+82-2-711-6880
Phone : Mon–Sat, Holidays 10–16 (UTC+9)
Chat : Mon–Fri 08–18 / Sat–Sun, Holidays 10–16 (UTC+9)
Tripbtoz Co., Ltd. (hereinafter referred to as the 'Company' or 'Tripbtoz') is a global online travel platform providing accommodation reservation services to customers worldwide, prioritizing the protection of customer personal information above all else.
The Company complies with the personal information protection laws and regulations of the following countries:
● Republic of Korea
- 「Personal Information Protection Act」
- "Act on Promotion of Information and Communications Network Utilization and Information Protection, etc."
- "Act on Consumer Protection in Electronic Commerce, etc."
● Japan
- 「Act on the Protection of Personal Information」
- 「Act on Specified Commercial Transactions」
● Indonesia
- 「Personal Data Protection Act」(PDP Act No. 27/2022)
- Government Regulation on the Implementation of Electronic Systems
This Privacy Policy explains the personal information collected, used, stored, and shared when you use Tripbites' website, mobile application, and related services (hereinafter the 'Platform').
The Company's Privacy Policy may be amended in accordance with changes in relevant laws and policies. In the event of significant changes, prior notice will be provided via platform announcements and email at least 7 days prior to implementation (or 30 days prior for critical matters).
The Company processes personal information for the following purposes. Personal information being processed will not be used for any purpose other than those listed below. Should the purpose of use change, the Company will take necessary measures, such as obtaining separate consent in accordance with the Personal Information Protection Act.
1) Member registration and management
- Confirming membership registration intent, identifying and authenticating users for membership-based services, maintaining and managing membership status, preventing fraudulent service use, verifying age eligibility for service use, and providing various notices and communications
2) Collection of Personal Information for Service Provision, Including Accommodation Booking Agency Services
- Providing accommodation reservation agency services and related activities (notifying details regarding accommodation usage contracts and their fulfillment, identity verification, payment processing and settlement, debt collection, improving accommodation reservation agency services, etc.)
- Provision of other services (content, rankings, chat, etc.) and related activities (providing customized services, service improvements, etc.)
- Verifying the identity of complainants, confirming complaint details, contacting for fact verification, and notifying of processing results
3) - Development of new services and marketing. Use for advertising purposes (provision of advertising information is optional)
- Service provision based on usage frequency and marketing characteristics, and for CRM purposes
- Development of new services and provision of customized services, service provision based on statistical characteristics, and placement of advertisements
- Verifying service validity, providing event and promotional information, offering participation opportunities for events, etc., analyzing access frequency, and compiling statistics on member service usage
4) Processing event winners (processing limited to winners)
- Prize distribution to event winners and handling inquiries
- Handling taxes and duties for prizes exceeding 50,000 won
5) Personal information processing required by law
6) Other processing activities conducted with separate consent from the data subject
7) Global Service Provision
- Providing accommodation reservation services in Japan and Indonesia
- Customer support in various languages (Korean, English, Japanese, Indonesian)
- Fulfilling reservation contracts with local accommodation facilities in each country
- Protection of personal information and provision of information in accordance with the laws and regulations of each country
1) The company collects only the minimum personal information necessary for service provision, uses collected personal information solely within the disclosed scope, and does not use it beyond this scope or disclose it externally without prior consent.
2) Should the company need to collect additional personal information beyond the items listed below, it will notify the data subject in advance and collect such information only from data subjects who have given their consent.
3) Collection Methods
- Direct input during membership registration, accommodation reservations, or customer center inquiries
- Automatically collected during service use (cookies, logs, etc.)
- Received from affiliated accommodation facilities and payment service providers
Classification | Collection Timing | Purpose of Collection | Items Collected | Country-Specific Notes | Retention Period |
Required | Membership Registration | Member identification, service provision, identity verification | -Email (ID): Password, Date of Birth, Email [When signing up via SNS] -Apple: Account ID, Email -Google: Account ID, Email, Profile Photo, Name -Kakao: Account ID, Email, Phone Number, Nickname, Name, Profile Photo -Facebook: Account ID, Name, Email, Profile Photo - Naver: Account ID, name, email, profile photo
- Verification status, verification timestamp, verification method |
| Immediately destroyed upon account deletion However, email addresses (hashed values) are retained for 30 days to prevent duplicate sign-ups
|
Required | Accommodation reservation | Reservation processing, accommodation information delivery, payment processing | [Reservation Information] - Full Name (Korean/English), Email Address, Mobile Phone Number, Nationality, Identity Verification Information (ID) [Guest Information] - Name (English), Number of Guests, Special Requests (optional) |
| [Member] - Destroyed upon membership withdrawal [Non-Member] - 30 days after checkout [Common] -May be retained for up to 5 years in accordance with relevant laws and regulations
|
Required | At the time of payment | Fee payment processing | [Credit/Debit Card] -Card number, expiration date, first 2 digits of PIN, date of birth or business registration number [Convenient Payment] - Payment method identifier, transaction authorization number
| [Japan] - Billing address for payment receipt issuance (if required) [Indonesia] - Bank account number (for refunds)
| Card information is not stored by Tripbites (sent directly to the payment processor) Transaction records: Retained for 5 years per the Electronic Commerce Act
|
Required | When using the service | Preventing fraudulent use, security, service improvement | [Automatically Collected] - Access logs (IP address, access time), device information (OS, browser, app version), cookie ID, advertising identifier (ADID/IDFA)
| [Japan] Cookie Usage Consent
| Immediately destroyed upon account deletion or consent withdrawal |
Required | Customer inquiries | Handling inquiries and complaints | [Chat] - Name, contact information, reservation number or email [Email] - Sender's email address, inquiry details
|
| Retained for 3 years per the Electronic Commerce Act |
Optional | Membership registration | To provide service convenience | [When signing up with Naver] - Name, Nickname, Profile Photo, Gender, Age Group
|
| Destroyed upon account deletion |
Optional | Payment Card Storage | For re-payment convenience | [When paying by credit card] - Card number, expiration date, first 2 digits of PIN, date of birth
|
| Payment information is collected for transmission to the card issuer but is not stored separately by Tripbites |
Optional | Marketing Consent | Promotional notifications, personalized ads | - Email address, mobile phone number, push token |
| Immediately destroyed upon withdrawal of consent or account deletion |
Opt-in | Event Participation | Prize distribution, winner verification | - Name, address, mobile phone number, email, resident registration number (for tax and public charge processing) |
| 1 month after event conclusion (Tax reporting: 5 years) |
【 Notice Regarding Personal Information Collection 】
1) Impact of Not Providing Required Information
a) Unable to register as a member
b) Unable to proceed with accommodation reservations
c) Payment and reservation confirmation not possible
2) Consequences of Not Providing Optional Information
a) Basic services available
b) Customized recommendation services are limited
c) Unable to receive promotional information
d) Limited access to certain convenience features
3) Children under 14 years of age
a) Tripbites does not accept membership registrations from children under 14 years of age
b) If information about children under 14 is collected, it will be immediately destroyed
c) When booking accommodations, child information must be provided by a legal guardian
4) Restrictions on Collection of Sensitive Information
a) The following information is not collected as a rule:
i) Race, ethnicity, ideology, beliefs, political orientation
ii) Health or medical information (except when voluntarily provided in accommodation requests)
1) Retention pursuant to relevant laws and regulations
Retained Information | Retention Basis | Retention Period |
Contract or subscription withdrawal, payment settlement, supply records of goods, etc. | Article 6 of the Act on Consumer Protection in Electronic Commerce, etc. | 5 years |
Records concerning payment settlement and supply of goods, etc. | Article 6 of the Act on Consumer Protection in Electronic Commerce, etc. | 5 years |
Records concerning payment of taxes, public dues, etc. | National Tax Basic Act | 5 years |
Records concerning consumer complaints or dispute resolution | Article 6 of the Act on Consumer Protection in Electronic Commerce, etc. | 3 years |
Records concerning labeling/advertising | Article 6 of the Act on Consumer Protection in Electronic Commerce, etc. | 6 months |
Records concerning site visits | Article 15-2 of the Communications Secrecy Protection Act | 3 months |
2) When retained in accordance with internal policies
Reason for retention | Retention Period |
When the retention period prescribed by law has expired during a dispute process, such as a civil complaint or lawsuit, between the company and the data subject | Until the conclusion of the investigation or inquiry |
When creditor-debtor relationships arising from service use remain outstanding | Until settlement of the creditor-debtor relationship |
When fraudulent transaction records exist Upon member withdrawal | Retained for one year to prevent fraudulent use, then destroyed |
3) Statutory retention period by country
a) Japan
Retention Information | Legal Basis | Retention Period |
Guest Register (宿帳) | Article 5 of the Enforcement Rules of the Inn Business Act | 3 years |
Transaction-Related Ledgers | Company Law, Tax Law | 7 to 10 years |
Payment Records | Funds Settlement Act | 5 years |
b) Indonesia
Archival Information | Legal Basis | Retention Period |
Electronic Transaction Records | UU ITE No. 19/2016 | 5 years |
Personal Data Processing Records | UU PDP No. 27/2022 | 5 years |
Accounting and Tax Records | Tax Law | 10 years |
1) Automatic Collection of Cookies
The Company installs and operates 'cookies' to store and retrieve information about data subjects from time to time. Cookies are small text files sent by the server used to operate the Company's website to the data subject's browser and stored on the data subject's computer hard disk.
a) Purpose of Using Cookies, etc.
To analyze the frequency and duration of visits to the website, identify the data subject's preferences and areas of interest, track their activity, and determine participation in various events and visit frequency, thereby enabling targeted marketing and personalized services.
b) How to Refuse Cookie Settings
Data subjects have the right to choose whether to accept cookies. To refuse cookies, data subjects can select options in their web browser to allow all cookies, confirm each time a cookie is stored, or refuse to store all cookies.
※ How to set
- Internet Explorer: Tools > Internet Options > Privacy
- Chrome: Browser top right icon > Settings > Show advanced settings > Content settings button in the Privacy section > Set directly in the Cookies section
- Safari: Menu bar > Preferences > Privacy > Cookies and Website Data > Manage Settings
- Firefox: Web browser top right icon > Settings > Privacy & Security > Cookies and Site Data > Set directly
c) However, if a customer refuses to install cookies, there may be restrictions on using the company website.
2) Purpose of Operating Google Analytics
The company operates Google Analytics, a web log analysis tool provided by Google Inc. (hereinafter referred to as 'Google'), for the purpose of providing optimized services to data subjects. Web log analysis refers to analyzing the patterns of service usage by data subjects on the website. Google processes information on behalf of the company to analyze data subjects' website usage. No personally identifiable information is processed during this process.
a) Opt-Out Method
If you do not wish Google to process your information, you can download and install an add-on for your web browser at tools.google.com/dlpage/gaoptout to opt out of Google's information processing.
※ Example setup method (for Internet Explorer): Download and run the Google Analytics Opt-out Browser Add-on > Restart the browser
b) However, if you opt out of web log analysis, there may be difficulties in providing the service.
3) Country-Specific Differences in Cookie Policies
a) South Korea
i) Prior Notice and Consent for Cookie Use
ii) Basic service use possible even when cookie settings are refused
b) Japan
i) Explicit consent required via cookie banner
ii) Compliance with Article 21 (Obligation to Specify Purpose of Use) of the Personal Information Protection Act
iii) Prior notice of partial functionality restrictions when cookies are refused
c) Indonesia
i) Requires explicit consent under the Personal Data Protection Law (UU PDP)
ii) Detailed explanation of cookie usage purposes
iii) Provide a mechanism to withdraw consent at any time
The company shall, in principle, promptly destroy personal information once it is no longer necessary, such as upon expiration of the retention period or achievement of the purpose of use. However, it may be retained for a certain period and then destroyed as stipulated in the Terms of Service or other relevant laws and regulations.
The procedures and methods for destroying or retaining personal information under this clause are as follows.
1) Personal Information Destruction Procedure
Personal information for which a reason for destruction or retention has occurred is selected, and the personal information is destroyed or retained upon approval by the personal information protection officer.
2) Methods of Personal Information Destruction
The Company destroys personal information recorded and stored in electronic file format in a manner that prevents its reproduction. Personal information recorded and stored on paper documents is destroyed by shredding or incineration.
3) Separate Storage Method for Personal Information
Separate information subject to segregation is stored in a separate database. Access rights to this database are restricted to a minimum number of personnel and managed accordingly.
The company shall not provide personal information to third parties except when consent is obtained from the data subject or when required by special provisions of law, as stipulated in Article 17 of the Personal Information Protection Act.
The company provides the personal information of data subjects as follows for service provision.
Recipient | Purpose of Provision | Items Provided | Retention and Use Period |
Accommodation Service Providers | Providing reserved/purchased products/services and fulfilling contracts (verifying data subjects and usage information), resolving consumer disputes including handling complaints | Reservation Information (Reservation Name, Email, Mobile Phone Number) or Guest Information (Guest Name, Email, Mobile Phone Number) | Until the purpose of using personal information is achieved. However, if retention is necessary under relevant laws and regulations, it will be retained until that point and then destroyed without delay |
NAVER Corporation | Service partnerships, cost settlement, and providing convenience to data subjects | Reservation information (reservation number, encrypted Naver ID, reservation status), product information (reservation date/time, check-in/check-out date/time, hotel name), payment information (payment amount, payment status, payment date/time) | Until the purpose of using personal information is achieved. However, if retention is required by relevant laws and regulations, it will be retained until that point and destroyed without delay. |
Korea Tourism Organization, SK M&Service (Integrated Management and Operation Agency for this Project) | Delivery of COVID-19 related notifications and crisis response (prevention of infectious disease transmission), issuance of Accommodation Sale Festa discount coupons | Residence (Province/City, City/County/District level), Year of Birth, Gender, CI (Linked Information), Reservation Information (Payment Amount, Facility Name, Check-in Date, Number of Nights Stayed) | Within 4 months after event conclusion |
National Tax Service | Processing of taxes and public dues for event winners | Resident registration number | Subject to Article 3, Paragraph 1 of this Policy |
The data subject may refuse to consent to the provision of personal information to third parties and may withdraw such consent at any time. Even if consent is refused, some services may still be available; however, the use/provision of services based on third-party provision may be restricted.
The company provides the personal information of data subjects as follows for the purpose of providing services.
Data subjects may refuse to consent to the outsourcing of personal information processing and may withdraw their consent at any time. Consent may be withdrawn by submitting a request through the "11. Data Protection Officer." Even if consent is refused, some services may still be used; however, the use/provision of services based on the outsourced processing may be restricted.
● Unified Data Center Information
Location | Facility | Region | Migration Method |
Seoul, South Korea | Amazon Web Services (AWS) | ap-northeast-2 (Seoul Region) | Encrypted Transmission Over the Network (TLS 1.3) |
All users' personal information is stored in Amazon Web Services (AWS) data centers located in Seoul, South Korea.
Data for all users in Korea, Japan, Indonesia, etc., is stored in Seoul, South Korea.
Personal information of overseas users is transferred to the Republic of Korea as contractually necessary for service fulfillment, with appropriate safeguards applied.
Tripbites securely transfers personal information for all international transfers by applying Standard Contractual Clauses (SCC) or equivalent legal safeguards approved by the supervisory authorities of each country.
Recipient (Contact) | Country of Transfer | Purpose of Transfer | Information Transferred | Transfer Date and Method | Retention and Use Period |
EAN (Expedia Affiliate Network, 407 St John Street, London, EC1V 4EX) (expediaaffiliates. support@ partnerize.com) | United Kingdom | Accommodation Booking Service Agreement Execution and Related Customer Support | Reservation information (email), guest information (guest's English name, mobile phone number), and information provided by the guest with consent for customer support | Transmission via network at the time of service use | Until the purpose is achieved. However, if retention is required by applicable laws and regulations, it will be retained until that point and then destroyed without delay |
HotelsCombined Pty Ltd (boskim@ kcllaw.com) | Australia | Service Partnership, Cost Settlement, Providing Convenience to Data Subjects | Reservation Information (Reservation Number, Encrypted HotelsCombined ID (for customers who purchased after logging into HotelsCombined), Reservation Status), Product Information (Reservation Date/Time, Check-in/Check-out Date/Time, Hotel Name), Payment Information (Payment Amount, Payment Status, Payment Date/Time) | Transmission via network at the time of service use | Until the purpose of transfer is achieved. However, if retention is required by relevant laws and regulations, data will be retained until such time and then destroyed without delay |
Agoda Company Pte. Ltd (36 Robinson Road, #20-01 City House, Singapore 068877) | Singapore | To fulfill the accommodation reservation service agreement and provide related customer support | Reservation information (email), guest information (guest's English name, mobile phone number), and information provided by the guest with consent for customer support | Transmission via network at the time of service use | Until the purpose is achieved. However, if retention is required by relevant laws and regulations, it will be retained until that point and destroyed without delay thereafter |
HONG KONG HAIGUAN TRAVEL TECHNOLOGY CO., LIMITED (FLAT/RM 11, 13/F, Lippo Sun Plaza, No.28 Canton Road, Tsim Sha Tsui, KL, Hong Kong) | China | Accommodation reservation service contract fulfillment and related customer support | Reservation information (email), guest information (guest's English name, mobile phone number), and information provided by the guest with consent for customer support | Transmission via network at the time of service use | Until the purpose is achieved. However, if retention is required by relevant laws and regulations, it will be retained until that point and destroyed without delay thereafter |
HPG R&D LTD (HyperGuest) | Germany |
Performance of the accommodation reservation service agreement and related customer support
|
Reservation information (email), guest information (guest's English name, mobile phone number), and information provided by the guest with consent for customer support
|
Transmission via network at the time of service use
| Until the purpose is achieved. However, if retention is required by relevant laws and regulations, it will be retained until that point |
Emerging Travel Inc. 032 Limassol, Republic of Cyprus) | United States / Cyprus |
Accommodation Reservation Service Agreement Execution and Related Customer Support
|
Reservation information (email), guest information (guest's English name, mobile phone number), and information provided by the guest with consent for customer support
|
Transmission via network at the time of service use
| Until the purpose is achieved. However, if retention is required by relevant laws and regulations, it will be retained until that point |
Ohmyhotel & Co., Ltd. | Korea / Vietnam |
Performance of the Accommodation Reservation Service Agreement and related customer support
|
Reservation information (email), guest information (guest's English name, mobile phone number), and information provided and consented to by the guest for customer support
|
Transmission via network at the time of service use
| Until the purpose is achieved. However, if retention is required by relevant laws and regulations, it will be retained until that point |
HOTELBEDS PTE. LTD. (101 Thomson Road, #16-01 United Square, Singapore) (northasia.english@hotelbeds.com) | Singapore |
Performance of the Accommodation Reservation Service Agreement and related customer support
|
Reservation information (email), guest information (guest's English name, mobile phone number), and information provided by the guest with consent for customer support
|
Transmission via network at the time of service use
| Until the purpose of the transfer is achieved. However, if there is a necessity to preserve the data under relevant laws and regulations, it shall be preserved until that point. |
1) In addition to the preceding paragraph, personal information may be provided overseas or entrusted to overseas entities based on the data subject's consent or special provisions of law.
2) If the content of the overseas provision or entrusted tasks, or the recipient or entrusted party changes, this will be disclosed through this Privacy Policy.
3) When concluding an outsourcing contract, the company specifies in the contract or other documents matters related to responsibility, such as the prohibition of processing personal information beyond the purpose of performing the task, technical and administrative protective measures, restrictions on re-outsourcing, management and supervision of the contractor, and compensation for damages, in accordance with the Personal Information Protection Act. The company supervises whether the contractor processes personal information safely.
The Company entrusts the processing of data subjects' personal information as follows for service provision. Data subjects may refuse to consent to the entrustment of personal information processing and may withdraw their consent at any time. Even if consent is refused, some services may still be used; however, the use/provision of related services based on the entrusted processing may be restricted.
Recipient | Location | Entrusted Tasks |
South Korea | - Storage of reservation and membership data for all users in Korea, Japan, and Indonesia -Cloud server and database management - Backup and disaster recovery services - Security | |
Nice Payments, KCP, Naver Financial, Kakao Pay, Toss Payments, Toss (Viva Republica) | Republic of Korea | Processing payments for accommodation reservations via credit cards, mobile payments, etc. |
South Korea | Mobile phone identity verification to confirm age of 14 or older for accommodation reservations | |
Republic of Korea | Providing chat services | |
South Korea | Marketing Notification Messages | |
South Korea | Service usage information, marketing information, newsletters (promotions, events, new services, etc.) Email delivery | |
Republic of Korea | Kakao Talk notification transmission | |
11st Co., Ltd., KT Alpha Co., Ltd. | Republic of Korea | Mobile Gift Certificate Dispatch |
South Korea | CS Platform (Using Nexus Cube) | |
South Korea | CS Chat Platform |
1) In addition to the preceding paragraph, personal information processing may be outsourced when the data subject consents or when required by special legal provisions.
2) If the content of the entrusted tasks or the entrusted party changes, we will disclose this through this Personal Information Processing Policy.
3) When concluding an outsourcing contract, the company specifies in the contract or other documents matters related to responsibility, such as the prohibition of processing personal information for purposes other than performing the outsourced tasks, technical and administrative protective measures, restrictions on re-outsourcing, management and supervision of the contractor, and compensation for damages, in accordance with the Personal Information Protection Act. The company supervises whether the contractor processes personal information safely.
1) For children under the age of 14, the legal representative has the right to access, correct, delete, suspend processing, and withdraw consent for the collection and use of the child's personal information. However, this service does not allow membership registration for children under the age of 14.
2) Data subjects may exercise their rights to access, correct, delete, suspend processing, and withdraw consent at any time.
3) To view or correct personal information, click 'Change Personal Information' (or 'My Page - Edit Profile'). To cancel membership (withdraw consent), click 'Withdraw Membership'. Alternatively, contact the Personal Information Manager in writing, by phone, or email, and we will take action without delay.
4) Data subjects may request the suspension of personal information processing at any time. However, we may refuse such a request if there are special provisions under the law or other applicable regulations. If we refuse a suspension request, we will promptly notify the data subject of the reason.
5) If a data subject requests correction of errors in their personal information, we will not use or provide that personal information until the correction is completed. Furthermore, if incorrect personal information has already been provided to a third party, we will promptly notify the third party of the correction results to ensure the correction is implemented.
6) Personal information terminated or deleted at the user's request is processed in accordance with the "Retention and Use Period of Personal Information Collected by the Company" and is not accessible or usable for any other purpose.
7) Country-Specific Data Subject Rights
a) Users in the Republic of Korea
i) Rights under the Personal Information Protection Act
(1) Right to Request Access to Personal Information
(2) Right to Request Correction or Deletion of Personal Information
(3) Right to Request Suspension of Personal Information Processing
(4) Right to Withdraw Consent for Collection, Use, or Provision of Personal Information
ii) How to Exercise Your Rights
(1) Website: My Page → Personal Information Management
(2) Email: cs@tripbtoz.com
(3) Phone: +82-2-711-6880
(4) Mail: L7 Bldg., 415, Teheran-ro, Gangnam-gu, Seoul
iii) Reasons for Limiting Processing Suspension Requests
(1) Requests to suspend processing may be denied in the following cases.
(a) Where special provisions exist under laws and regulations
(b) When there is a risk of harm to another person's life or body
(c) When fulfilling the contract becomes significantly difficult
b) Japan Residents
i) Rights under the Act on the Protection of Personal Information (APPI)
(1) Right to Request Notification of Purpose of Use
(2) Right to Request Access to Personal Information
(3) Right to Request Correction, Addition, or Deletion
(4) Right to Request Suspension of Use, Deletion, or Suspension of Provision to Third Parties
(5) Right to File a Complaint
ii) How to Exercise Rights
(1) Email: cs@tripbtoz.com
(2) Website: My Page → Personal Information Management
(3) Mail: L7 Bldg., 415, Teheran-ro, Gangnam-gu, Seoul
iii) Processing Time and Fees
(1) Standard: Within 2 weeks after receiving the request
(2) Complex Cases: Within 1 month
(3) Fee: Free (However, actual costs may be charged for bulk copying)
iv) Consultation Agencies in Japan
(1) Personal Information Protection Commission
(2) 03-6457-9680 | ppc.go.jp
c) Indonesia Residents
i) Rights under UU PDP No. 27/2022
(1) Right of Access
(2) Right to Rectification
(3) Right to Erasure
(4) Right to Restriction
(5) Right to Data Portability
(6) Right to Object
(7) Right to Withdraw Consent
(8) Right to Lodge a Complaint
ii) How to Exercise Your Rights
(1) Email: cs@tripbtoz.com
(2) Website: My Page → Personal Data Management
(3) Mail: [Kantor Tripbtoz, Korea]
iii) Supervisory Authority
(1) Ministry of Communication and Information Technology (Kominfo)
(2) kominfo.go.id | halo@kominfo.go.id
iv) Processing Time and Fees
(1) Standard: Within 14 days
(2) Complex Cases: Up to 30 days (Reason for delay and estimated schedule provided via email)
(3) Fee: Free (Reasonable administrative fees may apply for excessive requests)
d) Common Notice (Applies to All Users)
i) Language for Exercising Rights
(1) Users may exercise their rights in Korean, English, Japanese, or Indonesian.
ii) Exercising Rights Through a Representative
(1) Data subjects may exercise their rights through an agent by submitting a power of attorney.
iii) Processing Procedure and Deadline
(1) The company will process requests within 2 weeks (up to 30 days for complex cases) from the date of receipt.
iv) and will notify the data subject via email of the reason and expected schedule if a delay is anticipated.
(1) Record Retention
v) Requests to exercise rights and the results of processing will be retained for three years for dispute resolution purposes.
(1) Reasons for Restricting Rights
vi) Some requests may be restricted in the following cases:
(1) When necessary to fulfill legal obligations
vii) When it is necessary to protect the rights or interests of third parties
(1) When significant disruption to the normal performance of a contract occurs
The Company takes the following measures to ensure the security of personal information.
The company may perform automated decision-making based on users' personal information (e.g., personalized recommendations, risk detection, etc.). However, users have the right to request an explanation of automated decisions, raise objections, and request human intervention.
1) The personal information of data subjects is protected through measures such as passwords and masking. Critical data is further safeguarded using separate security methods (based on encrypted communication with AWS through international certification).
2) The company adopts and operates security measures (SSL) that enable the secure transmission of personal information over networks through encryption.
3) The company operates its services by limiting access rights to personal information by relevant personnel to the minimum necessary.
4) The company provides ongoing training on personal information protection to all employees, prevents information leaks through security pledges, and establishes and enforces internal guidelines for personal information protection.
5) The company has established relevant policies to enable quick and appropriate responses to personal information incidents, preparing for any contingencies.
6) The company is not responsible for individual data subjects' errors or the inherent risks of the internet.
7) Compliance with Country-Specific Security Standards
a) Republic of Korea
i) Compliance with the "Standards for Ensuring the Security of Personal Information" (Personal Information Protection Commission Notice)
ii) Establishment and implementation of internal management plans
iii) Access Authorization Management
iv) Installation of Access Control Systems
v) Encryption of Personal Information
vi) Retention of Access Logs and Prevention of Tampering
vii) Installation and Periodic Inspection of Security Programs
b) Japan / 日本
i) Compliance with the "Guidelines Concerning the Act on the Protection of Personal Information"
ii) Organizational Security Management Measures
(1) Establishment of Personal Information Protection Regulations
(2) Clarification of Responsible Personnel
(3) Establishment of Incident Response System
iii) Human Resource Security Measures
(1) Employee Training
(2) Confidentiality Pledge
iv) Physical Security Measures
(1) Entry and Exit Management
(2) Theft Prevention
v) Technical Security Measures
(1) Access Control
(2) Preventing Unauthorized Access from Outside
c) Indonesia
i) Compliance with UU PDP and Related Implementing Regulations
ii) Personal Data Security Standards
iii) Information Security Management System (ISMS)
iv) Data encryption during transit and at rest
v) Periodic Security Audits
The company has designated a Personal Information Protection Officer as follows to oversee all matters related to personal information processing and to handle complaints and provide remedies for damages related to personal information processing.
Personal Information Protection Officer | Personal Information Protection Department |
Name: Kim Joon-sik Position: CPO Contact: 02-711-6880 Email: privacy@tripbtoz.com | Department Name: Information Security Office Contact: 02-711-6880 Email: privacy@tripbtoz.com |
※ Data subjects may report any privacy-related complaints arising from the use of the company's services to the Chief Privacy Officer or the responsible department. The company will provide prompt and adequate responses to all reported matters.
Users may contact the relevant national authorities listed below to seek redress for damages resulting from personal information infringement.
1) Users in the Republic of Korea
a) Personal Information Infringement Reporting Center (KISA)
i) Contact: 118 | privacy.kisa.or.kr
b) Personal Information Dispute Mediation Committee
i) Contact: 1833-6972 | www.kopico.go.kr
c) Supreme Prosecutors' Office Cyber Investigation Division
i) Contact: 1301 | www.spo.go.kr
d) National Police Agency Cyber Safety Bureau
i) Contact: 182 | cyberbureau.police.go.kr
2) Japanese Users
a) Personal Information Protection Commission
i) Contact: 03-6457-9680 | ppc.go.jp
b) National Consumer Affairs Center of Japan
i) Contact: 03-3446-1623 | kokusen.go.jp
3) Indonesia Users
a) Ministry of Communication and Information Technology (Kominfo)
i) Contact: kominfo.go.id | halo@kominfo.go.id
b) Personal Data Protection Agency (BPDP)
c) Consumer Protection Agency (YLKI)
1) Personal Data Infringement Reporting Center (http://privacy.kisa.or.kr / Dial 118 without area code)
2) Supreme Prosecutor's Office (http://spo.go.kr / 182 without area code)
3) National Police Agency (http://ecrm.cyber.go.kr / 182 without area code)
4) Personal Data Dispute Mediation Committee (http://www.kopico.go.kr / 1833-6972)
This Privacy Policy is based on the laws of the Republic of Korea and provides the same level of protection to users in Japan and Indonesia. However, the following additional information is provided in accordance with the relevant laws and regulations of each country.
1) Users in the Republic of Korea
a) Legal Basis
i) Personal Information Protection Act
ii) Act on Promotion of Information and Communications Network
Utilization and Information Protection, etc.
iii)「Act on Consumer Protection in Electronic Commerce, etc.」
b) Protection of Children Under 14
i) Membership registration is restricted for individuals under the age of 14.
ii) If children's information is collected, it will be deleted without delay.
2) Japan Residents
a) Applicable Law
i) 「Act on the Protection of Personal Information (APPI)」
b) Notice on Overseas Transfer of Personal Information
i) Personal information of Japanese users is transferred to and stored in
the Republic of Korea (AWS Seoul Region).
ii) The Republic of Korea is a country with a personal information
protection system meeting OECD and APEC standards.
c) User Rights
i) Users may request access, correction, deletion, or suspension of use of
their personal information.
ii)Explanation or objection to automated decision-making (e.g.,
recommendations)
d) Contact
i) Email: cs@tripbtoz.com (Japanese support available)
3) Indonesia Residents
a) Applicable Law
i)「Law No. 27 of 2022 on Personal Data Protection (PDP Law)」
b) Data Transfer and Protection Measures
i)All personal information is securely stored within the Republic of Korea.
ii)Encryption (SSL/TLS) and access control measures are applied
during data transmission.
c) User Rights
i)Users may access, correct, delete, suspend processing, transfer, or
withdraw consent for their personal information.
ii) Right to be notified in case of personal information infringement
d) Contact
i)Email: privacy@tripbtoz.com (Indonesian language support available)
4) Common Notice
a) The company protects the personal information of users in Japan and Indonesia within the Republic of Korea at the same security level and diligently supports requests for rights in accordance with the laws and regulations of each country.
b) All inquiries can be submitted to cs@tripbtoz.com or privacy@tripbtoz.com으로.
If the company changes its Privacy Policy, it will post the changes on the company's website at least 7 days prior to the effective date and explain them to data subjects through notices and other means.
Effective Date: February 2, 2026