Purposes of Processing The Company processes personal data for the following purposes: - operation of service accounts, onboarding, and administrator access management - customer support, technical support, incident intake, and recovery - payment processing, billing, issuance of tax invoices, and accounting and tax administration - server management, hosting operations, system monitoring, and access control - security monitoring, anomaly detection, incident response, and log analysis - backup and recovery, data migration, customization, feature additions, and SI performance - audit response, dispute handling, legal compliance, and improvement of service quality - notices necessary for service operations, policy changes, and contract-related communications
8. Cookies and Technical Logs The Company may record IP addresses, browser or device information, access timestamps, request paths, session identifiers, and usage patterns during service sessions. Cookies and local storage may be used for anomaly detection, authentication issue analysis, incident reproduction, performance improvement, and maintaining login status. Users may refuse or delete cookies through their browser settings; however, some features such as login persistence and preference storage may be limited as a result. - Chrome/Edge: Settings > Privacy and Security > Cookies and Site Permissions - Safari: Preferences > Privacy - Firefox: Settings > Privacy & Security
9. Security Measures The Company applies the following technical and organizational safeguards to ensure the security of personal data: - segregation of access and application of the least privilege principle - administrator approval procedures and retention of access-rights change logs - multi-factor authentication or comparable authentication enhancement measures - encryption in transit and, where necessary, protection measures for data at rest - monitoring of abnormal access, security event detection, and alerting procedures - backup integrity management, retention of change history, and incident response procedures - environment segregation and multi-tenancy protection through project- and tenant-level separation Detailed security levels, access control methods, and log retention standards are governed by the internal security policy SAEROSOFT Information Security Policy v20260420.000.
10. Subprocessors and Outsourced Processing The Company may outsource certain tasks to provide the services, and each service provider is contractually required to comply with confidentiality, security, purpose limitation, onward subcontracting restrictions, deletion, and return obligations. - Cloud infrastructure (hosting/storage/backup/DR): customer-designated cloud providers or company-managed infrastructure providers, as disclosed in the applicable Commercial Documents or separate notices - Server operation and management: company-managed infrastructure operators or IDC providers, as disclosed in the applicable Commercial Documents or separate notices - Payment and settlement processing: Stripe, PayPal, or merchant-selected payment processors as specified in the Commercial Documents - Notification and messaging: Resend, Google SMTP, or another company-designated messaging or email delivery provider where enabled - Security and monitoring: the Companyโs internal operational systems and any separately contracted security or ticketing providers, if engaged - Development and deployment support: GitHub, Jenkins, and the Companyโs internal reporting tools - Migration, data transfer, customization, or SI subcontractors engaged upon customer request: as specified in the applicable Commercial Documents or separate notices The current list of processors, their English legal names, contact details, countries of transfer (if applicable), and detailed scope of processing are published through separate notices or the administrator page.
11. Cross-Border Transfer Personal data may be stored or processed outside the Republic of Korea where necessary for service operations, cloud hosting, backup, monitoring, messaging, customer support, or development operations. Where a cross-border transfer occurs, the Company will provide notice through a contract, addendum, or separate disclosure specifying the recipient, country and region of transfer, date and method of transfer, categories of data transferred, purpose of use, retention and use period, and applicable safeguards, and will comply with all legal requirements applicable to such transfer. The current status of cross-border transfers is provided through separate notices or the administrator page. In on-premise environments, data will in principle be processed within the environment designated by the customer, although remote access may be provided on a limited basis where necessary for maintenance or technical support and where contractually agreed.
12. Retention Periods and Deletion The Company retains personal data in accordance with applicable law, tax and accounting obligations, contractual necessity, and dispute response needs, as follows: - contract, withdrawal, service fulfillment, and customer service records: 5 years - payment, settlement, tax invoice, accounting, and tax supporting records: 5 years - ecommerce-related advertising and consumer complaint or dispute records: 3 years - access logs, administrator access records, system usage logs, security inspection records, and access rights change history: at least 1 year, and up to 5 years where necessary for incident investigation or dispute response - incident response logs, backup and recovery history, and security event records: 1 year by default, and longer where necessary for investigation, law enforcement cooperation, dispute response, or legal obligations - merchant employee account information: deleted without undue delay after account deactivation or contract termination, unless separate retention is required by law or for dispute response - end-user transaction data: retained for the applicable statutory or contractual period relating to order processing and then deleted or anonymized - test data, sample data, and migration data provided in the course of customization, feature additions, or SI: deleted within 3 months after inspection and stabilization are completed, unless a different period is specified in an individual contract - records required to be retained by law: separately stored for the statutory retention period and then deleted or anonymized without undue delay Deletion methods are as follows: - electronic files: permanent deletion in a manner that prevents recovery, destruction of encryption keys, or equivalent secure deletion measures - printed materials, paper records, and removable storage media: shredding, incineration, permanent deletion, or other physical destruction methods Detailed retention and deletion standards of the Company are governed by SAEROSOFT Data Retention and Deletion Standard v20260420.000.
13. Accuracy and Integrity of Data Rules regarding accuracy of information are operated together with the merchant's obligations under the Terms of Service and Commercial Documents. The Company may restrict or suspend processing only where a material inaccuracy or illegality in required retained information is objectively confirmed. The merchant is responsible for maintaining the accuracy, legality, and timeliness of the data it enters or integrates.
14. Data Subject Rights and Requests Data subjects may exercise rights recognized by applicable law against the Company, including rights to access, correct, delete, restrict, or object to the processing of personal data. However, where the Company processes personal data solely as a processor, such rights should in principle be exercised through the merchant that originally collected the information, and the Company will cooperate within the scope required by law and contract. Requests must be submitted by the data subject or a duly authorized representative to the Company's legal contact point or help@saerosoft.com, together with sufficient information to verify identity. The Company will review and process such requests within the period required by applicable law and may notify the requester if any legal restriction applies. The Chief Privacy Officer (CPO) and responsible department are as follows: - Title: Chief Privacy Officer (CPO) - Name: JEON JAE HYEONG - Department: supporting team - Email: tinywind@saerosoft.com - Phone: +82-10-9438-7376 - Postal Address: ์์ธํน๋ณ์ ์์ด๊ตฌ ์์ด๋๋ก 396, 1501, 1502ํธ(์์ด๋, ๊ฐ๋จ๋น๋ฉ) External remedies for privacy rights infringement are as follows: - Personal Information Dispute Mediation Committee: 1833-6972, https://www.kopico.go.kr - Personal Information Infringement Report Center (KISA): 118, https://privacy.kisa.or.kr - Supreme Prosecutors' Office of Korea: https://www.spo.go.kr - Korean National Police Agency Cyber Bureau: 182
15. Incident Response If signs of loss, theft, leakage, falsification, alteration, or damage of personal data are detected, the Company will take measures without undue delay, including isolation, preservation of evidence, root cause analysis, internal escalation, containment, and recovery. Where the Company becomes aware of a personal data breach, it will notify affected data subjects without undue delay and report to the competent authorities where legally required. Internally, the Company will begin initial response actions as quickly as possible after incident detection and, absent special circumstances, aims to commence incident assessment and containment within 24 hours. Notifications may include the categories of data affected, the time and circumstances of the incident, methods to minimize harm, the Company's response measures, and contact points for inquiries. The reporting and inquiry channels for personal data incidents are help@saerosoft.com and help@saerosoft.com.
16. Environment Segregation and Multi-Tenancy As part of the security measures described in Section 9, the Company operates project- and tenant-level data segregation, access path segregation, and procedures for logging and promptly applying changes to access rights. This section forms part of the Company's technical safeguards, and the detailed implementation may vary according to the internal security policy and individual contracts.
17. Post-Termination Handling Even after contract termination, the Company may retain relevant data to the extent necessary for dispute response, accounting and tax compliance, ecommerce compliance, and other legal obligations. The merchant may request data export, transfer, provision of backup copies, changes in retention methods, or deletion support under the contract or separate work order, and the scope of return or deletion for on-premise, customization, or SI deliverables will be governed by the relevant individual contract. Data whose statutory retention period has expired will be deleted or anonymized without undue delay. Even where the customer requests deletion, information subject to mandatory legal retention will be separately stored for the applicable period and deleted thereafter. The planned deletion date or export availability period after termination shall be governed by export requests within 30 days after termination and deletion or anonymization within 60 days thereafter.
18. Children's Data As a rule, the Company does not intend to independently collect or use the personal data of children under 14 years of age. Where personal data of children under 14 is unavoidably included in service operations or otherwise processed, the Company must confirm the consent of a legal representative or another lawful basis under applicable law. If such confirmation cannot be obtained, the Company may take necessary measures, including restricting processing, requesting deletion, or limiting service use.
19. Legal Requests and Regulatory Response The Company will respond to lawful requests from investigative authorities, supervisory authorities, and regulatory bodies through verifiable legal procedures. Where warrants, official requests, or demands for materials are received, the Company will prioritize applicable record preservation and lawful disclosure protocols. Where reasonably possible, and subject to applicable law and contract, the Company may notify the relevant customer or merchant of such request.
20. Marketing and Notices Notices necessary for service operations, including account, billing, security, maintenance, and policy changes, may be sent within the scope permitted by this Policy and the Terms of Service. Marketing messages will be sent only where the consent requirements under applicable law have been satisfied. Notice channels may include email, in-service notices, administrator console alerts, or other channels designated by the Company.
21. Changes to this Policy The Company may amend this Policy where required due to changes in law, adjustments to purposes of processing or retention periods, changes in service structure, hosting or outsourcing structure, or changes in security architecture. Material changes will be announced in advance through the service notice board or policy board and email, together with the version number, effective date, and summary of major changes. The current Privacy Policy may be reviewed at https://intro.ecommerce.saerosoft.com/en/policies/privacy-policy. The Company's official contact details are as follows: - Legal Name: SAEROSOFT INC. - Korean Company Name: ์ฃผ์ํ์ฌ ์๋ก์ํํธ - General Contact Email: saero@saerosoft.com - General Contact Phone Number: +82-10-9438-7376 - Principal Office Address: 396, Seocho-daero, Seocho-gu, Seoul, Republic of Korea - Phnom Penh Sales/Support Office: 257 Unit, Boryeong/Boyoung Town, Phnom Penh, Cambodia