Republic of Korea

Privacy Policy for Foris DAX Korea Limited

This is the Privacy Policy for Foris DAX Korea Limited (hereinafter referred to as "Privacy Policy").

Foris DAX Korea Limited (hereinafter referred to as "the Company") is committed to protecting the personal information provided by users for the use of the 'Crypto.Com Main App Service.' The Company is dedicated to ensuring the protection of personal information provided by users in accordance with relevant laws related to personal information protection, including the "Personal Information Protection Act."

This service is not intended for individuals under 19 years of age, and the Company does not collect data related to minors.

The Company makes the Privacy Policy easily accessible to users on its website and within the app service. This Privacy Policy may be subject to changes in accordance with applicable laws and the Company's internal policies. To ensure easy access to revisions, the Company conducts version management.

Effective Date: 31 Jul 2024

Article 1 (Purpose of processing personal information)

The Company processes user personal information for the following purposes. The processed personal information will not be used for any purpose other than the following, and if the purpose of use is changed, necessary measures will be taken in accordance with Article 18 of the Personal Information Protection Act, including obtaining separate consent. Refer to the details in Article 7 for specific items of personal information processing.

1. Membership registration and management

As part of the membership registration, account creation, and account management, personal information is processed for following purposes: User identification during registration and login, user verification, customer verification, user information management, dissemination of various notifications, and handling the withdrawal process.

2. Service or product provision

As part of the Service and product provision, personal information is processed for the following purposes: provision of services and app features (app installation, registration, operation, execution and management, transaction order processing, etc.), services and promotions, prevention of abuse, payments, commission and fee processing, unpaid amount processing, compliance with applicable laws and complaint handling (illegal fund transactions, terrorism prevention, sanctions screening, fraud, etc.), detection, investigation, reporting and prevention of financial crimes, account security, response to account information and/or change requests, management and protection of our business, site, app, and social media channels (problem-solving, data analysis, testing, system maintenance, support, reporting, data hosting), financial institution services, crime and fraud prevention, risk measurement, quality assurance, and training purposes of voice call records.

3. Event information and notifications

For various types of events related to the business relationship with users, personal information is processed for the following purposes: user review writing, survey participation requests, guidance on the development of company services and products, data usage for studying user service usage patterns, prize draws, survey participation requests, preference surveys, marketing through market data collection, measuring and understanding the effectiveness of advertising through the provision of website content and advertisements, improving websites, products/services, marketing, customer relations, and experiences, product and service recommendations, utilization of social media platforms or advertising platform services.

4. Handling complaints

5. Personal information processed for the purpose of handling complaints and grievances. In the process of providing the service, the Company may use personal information without the consent of the user in accordance with Article 15, Paragraph 3 or Article 17, Paragraph 4 of the Personal Information Protection Act. In this case, the company considers the following criteria in determining its operations:

Whether the use of personal information is related to the initial purpose of collection
Whether, in view of the circumstances in which the personal information was collected or the general processing practices, there is a reasonable expectation that the personal information could be used additionally
Whether the use of personal information unfairly infringes upon the interests of the user
Whether necessary measures such as pseudonymization or encryption have been taken to ensure the security of the personal information

Article 2 (Processing and retention period of personal information)

1. The Company processes and retains personal information within the scope of the legal requirements for processing and retention periods of personal information or within the period of consent obtained from users at the time of collecting personal information.

2. Each individual personal information processing and retention period is as follows:

Membership registration and management: Until withdrawal of membership
Service or product provision: Until completion of service or product provision and related cost payment and settlement. However, usage records and behavioral information generated during service usage for purposes of fraud prevention, complaint handling, and litigation response will be retained for 5 years after membership withdrawal.
Event information and notifications: Until the end of the relevant event
Handling complaints: 5 years after membership withdrawal or in accordance with the retention period prescribed by applicable laws (compliance with the retention institution specified by the relevant law if the relevant law is more than 5 years).

3. Notwithstanding the provisions of Paragraph 2, personal information processing and retention may be performed until the end of the following cases. However, in cases where the personal information processing and retention period is different, the longest retention period will be followed.

4. Until the end of the relevant period in the case of falling under the reasons set forth in the relevant laws and regulations in each of the following items:

Item

Legal Basis

Storage Period

Records related to contract or withdrawal of subscription, etc.

Act on Consumer Protection in Electronic Commerce, etc.

5 years

Records on payment of fee and supply of goods, etc.

Act on Consumer Protection in Electronic Commerce, etc.

5 years

Records on handling of consumer complaints or disputes, including call and reply details, etc.

Act on Consumer Protection in Electronic Commerce, etc.

3 years

Records on display/advertisement

Act on Consumer Protection in Electronic Commerce, etc.

6 months

Records such as login logs, etc.

Protection of Communications Secrets Act

3 months

Records on the collection, processing, and use of credit information

Use and Protection of Credit Information Act

3 years

Account books and documentary evidence concerning all transactions set by tax laws

National Tax Basic Act

5 years

5. In case an investigation or inquiry is being conducted due to a violation of relevant laws, the processing and retention will continue until the conclusion of the said investigation or inquiry.

6. In case there are remaining rights and obligations arising from the use of the service, the processing and retention will continue until the settlement of the corresponding rights and obligations.

7. In case of ongoing legal disputes, such as lawsuits, between the user and the company, the processing and retention will continue until the conclusion of the relevant legal proceedings

Article 3 (Provision of Personal Information to Third Parties)

1. The Company processes user's personal information only within the scope specified in Article 1 (Purpose of Personal Information Processing) of the Privacy Policy. Personal information will be provided to third parties only in cases specified in Article 17 (Provision of Personal Information) and Article 18 (Restrictions on Use and Provision of Personal Information for Purposes other than the Purpose of Collection) of the Personal Information Protection Act, such as with the consent of the information subject, when there is a special provision of the law, or when it is necessary to comply with legal obligations.

Status of Third-Party Provision of Personal Information: None

2. The Company obtains prior consent from users before providing the following personal information to third parties. The recipients may change without notice depending on the nature of affiliated services and contractual agreements.

3. Details on the provision of personal information to third parties

Third Party Name

Purpose

PII sharing Item

Retention period

Foris Limited

Mainapp service

Items defined in the Article 7

5 years after account deletion

Article 4 (Consignment of personal information processing)

1. The Company entrusts certain tasks necessary for providing services to external companies to perform personal information processing. The Company also manages and supervises entrusted companies to ensure compliance with relevant laws.

2. The company entrusts the following personal information processing tasks.

2.1. Personal information processing Subcontractor

Consignment company

Consignment purpose

Nice Corporation (Korea)

Use of real name verification service, cell phone identity verification, account verification

UseB Co., Ltd (Korea)

Identity verification through OCR scanning and KRW bank account authentication

Foris Limited (HK)

Email Notification

Travel Rule implementation

Customer service inquiry handling Data storage and service operation

2.2. Personal information processing re-subcontractor

Consignment company

Consignment purpose

Amazon Web Services, Inc (HK)

Data storage and service operation

Article 5 (Overseas Transfer of Personal Information)

The company transfers personal information overseas as follows.

1. Foreign companies providing personal information

The company provides the following personal information to third parties overseas with prior consent from users. Overseas transfer providers may change without notice depending on the nature of affiliated services and contracts.

Details of providers for overseas transfer of personal information

Provider

Receiver

Purposes of Provision

Type of Information being provided

Method/Timing of provision

Period of keeping/use of information

Foris DAX Korea Limited (Korea)

VerifyVASP Network

Verify Name and address

Name (Eng, Kor), Date of Birth, Digital asset address

Digital asset deposit and withdrawal, Use the network to transfer the asset

5 years

Article 6 (Rights and Obligations of Users and Legal Representatives and Method of Exercising)

1. Users may at any time exercise their rights, such as access, correction, deletion, and suspension of processing of personal information, against the Company. However, the exercise of rights such as access, correction, deletion, and suspension of processing of personal information by users may be restricted in accordance with the provisions of Article 35, Paragraph 4, Article 36, Paragraph 1, Article 37, Paragraph 2, and other relevant laws concerning the protection of personal information.

2. The exercise of user rights shall be carried out in writing, by email, fax, etc., in accordance with Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act, and the Company shall promptly take measures accordingly.

3. The rights under Paragraph 1 may be exercised through a legal representative of the user or a delegated person. In this case, a power of attorney pursuant to the format of Attachment 11 of the "Guidelines for Personal Information Processing Methods" must be submitted.

4. In the case where personal information is specified as a collection target under other laws, a request for correction and deletion of personal information cannot be made.

5. When a user requests access, correction, deletion, or suspension of processing based on their usage rights, the Company confirms whether the requester is the user himself/herself or a legitimate representative.

Article 7 (Items of personal information to be processed)

1. The Company collects and uses essential information and optional information for the establishment, maintenance, execution, management of digital asset transactions, and the provision of product services as follows: The specific information would be listed here.

Purposes

Items of personal information collection and use

Registration and Management

Registration and Log-in

E-mail, Biometric Information, App Passcode

Service and Product Provision

Mobile Phone Authentication

User name
Date of birth and gender
Mobile phone number
Mobile carrier

App Passcode Settings

App Passcode

Customer Verification

User name
English surname
English first name
Address

Occupation
Workplace information (Workplace name, Workplace address)
Purpose of transaction
Source of funds

Copy of Identity Card
Name, Social Security Number, Driver’s License and issuance date (applicable only for residents)

Bank name
Account number

Digital Asset Transaction

Transaction date and time
Quantity
Type
Asset name
Deposit and withdrawal record
Digital asset transaction information

Inheritance

Deceased's information: Name, Date of Birth, Address, Death Certificate
Inheritor's information: Name, Date of Birth, Address, Contact, Relationship with Deceased, Real Name Verification Document, Unique Identifying Number, Account Information
Appointment of Proxy (if applicable)
Basic Certificate (if inheritance is a minor)

Handover

Name
Date of Birth
Mobile Phone Number
Email
Copy of Identity Card

Personal Wallet Address

Personal Wallet Address

Technical Information for Using the Service

Internet Connection Data
Internet Protocol (IP) Address
Operator and Network Provider
Login Information
Type and Version of OS
Type, Category, and Model of Mobile Device
Time Zone and Location Settings
Language Settings
App Version and SDK Version
Type and Version of Browser Plugins
Other Information Collected for Measuring Crash Logs and Technical Diagnostics
Other Information Stored or Accessed on Device when Visiting a Site or Using a Service or App

Event Provision

Event Participation and Deliverables

Name
Mobile Phone Number
E-mail address

Complaints

Additional documents for customer verification

Purpose of transaction
Source of transaction funds
Company and company address
Resident Registration Copy
Unique identification information

Additional Verification for Remediation of Abnormal Deposit and Withdrawal Accounts

Name
Date of Birth
Mobile Phone Number
Proof Photo

Source of Funds Verification

Virtual Asset Account
Value Storage Account
Amount related to the account
Source of funds and relevant documents
Deposit date and time
Type of digital assets deposited
Details about the deposit and withdrawal
Other details of transactions performed using the service, site or app
Information on investment objectives
Investment experiences
Information on previous investments

Report on Transaction Support

Name
Email
Last 4 digits of Mobile Phone Number
Report Content
Provided Files
User Identification Number
Whether it is an app account and information connected to the email of the account
Content requested by the user about the product or service
Interests, preferences, and feedback
Other information generated when communicating with the company such as customer support requests
Last 4 digits of PII card during Registration

Personal Information Amendment

Name
Detailed residential information
Address and House/Office address
E-mail address and phone number
Document verifying address

2. The Company may collect and use personal information within the scope of the collection purpose when any of the following subparagraphs under Article 15 (Collection and Use of Personal Information) of the Personal Information Protection Act applies:

When it is necessary to comply with a legal obligation or special regulations
When it is necessary for the conclusion and performance of a contract with the data subject
When it is necessary for the vital interests of the data subject or a third party in a situation where the data subject or their legal representative is unable to express intent or where obtaining prior consent is not possible due to unknown address or similar reasons
When it is necessary for the legitimate interests of the personal information processor, and such interests override the rights of the data subject, provided that the legitimate interests of the personal information processor are clear, substantial, and do not excessively infringe upon the rights of the data subject.

Article 8 (Destruction of personal information)

1. The Company shall promptly destroy personal information when it becomes unnecessary, such as upon the expiration of the retention period or the achievement of the processing purpose.

2. The Company shall safeguard dormant and deidentified user data.. In fact, personal information of users without mobile phone verification information shall be destroyed after 6 months.

3. The process of personal information destruction involves selecting personal information for destruction when the retention period expires or the processing purpose is achieved, and then proceeding with automatic system deletion or obtaining approval from the personal information protection officer.

4. Methods of personal information destruction are as follows:

Personal information stored in electronic files shall be permanently deleted to prevent record reproduction.
Personal information recorded or stored on paper documents shall be shredded or incinerated.

Article 9 (Measures to Ensure Safety of Personal Information)

The company is taking necessary administrative, technical, and physical measures for ensuring security as stipulated in Article 29 of the Personal Information Protection Act.

1. Administrative Measures:

Establishment of Internal Management Plan: The company has established and implemented an internal management plan to ensure the secure handling of personal information.
Minimization and Training of Personal Information Handlers: The company limits the number of personnel handling personal information to a minimum required for their duties. Through training and other administrative measures, the company raises awareness about the importance of personal information protection among these handlers.

2. Technical Measures:

Access Control Management for Personal Information Processing Systems: The company grants, changes, and revokes access permissions to databases processing personal information, in order to control access to personal information. It also employs intrusion prevention systems to control unauthorized external access.
Encryption of Personal Information: The company encrypts and stores unique identifying information of users, and other personal information using secure encryption algorithms.
Technical Measures for Preparedness Against Hacking and Similar Threats: The company strives to prevent leakage or damage of user's personal information due to hacking, computer viruses, and similar threats. It backs up data to prepare against potential damage, utilizes up-to-date antivirus programs to prevent leakage or damage of user data, and ensures secure transmission of personal information over networks through encrypted communication.

3. Physical Measures:

The company installs systems in areas with controlled access from external sources to prevent leakage or damage of user's personal information. It establishes and operates entry and exit control procedures.

Article 10 (Matters concerning the installation, operation, and refusal of automatic personal information collection devices)

1. The Company uses 'cookies' to store and retrieve user information for the purpose of providing service convenience to users. The Company uses cookie information only on its website and does not use it in its app services.

2. Cookies are small pieces of information sent to the customer's computer browser (Internet Explorer, etc.) by the website.

Purpose of Using Cookies

Through cookies, user preferences and settings are stored to provide a faster web environment and to improve services for user convenience. This allows users to use the services more easily.

Installation, Operation, and Rejection of Cookies

Users have the choice regarding the installation of cookies and can refuse or delete such storage at any time.

How to Reject Cookie Settings

Microsoft Edge: Settings > Site Permissions > Cookies and Site Data > Cookie Level Settings
Chrome: Choose the settings menu > Privacy and Security > Cookies and Other Site Data > Cookie Level Settings
Safari: Choose the Preferences menu > Privacy tab > Cookie and Website Data Level Settings

Article 11 (Management of Behavioral Information)

1. Behavioral information refers to online user activity information that can be understood and analyzed, such as website visit history, purchase and search history, user interests, preferences, and tendencies.

2. The Company processes behavioral information for purposes such as product and service development, customer analysis, and providing services based on user behavior.

Items of Collected Behavioral Information

We collect user activity information, including web service visit records, search/click history, device information, IP addresses, and more. App behavioral information is not collected.

Collection Method

Log information generated and stored automatically through log analysis tools when users use the service.

Purpose of Collection

We process this information for purposes including product and service development, statistics and customer analysis, improving service speed and quality, and providing other services based on user behavioral information.

Retention and Use Period

It is retained for up to 2 years (depending on the type of cookie) from the date of collection, and is deleted without delay when the retention period elapses.

Methods to Exercise User Control

Customers can refuse to use certain types of cookies by adjusting their browser settings, such as refusing to store cookies. For more controls and information please use the Cookie Preferences section at the bottom of our website.

Web Browser: Cookie level settings are available at the bottom of the homepage. Smartphone (example / may vary depending on OS version):

Android: Settings > Privacy > Advertising > Select or deselect personalized ads.
iPhone: Settings > Privacy > Tracking > Allow or disallow apps to request tracking.
Instruction for blocking Google Analytics: https://tools.google.com/dlpage/gaoptout

User Complaint Handling Method

Phone: 1588-9520 (Customer Center)
Email: [email protected]

Article 12 (Personal Information Protection Officer and Responsible Department)

1. The Company designates the following departments and personal information protection manager to protect user personal information and handle complaints related to personal information

Personal Information Protection Officer

Name: Kang Shin
Position: Chief Privacy Officer
Phone number: 1588-9520 (Customer Center)
Email: [email protected]
Department in charge: DPO, CS

2. Users can contact the personal information protection manager and the responsible department for any complaints related to personal information protection that may arise while using the Company's services. The Company will respond to and address user inquiries promptly.

Article 13 (Request for Access to Personal Information)

Department for Receiving and Processing Requests for Access to Personal Information

Responsible Department: DPO, CS
Phone: 1588-9520 (Customer Center)
Email: [email protected]

Article 14 (Remedies for Infringement Rights)

If you require remedies for damages or consultation related to personal information infringement, you may contact the following organizations:

Korea Internet & Security Agency (KISA) Personal Information Infringement Report Center Website:privacy.kisa.or.kr
Phone: 118 (no area code needed)

Personal Information Dispute Mediation Committee
Website: www.kopico.go.kr
Phone: 1833-6972 (no area code needed)

Supreme Prosecutors' Office
Website: www.spo.go.kr
Phone: 1301 (no area code needed)

Cyber Investigation Bureau, National Police Agency
Website: ecrm.police.go.kr
Phone: 182 (no area code needed)

Article 15 (Responsibility for Linked Sites)

The Company may provide links to external websites for users. In such cases, the Company does not have control over external websites, and therefore, cannot be held responsible or guarantee the usefulness, truthfulness, or legality of the services or information users receive from external websites. The personal information processing policies of linked external sites are unrelated to the Company, so please review the policies of those external sites.

Article 16 (Change of Privacy Policy)

In the event that the Company makes changes to the privacy policy, the Company will disclose the timing of the changes and the content of the changes in an ongoing manner. The revised content will also be published in a way that allows users to easily compare the before and after versions.

Article 17 (Operation and Management of Fixed Video Information Processing Device)

We hereby disclose how video information processed by the company is being used and managed through the operation and management of fixed video information processing devices.

1. The basis and purpose for the installation of the fixed video information processing device

The company installs and operates fixed video information processing devices for managing entry of personnel, ensuring safety and fire prevention of our facilities as well as for preventing crimes.

Number of installations: 7 units
Installation location: 8th floor office
Range of coverage: Identifying individuals at the entrance
Recording time: 24 hours
Retention period: 90 days
Storage location: Server room
Subcontractor: S1

If the company receives a request to view or confirm the existence/delete personal video information, necessary measures are taken, including permanent deletion in such a way that restoration is not possible.

The video information is securely managed through measures such as encryption. As a managerial measure for the protection of personal video information, the company has differentially granted access rights to personal information. In addition, the company is storing records such as the date/time of creation of personal video information, viewing purpose, viewer, date/time of viewing, etc., for 90 days. The company has also installed a locking device to securely store the personal video information physically.

2. Methods to how and where the operator of the video information processing device can check the video information

Method of checking: Request the company in advance and confirm by visiting the head office
Place of confirmation: Foris DAX Korea Ltd. headquarters

3. Measures for the subjects' requests for viewing, etc. of video information

The customers may request for viewing or confirming the existence of their personal video information that the Company processes. In these cases, it is limited to the video information where the customer himself/herself appears and the personal video information that is evidently necessary for the urgent life, body, and property interests of the customer. However, in the following cases, the Company may deny the request to view personal video information of the subject:

When the personal video information has been disposed of after the retention period has expired;
When there are other reasonable grounds for refusing the user’s viewing request.

4. Technical, administrative, and physical measures for protecting video information

The video information processed by the company is protected via administrative, technical, and physical protective measures. Our protective measures are complied with according to this personal information processing policy. The video information of the video information processing device is stored and managed separately within a designated control zone.

This Privacy Policy Version 1.02 will be effective from August 1st, 2024.

Previous privacy policy can be viewed below: