Privacy policy
Dududo Store
This Privacy Policy (hereinafter 'Policy') has been prepared by Creative Mut Co., Ltd. (hereinafter 'Company') and applies to all users (hereinafter 'Members') of all websites, apps, digital content, communities, stores, mini-services, and other related services (hereinafter 'Services') provided under the Dududo brand. In this Policy, 'App' refers to all apps provided by the Company (including apps provided through third-party stores, marketplaces, or other methods), and 'Site' refers to all websites operated or maintained by or on behalf of the Company. However, where individual services operate their own privacy policies, those policies shall apply. This Policy may be revised or updated from time to time, and Members are encouraged to review it regularly.
※ Dududo Store is operated through Shopify. For details on Shopify's data processing, please refer to Shopify's Privacy Policy (https://www.shopify.com/legal/privacy).
1. Purpose of Collection and Use of Personal Information
The Company processes personal information for the following purposes. Personal information being processed will not be used for purposes other than the following, and if the purpose of use changes, necessary measures such as obtaining separate consent will be taken.
- Service Provision: Account registration and authentication, community and content service provision, detection and prevention of fraudulent use, statistics and analysis, event operation (confirmation of entrants, prize provision and delivery to winners, complaint handling)
- Store Service Provision: Product order and payment processing, delivery and return processing, confirmation of event entrants and selection of winners, prize delivery
- Service Improvement and Personalization: Analysis of users' service usage patterns, provision of customized content and features
- Communication and Marketing: Subject to prior consent in accordance with applicable laws, provision of services sending news and other information of interest to members via email, app push notifications, and other contact methods; provision of customized services; management of consent and opt-out records
- Location-Based Services: Utilization of IP address-based approximate location information for country/region matching, content filtering, etc.
- Customer Support: Handling inquiries and complaints related to service use and products
2. Personal Information Items Collected
The Company collects the following personal information for service use.
2.1 Required Items
- Social login information: Email, profile image, nickname
- Service usage records: Access date and time, usage history, in-service activity records (posts, comments, likes, follows, etc.)
- Device and access information: IP address, device identifier, operating system, browser information
- Location information: IP address-based approximate location (country, region level)
- Upon product purchase: Orderer name, recipient name, delivery address, contact information, email, payment-related information (payment method, transaction details, etc.)
2.2 Optional Items
- Event participation information: Additional information provided when entering events (name, address, contact information, etc. for winner information collection and delivery)
- Marketing consent information
2.3 Automatically Collected Items
- Service usage information collected through cookies and similar technologies
3. Retention and Use Period of Personal Information
The Company processes and retains personal information within the retention and use period stipulated by law or the period agreed upon by users.
- Until member withdrawal (however, retained for the applicable period if retention is required under relevant laws)
- Act on Consumer Protection in Electronic Commerce: Records of contract or subscription withdrawal: 5 years; Records of payment and supply of goods: 5 years; Records of consumer complaints or disputes: 3 years
- Protection of Communications Secrets Act: Login records: 3 months
- Prize-related information of event winners: 3 months after prize delivery is completed
4. Provision of Personal Information to Third Parties
In principle, the Company does not provide users' personal information to third parties. However, exceptions are made in the following cases:
- Where the user has given prior consent
- Where required by laws and regulations, or where a request has been made by an investigative authority in accordance with procedures and methods stipulated by law for investigative purposes
5. Entrustment of Personal Information Processing
The Company entrusts personal information processing as follows to ensure smooth service provision.
Trustee |
Entrusted Work |
Retention Period |
Amazon Web Services, Inc. |
Data storage and server infrastructure operation |
Until member withdrawal or termination of entrustment contract |
Oracle Cloud Infrastructure (OCI) |
Data storage and database, server infrastructure operation |
Until member withdrawal or termination of entrustment contract |
Neon, LLC |
Database operation and data storage |
Until member withdrawal or termination of entrustment contract |
Supabase Inc |
Database operation and backend service provision |
Until member withdrawal or termination of entrustment contract |
Cloudflare Inc |
Content Delivery Network (CDN) and security service provision |
Until member withdrawal or termination of entrustment contract |
Google LLC |
Social login (Google account authentication) |
Until member withdrawal or termination of entrustment contract |
Apple Inc. |
Social login (Apple account authentication) |
Until member withdrawal or termination of entrustment contract |
Shopify Inc. |
Store operation, order management, data storage and hosting |
Until end of service use period or legal retention period |
EasyAdmin |
Order collection and processing (domestic order integration) |
Until end of service use period or termination of entrustment contract |
3PL |
Product delivery, exchange, return processing |
Until delivery completion or completion of related work |
Properson Co., Ltd. (Domestic logistics) |
Domestic product delivery and return processing |
Until delivery completion or completion of related work |
Eximbay |
Payment processing and authorization |
Until payment completion and legal retention period |
PayPal |
Payment processing and fraud prevention |
Until payment completion and legal retention period |
Customer Service Agency |
Customer inquiry response, complaint handling and dispute resolution |
3 years |
The Company specifies matters related to the prohibition of personal information processing outside the scope of entrusted work, technical and administrative protective measures, restrictions on re-entrustment, supervision and management of trustees, and liability for damages, etc., in contracts and other documents when concluding entrustment contracts in accordance with the Personal Information Protection Act, and supervises whether trustees process personal information safely.
6. Destruction of Personal Information
The Company destroys personal information without delay when it becomes unnecessary, such as when the personal information retention period has elapsed or the purpose of processing has been achieved. The procedures and methods of destruction are as follows:
- Destruction Procedure: Unnecessary personal information is destroyed with the approval of the Personal Information Protection Officer.
- Destruction Method: Information in the form of electronic files is deleted using technical methods that make recovery and regeneration impossible, and personal information printed on paper is shredded or incinerated.
7. Rights and Obligations of Data Subjects and How to Exercise Them
Users may exercise the following rights as data subjects:
- Request to access personal information
- Request for correction if there are errors, etc.
- Request for deletion
- Request to suspend processing
8. Measures to Ensure Security of Personal Information
The Company takes the following measures to ensure the security of personal information:
- Encryption of personal information: Key personal information such as members' passwords is encrypted for storage and management, and encrypted communications such as SSL/TLS are used for data transmission.
- Access rights management: Personnel handling personal information are kept to a minimum, and access rights are managed.
- Retention of access records: Access records for personal information processing systems are kept and managed for a minimum of one year.
9. Installation, Operation, and Rejection of Cookies
The Company uses cookies to provide appropriate services to users.
- Purpose of cookie use: Maintaining users' service environment settings such as language settings, collecting usage statistics, and improving services
- Rejection of cookies: Users may refuse cookie storage through web browser settings. However, if cookie storage is refused, difficulties may arise in using some services.
Detailed information on cookies related to Shopify can be found at https://www.shopify.com/legal/cookies.
10. Cross-Border Transfer of Personal Information
The Company transfers personal information overseas as follows for service provision.
| Recipient | Country | Purpose | Items Transferred | Retention Period |
| Amazon Web Services, Inc. | USA (AWS Seoul Region and Global Infrastructure) | Data storage and service operation via cloud server | All personal information required for service use | Until member withdrawal or termination of entrustment contract |
| Firebase | USA | Push notification delivery and service operation | Device information, app usage information | Until member withdrawal or termination of entrustment contract |
| Neon, LLC | Australia | Database operation and data storage | Member information, service usage data | Until member withdrawal or termination of entrustment contract |
| Supabase Inc | USA | Database operation and backend service provision | Member information, service usage data | Until member withdrawal or termination of entrustment contract |
| Cloudflare Inc | USA and worldwide | Content delivery (CDN) and security service provision | IP address, access information | Until member withdrawal or termination of entrustment contract |
| PayPal | USA, etc. | Payment processing and fraud prevention | Name, email, payment information, transaction history | Until payment completion and legal retention period |
| 3PL | China, etc. | Product delivery and return processing | Recipient name, delivery address, contact information, order information | Until delivery completion or completion of related work |
11. Personal Information Protection Officer
The following Personal Information Protection Officer has been designated to oversee personal information processing work and handle complaints and damage relief related to personal information processing:
-
Name: Jang Won
-
Position: General Manager
-
Email: platform_service@creativemut.com
12. Application to Sub-Services
This Policy applies in common to all sub-services operated under the Dududo umbrella brand (e.g., Kabinet by Dududo and other currently and future launched services).
Each sub-service references this Policy, and if additional personal information processing is required due to service characteristics, separate supplementary notices will be provided. For example, when purchasing products from Dududo Store, purchase-related items specified in Article 2 of this Policy are additionally collected for delivery and payment processing.
13. Changes to Privacy Policy
This Privacy Policy applies from the effective date, and if there are additions, deletions, or corrections to the content due to changes in laws and policies, notice will be given through announcements or email from 7 days before the effective date of changes (30 days before for changes unfavorable to users).