Article 1 (Purpose)
Portlogics Co., Ltd. (hereinafter "the Company") complies with the Personal Information Protection Act ("PIPA") and other related laws to protect the personal information of individuals using the services provided by the Company (hereinafter "Company Services") (such individuals being hereinafter referred to as "User" or "Data Subject"), and establishes and discloses the following Privacy Policy (hereinafter "this Policy") to promptly and smoothly handle data subjects' complaints regarding personal information protection.
Article 2 (Principles of Personal Information Processing)
The Company collects users' personal information in accordance with PIPA and this Policy. Collected personal information may be provided to third parties only with the data subject's consent. However, in cases falling under each subparagraph of Articles 17 and 18 of PIPA — such as where there are special provisions in laws, or where it is unavoidable to comply with statutory obligations — personal information may be provided to third parties without the data subject's consent.
Article 3 (Disclosure of this Policy)
1. The Company discloses this Policy on the first page of the Company website or on a page linked from the first page, so that users can easily check this Policy at any time.
2. When disclosing this Policy under paragraph 1, the Company makes this Policy easily identifiable to users by utilizing font size, color, and similar means.
Article 4 (Changes to this Policy)
1. This Policy may be revised in accordance with changes in relevant laws, guidelines, public notices, or the Company's service policies or content.
2. When revising this Policy, the Company shall provide notice through one or more of the following methods:
a. Notice through the announcement section of the Company's website or through a separate window;
b. Notice to users in writing, by facsimile, by email, or by similar methods.
3. Notice under paragraph 2 shall be given at least 7 days prior to the effective date of the revision. However, where there are significant changes to users' rights or obligations, notice shall be given at least 30 days in advance.
Article 5 (Information Collected for Membership Registration)
The Company collects the following information for membership registration to use the Company Services.
1. Required information: name, mobile phone number, email address, password.
2. Passwords are stored using one-way encryption so that they cannot be confirmed by anyone other than the user.
Article 6 (Information Collected for Service Provision)
The Company collects the following information to provide its services to users.
1. Required information: user ID, email address, name, contact details.
2. Information for settlement with shippers/counterparties and tax invoice issuance: copy of business registration certificate, business registration number, company name, representative's name, business address (in the case of a sole proprietor, the representative's resident registration number is included — see Article 16-2).
Article 7 (Information Collected for Service Usage and Misuse Verification)
The Company collects the following information for statistics and analysis of users' service use and for the verification and analysis of misuse. ("Misuse" means unlawful acts such as illegal misappropriation of others' information or information theft through unauthorized access by former employees.)
1. Required information: access information (IP) and device information, access date and time, service usage records.
Article 8 (Methods of Personal Information Collection)
The Company collects users' personal information through the following methods:
1. The user directly enters personal information on the website where the Company Services are provided;
2. The Company receives information through a separate communication channel for the user's convenience and inputs it on the user's behalf;
3. The user enters personal information through a link sent by the Company;
4. Information is automatically generated/collected through automated tools (cookies, pixels, SDKs, log analysis, etc.).
Article 9 (Use of Personal Information)
The Company uses personal information for the following purposes:
1. Where necessary for Company operations, such as delivery of announcements;
2. Responses to user inquiries and improvement of services for users;
3. Provision of Company Services (forwarding operations, BL/customs clearance support, TOMS/PMS, etc.);
4. Restriction of use against members who violate laws or the Company's terms of service, and prevention/sanction of acts that impede the smooth operation of services;
5. Performance of incidental accounting/settlement tasks such as transaction settlement and tax invoice issuance.
Article 10 (Retention and Use Period of Personal Information)
1. The Company retains and uses users' personal information until the purpose of collection and use has been achieved.
2. Notwithstanding paragraph 1, the Company retains service-misuse records for up to 3 years from the time of membership withdrawal, in accordance with its internal policy, to prevent fraudulent registration and use.
Article 11 (Retention and Use Period of Personal Information under Laws)
The Company retains and uses personal information in accordance with relevant laws as follows:
1. Retention pursuant to the Protection of Communications Secrets Act:
a. Website log records: 3 months.
2. All books and supporting documents relating to transactions pursuant to the Framework Act on National Taxes: 5 years.
Article 12 (Principles of Personal Information Destruction)
As a general rule, the Company destroys personal information without delay when it is no longer needed — for example, upon achievement of the processing purpose or upon expiration of the retention/use period.
Article 13 (Procedures for Personal Information Destruction)
1. Information entered by users for membership registration and similar purposes is moved to a separate database after the processing purpose has been achieved, stored for a certain period in accordance with internal policy and relevant laws, and then destroyed.
2. The Company destroys personal information for which grounds for destruction have arisen, after going through the approval procedure of the Personal Information Protection Officer.
Article 14 (Methods of Personal Information Destruction)
The Company permanently deletes personal information stored in electronic file format using technical methods that prevent records from being reproduced; personal information recorded or stored in paper form is destroyed by shredding or incineration.
Article 15 (Rights of Data Subjects and Methods of Exercise)
1. Data subjects may exercise the following rights against the Company at any time:
a. Request to access personal information;
b. Request to correct errors;
c. Request to delete;
d. Request to suspend processing;
e. Withdrawal of consent to collection, use, or provision of personal information.
2. Rights under paragraph 1 may be exercised by contacting the Personal Information Protection Officer designated in Article 30 in writing, by phone, or by email, and the Company will respond without delay.
3. Where a data subject requests correction or deletion of errors in personal information, the Company will not use or provide the relevant personal information until such correction or deletion has been completed.
4. Rights under paragraph 1 may also be exercised through a legal representative or an agent duly authorized by the data subject. In such case, a power of attorney in the form prescribed by Annex Form No. 11 of the Enforcement Rule of PIPA must be submitted.
Article 16 (User Obligations)
1. Users must keep their personal information up to date. The user is responsible for problems arising from inaccurate information entered by the user.
2. In the case of membership registration using another person's personal information, the user may lose user status or be subject to punishment under applicable laws.
3. Users are responsible for maintaining the security of their email address, password, etc., and may not transfer or lend such credentials to third parties.
Article 16-2 (Processing of Sensitive and Unique Identifying Information)
1. The Company processes the following unique identifying information in order to issue tax invoices and perform settlement work for users or shippers who are sole proprietors.
| Processing Items | Processing Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Copy of business registration certificate (including representative's resident registration number for sole proprietors) | Tax invoice issuance, settlement work, verification of business information | Value-Added Tax Act, Art. 32 / Income Tax Act, Art. 145 / Framework Act on National Taxes, Art. 85-3 | 5 years under the Framework Act on National Taxes |
2. The Company processes the above unique identifying information only with separate consent under Articles 24 and 24-2 of PIPA, or where there is an explicit legal basis.
3. When processing the above information, the Company applies technical and managerial measures to ensure security — such as encryption and access controls — and destroys the information without delay once the processing purpose is achieved or the retention period has expired.
Article 17 (Outsourcing of Personal Information Processing)
1. The Company may outsource part of its personal information processing to external specialized service providers in order to provide its services smoothly.
2. When entering into outsourcing agreements, the Company specifies in the contract, pursuant to Article 26 of PIPA, matters such as the prohibition of processing personal information for purposes other than performance of the outsourced work, technical and managerial protection measures, restrictions on sub-outsourcing, management/supervision of the trustee, and liability for damages, and supervises whether the trustee processes personal information safely.
3. The Company's current outsourcing of personal information processing is as follows:
| Trustee | Scope of Outsourced Work |
|---|---|
| Amazon Web Services, Inc. (AWS) | Cloud infrastructure operation; email delivery (Amazon SES) |
| Vercel Inc. | Frontend hosting and deployment |
| Linkhub Inc. (Popbill) | KakaoTalk Alimtalk/SMS delivery, tax invoice issuance, business number verification |
| Twilio Inc. | International SMS delivery |
| Sendbird Inc. | Chat and messaging functionality |
| Mixpanel, Inc. | Service usage behavior analytics |
| Functional Software, Inc. (Sentry) | Error and exception monitoring |
| Google LLC (Google Analytics 4) | Web traffic analytics |
| Slack Technologies, LLC | Internal collaboration and messaging |
| Notion Labs, Inc. | Operation of work collaboration tool |
4. Any change to the scope of outsourced work or to the trustees will be disclosed through this Policy.
Article 18 (Overseas Transfer of Personal Information)
1. The Company may transfer personal information overseas as follows, for purposes such as service provision:
| Recipient | Country | Date / Method of Transfer | Items Transferred | Purpose of Transfer | Retention / Use Period | Recipient's Privacy Officer Contact |
|---|---|---|---|---|---|---|
| Amazon Web Services, Inc. | United States | At the time of service use, via network transmission | All information entered or generated by users | Cloud infrastructure and email service provision | Until termination of the outsourcing agreement | aws-korea-privacy@amazon.com |
| Vercel Inc. | United States | At the time of service use, via network transmission | Access information (IP), device information, access logs | Frontend hosting and deployment | Until termination of the outsourcing agreement | privacy@vercel.com |
| Twilio Inc. | United States | At the time of international SMS delivery, via network transmission | Recipient mobile phone number, message content | International SMS delivery service | Until termination of the outsourcing agreement | privacy@twilio.com |
| Sendbird Inc. | United States | At the time of service use, via network transmission | All information entered by users in messages | Chat and messaging functionality | Until termination of the outsourcing agreement | privacy@sendbird.com |
| Mixpanel, Inc. | United States | At the time of service use, via network transmission | Access information (IP), device information, service usage records | Service usage behavior analytics | Until termination of the outsourcing agreement | privacy@mixpanel.com |
| Functional Software, Inc. (Sentry) | United States | At the time an error occurs, via network transmission | Device/access information and related logs at the time of error | Error and exception monitoring | Until termination of the outsourcing agreement | privacy@sentry.io |
| Google LLC (Google Analytics 4) | United States | At the time of service use, via network transmission | Cookies, access information (IP), device information, website usage records | Web traffic analytics | Until termination of the outsourcing agreement | https://support.google.com/policies |
| Slack Technologies, LLC | United States | At the time of service use, via network transmission | All information entered by users in messages | Internal collaboration and messaging | Until termination of the outsourcing agreement | privacy@salesforce.com |
| Notion Labs, Inc. | United States | At the time of service use, via network transmission | Information recorded in the course of work collaboration | Operation of work collaboration tool | Until termination of the outsourcing agreement | privacy@makenotion.com |
2. Pursuant to Article 28-8 of PIPA, data subjects have the right to refuse the overseas transfer of their personal information. If a data subject refuses, the use of certain services may be restricted. Refusal may be made by contacting the Personal Information Protection Officer designated in Article 30.
Article 19 (Processing of Pseudonymized Information)
1. The Company may process pseudonymized information without the data subject's consent for purposes such as statistics, scientific research, and public-interest record preservation.
2. When processing pseudonymized information, the Company complies with Articles 28-2 through 28-7 of PIPA, and any combination or release of pseudonymized information that may identify a specific individual is carried out only through a specialized agency designated by law.
Article 20 (Personal Information of Children Under 14)
The Company does not collect personal information of children under 14. The Company Services are provided to businesses and to the officers, employees, and representatives belonging to such businesses; membership registration by children under 14 is not permitted.
Article 21 (Rights Regarding Automated Decisions)
1. The Company does not currently operate automated decisions under Article 37-2 of PIPA (decisions made by fully automated systems processing personal information that have a significant impact on the rights or obligations of data subjects).
2. If the Company operates automated decisions in the future, it will amend this Policy to disclose in advance the standards and procedures, the main categories of personal information used, and the methods for requesting refusal or explanation.
Article 22 (Security Measures for Personal Information)
The Company implements the following technical, managerial, and physical measures to ensure that personal information is not lost, stolen, leaked, forged, altered, or damaged when processed:
1. Minimization and training of staff handling personal information;
2. Differentiated access rights and access control over personal information;
3. Encryption of personal information (encryption applied in transit and at rest; one-way encryption for passwords);
4. Technical measures against hacking, etc. (anti-virus, firewalls, intrusion detection systems, etc.);
5. Storage of access logs and prevention of forgery/alteration (minimum 1 year; 2 years or more when processing personal information of 50,000+ data subjects or sensitive/unique identifying information);
6. Backup and recovery procedures for personal information;
7. Access controls against unauthorized persons.
Article 23 (Password Encryption)
Users' passwords are stored and managed using one-way encryption. Confirmation and modification of personal information is possible only by the user who knows the password.
Article 24 (Measures Against Hacking, etc.)
1. The Company endeavors to prevent the leakage or damage of users' personal information due to intrusion into the information and communications network, including by hacking and computer viruses.
2. The Company uses up-to-date anti-virus programs and cloud firewalls to prevent leakage or damage of users' personal information and data.
3. The Company uses intrusion-blocking systems provided by its cloud service to maintain security in the event of an incident.
4. The Company transmits personal information securely over the network through encrypted communications and similar measures.
Article 25 (Minimization of Personnel Handling Personal Information)
The Company limits the number of personnel involved in personal information processing to the minimum necessary.
Article 26 (Measures for Personal Information Breaches)
1. When the Company becomes aware of the loss, theft, or leakage of personal information (collectively, a "Breach"), it will notify affected data subjects of all of the following within 72 hours:
a. The items of personal information involved in the Breach;
b. The time and circumstances of the Breach;
c. Information on what data subjects can do to minimize potential harm from the Breach;
d. The Company's response measures and damage-relief procedures;
e. The department and contact through which data subjects may file reports if harm occurs.
2. The Company will report to the Personal Information Protection Commission ("PIPC") or the Korea Internet & Security Agency ("KISA") within 72 hours in any of the following cases:
a. Where 1,000 or more data subjects' information has been leaked;
b. Where sensitive information or unique identifying information has been leaked;
c. Where the leakage results from unlawful external access, such as hacking.
3. Where the Company gives notice after 72 hours of becoming aware of the Breach without just cause, it will also disclose the reasons for the delay.
Article 27 (Exceptions to Breach Notification Measures)
Notwithstanding Article 26, where there is just cause such as the inability to identify a data subject's contact information, the Company may, in lieu of the notice in Article 26, post the relevant information on the Company website for at least 30 days.
Article 28 (Installation, Operation, and Refusal of Automatic Personal Information Collection Devices)
1. The Company uses automatic personal-information collection devices (collectively, "Cookies and Similar Technologies") that store and retrieve usage information to provide tailored services. These include cookies, pixels, beacons, mobile SDKs, and log analysis tools — small pieces of information sent by the website server (http) to the user's web browser (PC or mobile) or automatically generated during app/service use.
2. Users have the right to choose with respect to cookie installation. Users may, by configuring their web browser, accept all cookies, be prompted whenever a cookie is to be stored, or refuse the storage of all cookies.
3. However, refusing cookie storage may impair the use of some services.
Article 29 (How to Set Cookie Permissions)
Cookie permission/blocking settings can be configured through the options of major web browsers:
1. Microsoft Edge: Settings > Cookies and site permissions > Manage and delete cookies and site data
2. Google Chrome: Settings > Privacy and security > Cookies and other site data
3. Apple Safari: Preferences > Privacy > Cookies and website data
4. Mozilla Firefox: Settings > Privacy & Security > Cookies and Site Data
5. Naver Whale: Settings > Privacy > Cookies and other site data
Article 30 (Personal Information Protection Officer and Department in Charge)
1. The Company designates a Personal Information Protection Officer ("PIPO") and a department in charge as follows, in order to protect users' personal information and handle related complaints:
Personal Information Protection Officer
- Name: Hyungchul Choi
- Position: Chief Executive Officer (CEO)
- Contact: +82-1533-1230
- Email: toms@portlogics.com
Personal Information Protection Department
- Department: Development Division
- Contact: +82-1533-1230
- Email: toms@portlogics.com
2. The Company operates a dedicated department for personal information protection and reviews the implementation of this Policy and personnel compliance, in order to promptly resolve and remedy any issues identified.
3. Data subjects may submit requests under Article 35 of PIPA to access their personal information to the department in charge above. The Company will endeavor to process such requests promptly.
Article 31 (Remedies for Infringement of Rights)
To seek remedies for infringement of personal information rights, data subjects may apply for dispute resolution or consultation to the following organizations. These organizations are independent from the Company. If you are not satisfied with the Company's own complaint handling or damage relief outcome, or if you require more detailed assistance, please contact them:
1. Personal Information Dispute Mediation Committee: 1833-6972 / www.kopico.go.kr
2. Personal Information Infringement Report Center: 118 / privacy.kisa.or.kr
3. Supreme Prosecutors' Office Cyber Investigation Division: 1301 / www.spo.go.kr
4. National Police Agency Cyber Investigation Bureau: 182 / ecrm.police.go.kr
In addition, any person whose rights or interests have been infringed by a disposition or omission of the head of a public agency in response to a request under Articles 35 (access), 36 (correction/deletion), or 37 (suspension of processing) of PIPA may file an administrative appeal pursuant to the Administrative Appeals Act.
Addendum
This Policy takes effect on June 1, 2026.
Previous versions of the Privacy Policy can be found below.
(The applicable period and link for previous versions will be announced on the Company website upon implementation.)