Privacy Policy

1. To improve service quality, the Company collects personal data for the following purposes.

- Identification, personal identification, complaint handling, and notice delivery regarding ethical management violations

1. In general, once the purpose of storing the collected personal data has been met, the data is immediately destroyed. Personal data for which the purpose of collection and use has been met is transferred to a separate database, stored securely in accordance with internal regulations and applicable laws, and destroyed without delay when the specified time period expires. At this time, the personal data transferred to a separate database will not be used for any other purpose unless the user agrees otherwise or the law requires it.

2. If separate consent is obtained from the user regarding the storage period, the data is retained until the end of the agreed-upon period and then immediately destroyed. If specified by a superior court, however, a separate retention period is observed.

3. However, if it is necessary to retain personal data in accordance with applicable laws, such as the Commercial Act and the Act on Consumer Protection in Electronic Commerce, Etc., the personal data will be retained for a certain period of time. In this instance, the company stores data solely for storage purposes, and the retention period is as follows.

1. The Company uses the user's personal data within the scope outlined in Article 2 (Collection of Personal Data) and Article 3 (Purpose of Collection and Use), and does not use it beyond its intended scope or provide it to third parties or companies without the user's consent.
The following, however, are exceptions.

(1) When the user consents beforehand;

Before disclosing a user's personal data to a third party, the Company informs the user of the following and obtains their consent.

• - Recipients of personal data
• - Purpose of use of personal data by the recipient
• - Items of personal data provided
• - Period of retention and use of personal data by the recipient

(2) In the case of an investigative agency fulfilling its obligations under the relevant laws or requesting the disclosure of personal data in accordance with the procedures and methods specified by those laws for the purposes of an investigation;

(3) Acquisition of business, etc.

If there is a reason for business transfer, etc., and it is necessary to transfer the user's personal data, the Company notifies in advance the facts regarding the transfer of personal data in accordance with the procedures and methods specified in related laws, such as the Act on Promotion of Information and Communications Network Utilization and Information Protection, and allows users to withdraw their consent to the transfer of personal data.

2. In the following instances, personal data may be disclosed without the user's consent in accordance with applicable laws and regulations.

• - In accordance with the provisions of the law or in accordance with the procedures and methods established by the law for the purpose of investigation, if a request is made by an investigative agency.
• - If required for statistical writing, academic research, or market research, processing and providing an individual's data in an unidentifiable format.

1. The Company consigns a portion of its tasks in order to improve and implement services, and stipulates that personal data can be managed securely in accordance with applicable laws and regulations during consignment contracts.

2. The Company's current personal data processors and their responsibilities are outlined below.

3. To ensure the safety of personal data protection when entering into a consignment contract, strict compliance with privacy-related regulations and responsibilities in the event of an accident are clearly specified, and the contract's terms are stored physically and electronically. If the company is changed, the name of the new company will be reflected on the privacy policy screen.

4. The Company conducts appropriate oversight within the scope of the entrusted tasks to ensure that the trustee faithfully fulfills the entrusted personal data so that the entrusted personal data can be managed securely.

1. Users can view, edit, and delete their registered data.

Personal data may be viewed or corrected only after identity verification has been performed by visiting a branch office or calling the Lotte Duty Free Customer Service Center (+82-2-1688-3000).

- In the case of programs operated by promotional sites, however, when the retention and use period agreed upon at the time of registration expires, the registered data is immediately deleted and cannot be accessed or modified.

2. If a user requests that an error in his or her personal data be corrected, the data will not be used or disclosed until the correction has been made.

1. Cookies are temporary files that are automatically created when you visit a website. It is a small amount of data that the server used to run the website sends to the user's browser and is also stored on the user's PC's hard drive.

2. The Company uses "cookies" to store and retrieve usage data in order to provide users with quick and useful services when they visit its website.

3. You have a choice regarding cookies, and you can configure your web browser to allow all cookies, to prompt you before saving a cookie, or to block all cookies. However, if the user refuses to accept cookies, there may be restrictions on use, such as the need to re-enter login data when using certain login-required services.

- The following describes how to specify whether or not to allow cookie installation in Internet Explorer.

• Internet Explorer browser

Modify settings via [Tools] > [Internet Options] > [Privacy] > [Advanced]

• Google Chrome browser

Modify settings via [Settings] > [Privacy and security] > [Cookies and other site data]

4. The Company is able to read the cookie's contents from the customer's browser, locate additional data on the customer's computer, and provide the service without additional input such as the connection name.

1. The Company uses Google Analytics, a Google-provided web log analysis tool, to improve user services.
Through cookies, Google Analytics collects data about the behavior of our website visitors; in this case, only non-identifying data that cannot be used to identify the user is collected. However, users may opt out of using Google Analytics by installing the Google Analytics opt-out browser add-on (https://tools.google.com/dlpage/gaoptout) or by refusing cookie settings in the web browser.

The following describes the method for blocking or allowing tailored advertisements via a web browser.

(1) Internet Explorer (Internet Explorer 11 for Windows 10)

• - Open Internet Explorer and click [Tools]
• - Allow or block cookies via [Internet Options] > [Privacy] > [Advanced]

(2) Microsoft Edge

• - Open Microsoft Edge and click […]
• - Go to [Tracking prevention] via [Settings] > [Privacy, search, and services]
• - Toggle “Always use Strict Tracking Prevention when browsing InPrivate”
• - Under Privacy and services, turn the Send Do Not Track requests setting on or off

(3) Google Chrome

• - Open Google Chrome and click [⋮]
• - Go to [Content Settings] via [Settings] > [Show advanced settings] > [Privacy and security]
• - Set to "Block third-party cookies and site data” in the Cookies section

1. The Company has implemented the following technical safeguards to prevent the loss, theft, unauthorized disclosure, alteration, or destruction of the user's personal data during processing.

• - User's personal data is password-protected, and important data is protected through a separate security function by encrypting files and transmission data or by using a file lock function.
• - The Company utilizes an antivirus program to prevent computer virus-related damage. The antivirus program is routinely updated, and in the event of a sudden virus infection, vaccines are distributed as soon as they become available to prevent the disclosure of personal data.
• - The Company adopts a security device (SSL or SET) that uses a cryptographic algorithm to transmit personal data over the network securely.
• - Each server uses an intrusion prevention system and vulnerability analysis system to protect against external intrusions such as hacking.

2. The Company restricts access to personal data of users to a minimum number of employees.
Those who fall under the minimum number of employees are as follows.

• - Persons who perform service work directly for users
• - Persons in charge of managing personal data, such as the person in charge of privacy and the person in charge of personal data management
• - Persons who are required to handle personal data for other business purposes

3. Regular in-house and outsourced training on new security technology acquisition and privacy obligations is provided to employees who handle personal data, and there are internal guidelines in place to monitor employee compliance with the privacy policy.

4. Computer rooms and data storage rooms are designated as protected areas with restricted access.

5. The Company is not responsible for events that result from user error or inherent risks of using the Internet. Individual users are responsible for properly managing their ID and password to safeguard their personal data.

6. Moreover, if personal data is lost, leaked, falsified, or damaged due to an internal manager's error or a technical management accident, the Company will immediately notify the user and devise appropriate compensation measures.

1. According to the website's terms and conditions, children under the age of 14 are prohibited from using the Company's services.

2. If the Company must collect personal data from children under 14 years of age, it will comply with applicable laws and notices.

3. If a user requests that an error in his or her personal data be corrected, the data will not be used or disclosed until the correction has been made. In addition, if incorrect personal data has already been provided to a third party, the correction will be immediately communicated to the third party so that the correction can be implemented.

The Company may provide links to the websites of other businesses and affiliates, as well as collect data via these sites. Due to the Company's lack of control over external sites and materials, it cannot be held liable for or guarantee their usefulness. If you navigate to a page on an external website or link site, please review the site's privacy policy, as it is irrelevant to the Company’s privacy policy.

1. The Company makes every effort to ensure that users can access high-quality data securely. In the event of an accident involving the violation of protecting personal data, the Company assumes full responsibility. However, despite taking additional technical precautions, the Company cannot be held liable for data loss due to unforeseen incidents caused by basic network risks such as hacking and various disputes caused by user-generated content. The persons in charge of protecting and processing the user's personal data are listed below, and these persons respond promptly and truthfully to inquiries pertaining to personal data.

2. The Company operates a customer service center to facilitate communication with users. The following are the contact details for the customer service center.

Lotte Duty Free Customer Service Center: +82-2-1688-3000
※ Over-the-phone consultations are available on weekdays from 9 AM to 6 PM.

3. In the case of an email or website inquiry, we will respond as quickly as possible in good faith.

- Website: https://www.lottedfs.com (Home > Customer Service > Contact)
※ 1:1 consultations are exclusive to online members and offline purchasers.

The following organizations can be contacted by users inquiring about damage relief and consultation for privacy violations.
The organizations listed below are separate from the company. If you are not satisfied with the results of the Company's complaint handling and damage relief, or if you require additional assistance, please contact these organizations.

Duty of Notice

This privacy policy takes effect as of May 12, 2023. If there are any additions, deletions, or changes to the content, a notice will be posted on the website at least seven days prior to the amendment. In addition, the Company assigns revision dates to the privacy policy, making it easy to determine whether it has been updated.

Privacy Policy Ver. 1.1

• - Effective date: May 12, 2023
• - Last updated: May 12, 2023