Privacy Policy


Lululab Inc. (hereinafter referred to as the "Company") cherishes and values the personal information of users who use the services provided by the Company and endeavors to protect the personal information of those users. The Company has established this Privacy Policy to protect the personal information of users in accordance with applicable laws including, in particular, the Act on Promotion of Information and Communications Network Utilization and Information Protection (hereinafter referred to as the “Information and Communications Network Act”), the Personal Information Protection Act and the EU General Data Protection Regulation (hereinafter referred to as the “GDPR”), and to handle related complaints promptly and smoothly. In addition, by posting this Privacy Policy on its website (or its mobile application), the Company ensures that this Privacy Policy is readily available to users at all times.


1. Identity of the Controller, Purpose of Processing Personal Information and Items of Personal Information to Be Processed

a. The Company determines the purposes and means of the processing of personal information regarding the relevant services, and qualifies as a controller in the sense of Art. 4 No. 7 GDPR. For contact details, please see our contact information page. The Company collects personal information of each user during the sign-up process, and processes the types of personal information listed below for the purposes stated below. The Company shall not use the personal information so collected other than for such purposes and, if the purpose of use is changed, will take necessary actions, including obtaining a separate consent of users, where required in accordance with the Information and Communications Network Act, the Personal Information Protection Act or any other applicable data protection laws.
a-1
* Purpose of Collection and Use: Confirmation of member’s intent to sign up (or confirmation of consent to the use of services); user identification and authentication for supply of membership-only services; maintenance and management of member qualifications; age verification; confirmation of consent of legal representative in the case of processing personal information of a child under the age of 14; prevention of unauthorized use by a delinquent member; and (in handling complaints) verification of the identity of the complainant, confirmation of the complaint, contact or notification for fact-finding and notification of results
* Legal Bases for Processing:
- performance of contract
- compliance with legal obligation
- legitimate interests to communicate with you and improve our services
* Type of Information: Name, personal identification value, date of birth, gender, country, mobile phone number, Korean citizen/foreigner status and, in the case of an online member, ID and password
* Category: Required

a-2
* Purpose of Collection and Use: (If explicitly consented to by a user) analyzing skin information and providing solutions
* Legal Basis for Processing: consent
* Type of Information: Photos, country, survey related to skin information, e-mail address and mobile phone number
* Category: Required
* Type of Information: Skin type, skin concerns, preferred cosmetics
* Category: Optional

a-3
* Purpose of Collection and Use: Use of payment services (including cancellation and refund)
* Legal Basis for Processing: performance of contract
* Type of Information:
- For credit card payment: minimum information required for payment, such as credit card type, card number and expiry date
- For account transfer: bank name, account number and name of applicant
- For mobile phone payment: mobile phone number and name of carrier
- For credit card easy-payment: credit card information (issuer, credit card number, expiry date and CVC) and payment password
* Category: Required

a-4
* Purpose of Collection and Use: Delivery of ordered goods
* Legal Basis for Processing: performance of contract
* Type of Information: Name of ordering person, landline or mobile telephone number, e-mail address, order password, recipient’s name, shipping address and telephone number and other requested information
* Category: Required

a-5
* Purpose of Collection and Use: Delivery of notices; identification of user intent; handling of complaints; and (if consented to by user) providing information on services, business and policies or other events of the Company or its partner company and shipping related giveaways and other goods
* Legal Bases for Processing: compliance with legal obligation, consent
* Type of Information: Phone number, mobile phone number, e-mail address and consent on receiving information (e-mail, EM, TM, SMS, LMS and CMS)
* Category: Required

a-6
* Purpose of Collection and Use: (If consented to by user) providing information on services, business and policies or other events of the Company or its partner company and shipping related giveaways and other goods
* Legal Basis for Processing: consent
* Type of Information: E-mail address, address and consent on receiving the information (e-mail and DM)
* Category: Required

a-7
* Purpose of Collection and Use: (If consented to by user) other marketing activities, including statistical analysis on use history of the Company or its partner company, recommendation of products or services, product research and development and update management
* Legal Basis for Processing: legitimate interest to protect the services
* Type of Information: Gender, date of birth, photos, country, survey related to skin analysis, preferred cosmetics, skin type, skin concerns
* Category: Required
* Type of Information: Device control number (automatically generated upon installation of the application)
* Category: Optional

b. IP address, date and time of visit, service use records, records of misuse and the like may be automatically generated and collected during use of online services or processing of information. We use this information to monitor and analyze how users use online services (including mobile services) and to maintain and improve online services (Legal basis: legitimate interest to maintain and improve our services).

c. During use of online services (including mobile services), information on devices (including model, operating system, browser, etc.) may be collected for the purpose of, inter alia, user verification, supply of services and prevention of unlawful use and, in case of mobile services, carrier information may also be collected and used for providing services particular to mobile services, including PUSH service, application version upgrades, etc. (Legal basis: legitimate interests to protect and improve our services).

d. The Company collects personal information of users in the following instances in addition to the user’s sign-up process, for which the Company specifies the purpose of collection to the user. In such cases, the collection of personal information may be done through web pages, applications, e-mail, fax or telephone.
• For customer services: collection of information for handling customer service, mediating disputes, processing customer requests and retaining records (Legal basis: legitimate interest to provide customer service and to resolve disputes)
• For surveys or giveaway events: selective collection of personal information for, inter alia, statistical analysis or providing giveaways (Legal basis: legitimate interest to perform surveys and events)
• For marketing contests and other events hosted by the Company: collection of personal information for participation in contests or events (Legal basis: legitimate interest to carry out marketing contests and events)

e. In order to verify the identity of a user for use of the service, the Company may process the foreigner registration number of the user with a separate consent of the data subject (Legal basis: legitimate interest to protect the services).

f. The Company does not, without a separate express consent of a user, collect any personal information, including on ideology, affiliation with a labor union or political party, political view, religion and criminal record, which can significantly infringe on privacy of the user, or any other special category of personal data.

g. A user may refuse to provide his/her personal information. However, if a user refuses to provide the required personal information, the user may not be allowed to sign up for membership and may not be able to use the offered services and benefits.

h. Personal information of a user which requires the user’s consent is collected after obtaining such consent of the user prior to his/her use of the specific service, which consent is given by way of checking separate online checkboxes or through offline documentation. If a user checks an online checkbox or marks on the consent field of the offline document, the user consents to the collection and processing of the relevant personal information.


2. Period of Retention and Use of Personal Information

a. The Company will process and keep personal information for a period of retention and use of the personal information in accordance with applicable laws or for a period of retention and use of the personal information consented to by a user at the time the personal information was collected.

b. As a general rule, the Company will delete personal information of a user set forth in Article 1 when the personal information is no longer necessary for the purposes for which it was collected. This is, in particular, the case if the following applies:
• Membership registration information: When a user withdraws his/her membership or is expelled as a member
• Supply of goods or services: When the supply of goods or services is completed or when the payment or settlement of charges is completed
• Shipping information: When goods or services are delivered or provided to the user
• Information collected for events: When the event is completed

c. If, notwithstanding that the personal information retention period has expired or the purpose of processing the personal information has been attained, the personal information must be retained for a certain period of time pursuant to applicable law or the internal policy of the Company, including, without limitation, the examples specified below, the Company shall transfer the personal information to a separate database (DB) or otherwise keep the personal information in a different storage place.
c-1
* Law/Internal Policy: Article 15-2(2) of the Protection of Communications Secrets Act
* Purpose of Retention/Use: Request for communication-related factual verification data and communication restriction measures executed by a prosecutor, law enforcement officer or intelligence investigation agency in accordance with the Protection of Communications Secrets Act
* Retained Item: Caller ID, recipient’s number and I/O date and time
* Retention/Use Period: 12 months
* Retained Item: Log records, access location information, etc.
* Retention/Use Period: 3 months

c-2
* Law/Internal Policy: Article 6(3) of the Act on the Consumer Protection in Electronic Commerce
* Purpose of Retention/Use: Records on labeling and advertisement
* Retained Item: Labeling and advertisement records
* Retention/Use Period: 6 months
* Purpose of Retention/Use: Records on payments and supply of goods, etc.
* Retained Item: Records on payments and supply of goods, etc.
* Retention/Use Period: 5 years
* Purpose of Retention/Use: Records on contracts or subscription withdrawals
* Retained Item: Consumer identification information, records of contracts/subscription withdrawals
* Retention/Use Period: 5 years
* Purpose of Retention/Use: Records on consumer complaints or dispute resolutions
* Retained Item: Consumer identification information, dispute resolution records
* Retention/Use Period: 3 years

c-3
* Law/Internal Policy: Article 85(3) of the Framework Act on National Taxes
* Purpose of Retention/Use: Preservation of books and evidentiary documents related to transactions
* Retained Item: Books and evidentiary documents related to transactions, including names, resident registration numbers, telephone numbers, billing addresses and payment details
* Retention/Use Period: 5 years

c-4
* Law/Internal Policy: Article 33 of the Commercial Act
* Purpose of Retention/Use: Preservation of commercial books, etc.
* Retained Item: Important documents related to commercial books and operation
* Retention/Use Period: 10 years
* Retained Item: Slips
* Retention/Use Period: 5 years

c-5
* Law/Internal Policy: Internal Policy of the Company
* Purpose of Retention/Use: Abuse of membership registration (prevention of illegal use)
* Retained Item: ID, user identification value
* Retention/Use Period: 3 years from withdrawal

d. If a user has not used the Company’s services for a period of one (1) year, the Company will delete or separately store personal information of the user upon giving a prior notice to the user. In relation to this, the Company informs a user of the fact that personal information is deleted or separately stored or managed, the expiry date of service non-use period and items of the personal information to be deleted, by e-mail, telephone, facsimile or other similar means at least 30 days before the expiry date of non-use period.


3. Procedure and Method of Deletion of Personal Information

The Company deletes personal information immediately when the personal information becomes unnecessary, including upon expiry of the retention/use period applicable to the personal information and upon attainment of the purpose for which the personal information was processed. The procedure and method of deleting personal information are as follows:
a. Deletion Procedures: The Company selects personal information in respect of which an event requiring destruction has occurred, and deletes the personal information with the approval of the Company’s personal information protection officer.

b. Destruction Method: In the case of personal information recorded or stored in electronic files, the Company deletes the personal information using a technical or physical method ensuring that the personal information is not restorable or reproducible, and in the case of personal information recorded or stored in paper documents, the Company shreds the documents with a shredder or incinerates them.


4. Provision of Personal Information to Third Parties
a. The Company shall use personal information of each user only within the scope of the purpose of collection and use of the personal information, and without the prior consent of a user, shall not use the personal information beyond such purpose or provide the personal information outside the Company, with the following exceptions:
• as provided in any statute, including the Personal Information Protection Act, the Act on Real Name Financial Transactions and Confidentiality, the Credit Information Use and Protection Act, the Framework Act on Telecommunications, the Telecommunication Business Act, the Local Tax Act, the Consumer Protection Act and the Criminal Procedure Act or any other applicable laws
• where such information is necessary for settling fees for supply of information and communication services
• where the transfer of personal information to other service providers or business partners is necessary for the performance of our services; this may include, in particular, the transfer of personal information for the processing of payment transactions, delivery of goods or mailings, provision of customer support and IT support

b. A user may refuse to give consent to the provision of personal information to a third party, where applicable, provided that in such case the user may be restricted from using the service provided by the third party.

c. When providing personal information of a user to a third party in a foreign country, the Company shall inform the user of the same and obtain a separate consent, where necessary.


5. Entrustment of Personal Information Processing
a. In principle, the Company intends to handle and process the personal information processing work by itself. However, the Company may entrust the personal information processing work to a third party to perform contracts on providing services and improve convenience of users, in which case the Company will follow the procedure set forth and described in (b) below.

b. When entering into entrustment arrangements with any third party, the Company shall specify the responsibilities of the entrusted parties in the relevant agreements or other documents, including prohibition of processing personal information other than specifically for the purpose of performing the entrusted work, technical and administrative protective measures, restriction on re-entrustment, supervision over the entrusted party and indemnification, and the Company shall monitor whether the entrusted party safely processes personal information of users.

c. In the event of any change in the entrusted parties or the entrusted work, the Company shall promptly disclose such change through this Privacy Policy.

d. In the event the Company entrusts personal information processing work for events and promotions other than as required for the performance of service use contracts, the Company shall inform user of the entrusted work and obtain a separate consent.


6. Rights and Obligations of Users and Legal Representatives under the Information and Communications Network Act and the Personal Information Protection Act and How to Exercise Them

a. With respect to any of his/her personal information collected by the Company, a user may, at any time, request access (inspection), correction (modification), withdrawal of any given consent (withdrawal from membership or termination of contract), deletion or suspension of processing. In addition, the Company shall take all measures necessary to ensure that the withdrawal of consent to collection of personal information (withdrawal from membership) can be done more easily than the way in which the personal information was collected.

b. Pursuant to Article 30 of the Information and Communications Network Act, a user may exercise the rights under clause (a) by writing, phone, e-mail, fax, etc. to the personal information protection officer or staff of the Company and the Company shall promptly take measures in such regard.

c. A user may exercise the rights under clause (a) through his/her legal representative or authorized proxy, in which case, such person acting for the user shall submit a power of attorney in the form attached as Appendix No. 11 Form to the Enforcement Decree of the Personal Information Protection Act.

d. The exercise by a user of the rights under clause (a) may be limited in the following cases pursuant to Article 35(4) or Article 37(2) of the Personal Information Protection Act:
• Where the exercise by the user of the rights under clause (a) is prohibited or restricted by law
• Where the exercise by the user of the rights under clause (a) is reasonably expected to cause death or bodily injury of another person or to unduly damage another person’s property and other interests
• Where the exercise by the user of the rights under clause (a) significantly interferes with a public institution’s conduct of any work specified in each sub-item of Article 35(2)(4)(iii) of the Personal Information Protection Act, or in the case of a public institution not processing personal information, where the public institution is unable to carry out its work as prescribed in other statutes
• (In the case of a request for suspended processing) where (i) the Company will be unable to provide services under a contract with a user or otherwise perform the contract if the personal information cannot be processed and (ii) the user has not clearly expressed its intention to terminate the contract

e. In the event a request for access, correction, deletion or suspended processing is made in relation to personal information of a user, the Company checks whether the person making such request is the user or his/her authorized representative.

f. If a user requests a correction of any error in personal information, the Company shall not use or provide such personal information to a third party until the personal information is corrected. In addition, if the Company has already provided or entrusted incorrect personal information to a third party, the Company shall promptly request correction of the personal information.

g. A user shall maintain his/her personal information up to date and be responsible for any problem arising from his/her entry of incorrect information.

h. A user shall be responsible for maintaining security of his/her personal information, including ID, password and e-mail, and shall not assign, transfer or lend such information to a third party. A user shall bear all civil and criminal liabilities caused by transferring or lending such information to a third party.

i. If a user signs up for membership through illegal use of another’s personal information, then such user’s membership may be forfeited by the Company or such user may be subject to civil or criminal liabilities in accordance with the law related to protection of personal information.

j. The Company shall not be responsible for any loss or damage not attributable to the Company’s fault, including any accident caused by negligence of a user or occurring within an area not managed by the Company (for example, personal information of users which is collected and used by a cosmetics store, skin clinic or skin care shop, etc. purchasing or leasing the products of the Company), to the extent the Company has fulfilled its obligations as a personal information processor; provided that the Company takes such measures for ensuring the safety of personal information as provided in Article 7 below and, in the event a user’s personal information is lost, leaked, falsified or damaged due to negligence of the Company’s internal manager or an accident in technical management, the Company shall inform the user of such fact and seek proper actions and remedies.


7. Measures to Ensure the Safe Processing of Personal Information

In processing personal information of users, the Company takes the following technical, managerial and physical measures to prevent the personal information from being lost, stolen, leaked, falsified or damaged and to ensure the safe processing of the personal information.

a. Establishment and implementation of an internal management plan for safe processing of personal information
• Matters concerning composition and operation of the personal information protection division, such as designation of the personal information protection officer
• Matters concerning training of persons who process personal information of users under the direction and supervision of an information and communications service provider (each such person, a "personal information processor")

b. Installation and operation of access control devices, such as an intrusion prevention system, to block unauthorized access to personal information
• Establishment and enforcement of requirements for granting, changing or cancelling access to the database system which is systematically configured to process the personal information (the "personal information processing system")
• Installation and operation of an intrusion detection system and intrusion blocking system for the personal information processing system
• Establishment and administration of requirements for passwords, such as method of creation and interval of change

c. Measures to prevent falsification and forgery of access records
• (Where a personal information processor accesses the personal information processing system to process personal information) storage of access date and time and other processing details, and confirmation and supervision thereof
• Backup storage of access records of the personal information processing system on a separate storage device

d. Security measures using encryption technology to safely store and transmit personal information
• One-way (hashed) storage encryption of passwords
• Storage encryption of resident registration numbers, passport numbers, driver's license numbers, alien registration numbers, credit card numbers, bank account information and biometric data
• Use of a secure server when transmitting and receiving a user’s personal information and authentication information through an information and communications network

e. Measures for protection from computer viruses, including installation and maintenance of anti-virus software
• Installation, periodic update and inspection of anti-virus software on information devices used by the personal information processing system and by personal information processors, for the purpose of checking for and removing any infiltration of computer viruses, spyware and other malicious software at all times

f. Other necessary protective measures to ensure the safety of personal information
• Establishment and operation of access control procedures for computer rooms, data archives or other physical storage areas in which personal information is stored
• Specifying the purpose of use whenever personal information is output from the personal information processing system (for example, by printing, on-screen display or file creation), and minimizing printouts of personal information according to that stated purpose


8. Installation, Operation and Rejection of Cookies or other Automatic Data Collection or Tracking Tools

[If cookies are used] a. In order to provide personalized services to each user, the Company may use a “cookie” (a tool for automatically collecting personal information, including internet access information files) which saves and retrieves information on the user (a “cookie” identifies the user's computer, but does not personally identify the user).

b. A cookie is a small piece of information sent to a user’s computer browser (such as Chrome, Internet Explorer, etc.) by the (HTTP) server used to operate a website, and may also be stored on the hard drive of the user’s PC.
• Purpose of using cookies: Cookies are used to identify a user’s visits, usage patterns, popular keywords, secure access status, etc. with respect to each service and website visited by the user, and to provide personalized services optimized for the user.
• Installation, operation and rejection of cookies: A user may reject (or partially accept) cookies through the option settings reached by choosing the ‘Tools’ menu at the top of the web browser, selecting ‘Internet Options’ and clicking the ‘Personal Information’ tab.
• If a user rejects cookies, the user may experience difficulties in using personalized services.
or [If cookies are not used] The Company does not use a “cookie” that saves and retrieves usage information of the user.


9. Personal Information Protection Officer and EU Representative

a. The Company designates and operates the following personal information protection officer and personal information protection division, in charge of personal information matters in general, to handle and remedy data subjects’ complaints and carry out other customer services related to the processing of personal information.
* Personal Information Protection Officer
- Name: Nancy. Heo
- Position: DPO
- Contact: +82-2-597-0502
- E-mail: lululab@lulu-lab.com
* Personal Information Protection Division
- Division Name: Data Protection Management Team
- Contact: Nancy. Heo
- Contact: +82-2-597-0502
- E-mail: support@lulu-lab.com

b. A user may direct all communications concerning personal information protection matters which arise in the course of using the Company’s services, including inquiries, complaints, requests for remedies and requests for access to personal information, to the personal information protection officer and division. The Company shall answer and handle inquiries of users without delay.

c. The Company designates the following EU representative to be addressed by the competent EU supervisory authorities as well as the affected data subjects within the EU: [PLEASE INSERT NAME AND CONTACT DETAILS].


10. Remedies for Violation of Rights

A user may make inquiries regarding damage relief, consultation, etc. in relation to any personal information breach to the following organizations. However, the following organizations are independent from the Company; a user should therefore first request the handling of his/her personal information related complaint and remedy from the Company and, only if the user is not satisfied with the result or needs further assistance, make inquiries to the following organizations.

* 118 Center for Cyber Difficulties (Korea Internet & Security Agency)
- Service: personal information breach report, application for consultation
- Homepage: http://privacy.kisa.or.kr
- Phone number: (no area code) 118
- Address: 118 Center for Cyber Difficulties, 3F, Jinheung-gil 9, Naju-si, Jeonnam, 58324, Korea

* Personal Information Dispute Mediation Committee (KOPICO)
- Service: Application for personal information dispute mediation, collective dispute mediation (civil resolution)
- Homepage: http://www.kopico.go.kr
- Phone number: (no area code) 1833-6972
- Address: 209, Sejong-daero, Jongno-gu, Seoul, 03171, Korea

* Cyber Crime Investigation Center, Supreme Prosecutors’ Office
- Homepage: http://www.spo.go.kr
- Phone number: (no area code) 1301

* Cyber Safety Bureau, National Police Agency
- Homepage: http://cyberbureau.police.go.kr
- Phone number: (no area code) 182


11. Change in Privacy Policy

a. This Privacy Policy may be changed or amended if necessary, including on the basis of law, government policy or the Company’s internal policy, and any addition, deletion or change herein will be notified through “Notification” on the Company’s website at least 7 days (or 30 days in the case of any material change in a user’s rights) prior to the effective date of such addition, deletion or change.

b. This Privacy Policy applies from February 1, 2019, and the Company discloses the pre-revision version of Privacy Policy through “Notification” on the Company’s website.
Privacy Policy Version Information:
Privacy Policy Revision Date:
Privacy Policy Enforcement Date:

12. International Data Transfers
We transfer personal information from the user’s location to Korea. As of now, there is an adequacy decision by the EU Commission regarding Korea. We have implemented suitable safeguards. You can obtain further details by contacting us.


13. Privacy Rights Regarding the EU General Data Protection Regulation
a) Each user has the right to request information at any time about all of the user’s personal data that the Company processes.
b) If a user’s personal data are inaccurate or incomplete, the user has the right to correction and amendment.
c) User may request the deletion of the user’s personal data at any time, unless the Company is legally obligated or entitled to process the user’s data further.
d) Where the legal requirements are met, a user may request a restriction on the processing of the user’s personal data.
e) User has the right to object to processing if the data processing is performed for the purposes of direct advertising or profiling. If processing is performed as a result of the balancing of interests, the user may object to the processing stating reasons arising from the user’s particular situation.
f) Where data processing is performed on the basis of user’s consent or as part of a contract, the user has the right to transfer the data provided by the user, unless the rights and freedoms of other persons are impaired.
g) Where the Company processes user’s data on the basis of a declaration of consent, the user has the right to revoke this consent at any time with effect for the future. Any processing performed prior to revocation will remain unaffected by the .
h) In addition, a user has the right to file a complaint with a European data protection supervisory authority at any time if the user is of the opinion that data processing has occurred in breach of applicable European data protection law.

[1] Under the GDPR, it is mandatory to provide the data subject with information on the identity and contact details of the controller. The required contact details need to include the name and address of the controller and, in addition, an e-mail address or (alternatively) a telephone number.




[Unauthorized collection of E-mail]
This website does not allow the unauthorized collection of e-mail addresses using e-mail harvesting programs or other technical devices. Violations may be punished under the [Information Communication Network Promotion and Information Protection Act].