Privacy policy

Tiger Quantum Co., Ltd. Privacy Policy

Tiger Quantum Co., Ltd. (hereinafter the "Company") complies with the Personal Information Protection Act ("PIPA") and relevant laws and regulations to protect the freedom and rights of data subjects in operating the HARU HUGA official online mall (hereinafter the "Mall").

The Company processes personal information lawfully and manages it securely. In accordance with Article 30 of PIPA, the Company hereby establishes and discloses the following Privacy Policy in order to inform data subjects of the procedures and standards for the processing and protection of personal information, and to handle related grievances promptly and smoothly.


Table of Contents

  1. Purposes of Processing Personal Information, Items Processed, and Retention/Use Periods
  2. Processing of Personal Information of Children Under the Age of 14
  3. Procedures and Methods for the Destruction of Personal Information
  4. Provision of Personal Information to Third Parties
  5. Outsourcing of Personal Information Processing
  6. Overseas Transfer of Personal Information
  7. Measures to Ensure the Security of Personal Information
  8. Installation, Operation, and Refusal of Automatic Personal Information Collection Devices
  9. Collection, Use, and Refusal of Behavioral Information
  10. Rights and Obligations of Data Subjects and Legal Representatives, and How to Exercise Them
  11. Personal Information Protection Officer and Department Handling Personal Information Complaints
  12. Remedies for Infringement of Data Subjects' Rights
  13. Changes to the Privacy Policy

1. Purposes of Processing Personal Information, Items Processed, and Retention/Use Periods

The Company processes personal information to the minimum extent necessary to provide its services. The personal information being processed will not be used for any purpose other than those stated below. If the purpose of use changes, the Company will take necessary measures, such as obtaining separate consent, in accordance with relevant laws.

1-1. Personal Information Processed Without the Data Subject's Consent

Pursuant to relevant laws, such as for the conclusion and performance of a contract and compliance with legal obligations, the Company may process the following personal information without the data subject's consent.

Legal Basis Category Purpose of Processing Items Processed Retention and Use Period
PIPA Art. 15(1)4 — Conclusion/Performance of Contract Membership registration and management Confirming intent to register, providing membership-based services, identity verification, maintaining and managing membership, preventing fraudulent use, delivering notices Name, email address, mobile phone number, password, member ID, registration date/time, member status Until membership withdrawal. However, where retention is required under relevant laws, until the end of such period.
PIPA Art. 15(1)4 — Conclusion/Performance of Contract Order and payment processing Product orders, payment approval, payment cancellation, refunds, transaction history verification Orderer's name, orderer's email address, orderer's mobile phone number, order details, payment amount, payment method, payment approval number, refund account information (if necessary) Until completion of goods supply and payment/settlement. However, where retention is required under relevant laws, until the end of such period.
PIPA Art. 15(1)4 — Conclusion/Performance of Contract Product delivery Product delivery, delivery address verification, delivery status notification, return/exchange pickup Recipient's name, recipient's mobile phone number, delivery address, delivery requests, tracking (invoice) number Until completion of delivery and return/exchange processing. However, where retention is required under relevant laws, until the end of such period.
PIPA Art. 15(1)4 — Conclusion/Performance of Contract Non-member orders Processing non-member orders, order history inquiry, payment/delivery/exchange/return processing Orderer's name, orderer's email address, orderer's mobile phone number, non-member order inquiry password, recipient's name, recipient's mobile phone number, delivery address, order details, payment information Until completion of goods supply and payment/settlement. However, where retention is required under relevant laws, until the end of such period.
PIPA Art. 15(1)4 — Conclusion/Performance of Contract Customer service and complaint handling Responding to inquiries, handling complaints, guiding exchanges/returns/refunds, responding to disputes Name, email address, mobile phone number, order number, inquiry details, inquiry date/time, attachments, processing results 3 years after completion of the consultation, or until the retention period prescribed by relevant laws.
PIPA Art. 15(1)4 — Conclusion/Performance of Contract Review and posting management Writing product reviews, managing posts, preventing fraudulent reviews, managing service quality Member ID, name or nickname, order details, review content, photo/video attachments, date/time of creation Until deletion of the post or membership withdrawal. However, where retention is required under relevant laws, until the end of such period.
PIPA Art. 15(1)2 — Compliance with Legal Obligations Retention of e-commerce records Retaining records on contracts or withdrawal of subscription, payment, supply of goods, and consumer complaint/dispute handling Records on contracts/withdrawal of subscription, payment and delivery records, consumer complaint or dispute handling records Until the period prescribed by relevant laws.
PIPA Art. 15(1)2 — Compliance with Legal Obligations Retention of access logs Compliance with legal obligations such as retention of communication confirmation data Access date/time, IP address, access logs Until the period prescribed by relevant laws.

1-2. Personal Information Processed With the Data Subject's Consent

The Company processes the following personal information with the data subject's consent. Data subjects have the right to refuse consent, and even if they refuse, basic product purchases and use of services remain available. However, services or benefits provided on the premise of such consent may be restricted.

Legal Basis Category Purpose of Processing Items Processed Retention and Use Period
PIPA Art. 15(1)1 — Consent Receipt of marketing information Notification of new products, events, promotions, discount coupons, brand content, and customized benefits Name, email address, mobile phone number, date of birth, gender, products of interest, purchase history, marketing consent status Until withdrawal of consent or membership withdrawal.
PIPA Art. 15(1)1 — Consent Provision of customized services Recommending products of interest, providing benefits based on purchase history, providing guidance based on shopping cart/wishlist Member ID, purchase history, shopping cart information, wishlist, products of interest, access and usage records Until withdrawal of consent or membership withdrawal.
PIPA Art. 15(1)1 — Consent Event participation and prize delivery Confirming event participation, selecting winners, sending prizes, processing taxes and public charges (if necessary) Name, mobile phone number, email address, delivery address, SNS account name, event participation details, copy of ID or resident registration number (only where processing of taxes and public charges is necessary) [OO months] after the event ends and prizes are delivered. However, where retention is required by law, such as for processing taxes and public charges, until the end of such period.
PIPA Art. 15(1)1 — Consent Use of reviews/content Using reviews, photos, and videos on the Company's own mall, SNS, advertisements, and product detail pages Name or nickname, review content, photos, videos, SNS account name Until withdrawal of consent or achievement of the purpose of use.

1-3. Information That May Be Automatically Generated/Collected During Service Use

The following information may be automatically generated or collected during the course of using the service.

Category Items Collected Purpose of Processing Retention and Use Period
Service usage records Access date/time, IP address, browser information, device information, OS information, cookies, visited pages, click history, purchase conversion history Ensuring service stability, preventing fraudulent use, statistical analysis, providing customized services, analyzing advertising performance Until the purpose is achieved or until the period prescribed by relevant laws.
Payment/security-related records Payment authentication results, payment approval number, fraudulent transaction detection information Payment processing, prevention of fraudulent payment, ensuring transaction stability Until the purpose is achieved or until the period prescribed by relevant laws.

1-4. Retention Periods of Personal Information Under Relevant Laws

In principle, the Company destroys personal information without delay once the purpose of processing has been achieved. However, in the following cases, the Company retains personal information for the period prescribed by relevant laws.

Basis for Retention Item Retained Retention Period
Act on the Consumer Protection in Electronic Commerce, etc. Records on contracts or withdrawal of subscription, etc. 5 years
Act on the Consumer Protection in Electronic Commerce, etc. Records on payment and supply of goods, etc. 5 years
Act on the Consumer Protection in Electronic Commerce, etc. Records on consumer complaints or dispute handling 3 years
Act on the Consumer Protection in Electronic Commerce, etc. Records on labeling/advertising 6 months
Protection of Communications Secrets Act Communication confirmation data such as website visit records 3 months
Framework Act on National Taxes, Corporate Tax Act, and other tax laws Tax invoices, receipts, and transaction-related supporting documents Period prescribed by law

2. Processing of Personal Information of Children Under the Age of 14

In principle, the Company does not intend to allow membership registration or the provision of personal information by children under the age of 14. However, where consent is required to process the personal information of a child under the age of 14, the Company obtains the consent of the legal representative.

To verify the legal representative's consent, the Company may request minimal information from the child, such as the legal representative's name, mobile phone number, and email address, and processes the child's personal information only after confirming the legal representative's consent.

The legal representative may request access to, correction of, deletion of, suspension of the processing of, and withdrawal of consent for the child's personal information, and the Company will take necessary measures without delay in accordance with relevant laws.


3. Procedures and Methods for the Destruction of Personal Information

When personal information becomes unnecessary—due to the expiration of the retention period, achievement of the processing purpose, etc.—the Company destroys it without delay.

Destruction procedure The Company selects the personal information for which grounds for destruction have arisen and destroys it after confirmation by the Company's Personal Information Protection Officer or the person in charge.

Method of destroying electronic files Electronic files are permanently deleted using a secure method so that they cannot be recovered or reproduced.

Method of destroying paper documents Paper documents are destroyed by shredding with a shredder or by incineration.

Separate storage Where personal information must continue to be retained pursuant to other laws, such personal information is moved to a separate database or stored in a different storage location.


4. Provision of Personal Information to Third Parties

The Company processes data subjects' personal information only within the scope of the processing purposes specified in Article 1, and does not provide personal information to third parties except where permitted by relevant laws—such as where there is the data subject's prior consent or special provisions in the law.

Where the Company needs to provide personal information to third parties in the future, such as partner companies, advertising platforms, or co-hosts of events, it will inform the data subject of the following matters and obtain separate consent.

  • The recipient of the personal information
  • The recipient's purpose of using the personal information
  • The items of personal information provided
  • The recipient's retention and use period
  • The right to refuse consent and the disadvantages of such refusal

The cases in which the Company currently provides personal information to third parties on a regular basis are as follows.

Recipient Purpose of Provision Items Provided Retention and Use Period
[Enter if applicable] [e.g., joint event operation, prize delivery, provision of partnership benefits] [Name, mobile phone number, email, etc.] [Until the purpose is achieved or the period notified at the time of consent]

※ Where there is no regular third-party provision, the table above may be deleted and replaced with the statement: "The Company does not currently provide data subjects' personal information to third parties."


5. Outsourcing of Personal Information Processing

To provide its services smoothly, the Company may outsource personal information processing tasks to external parties as follows. When entering into outsourcing agreements, the Company reflects necessary matters in the contract, etc., in accordance with relevant laws so that personal information is managed securely, and supervises whether the trustee processes personal information securely.

Trustee Outsourced Task Outsourced Personal Information Items Retention and Use Period
Shopify Inc. / Shopify International Ltd. / Shopify affiliates Building and operating the online mall, order management, customer data storage and management, payment/delivery integration, system operation Member information, order information, delivery information, payment-related information, access and usage records Until membership withdrawal or termination of the outsourcing agreement. However, where retention is required under relevant laws, until the end of such period.
Eximbay Credit card payment, simple payment, account transfer, virtual account, payment cancellation and refund processing Order information, payment amount, payment method, payment approval number, refund account information (if necessary) Until termination of the outsourcing agreement, or until the retention period under relevant laws.
CJ Logistics Product delivery, return/exchange pickup Recipient's name, recipient's mobile phone number, delivery address, tracking (invoice) number Until completion of delivery or termination of the outsourcing agreement.
Taeeun Logistics Product inbound/outbound, packaging, shipping, inspection of returns/exchanges Order information, delivery information, return/exchange information Until termination of the outsourcing agreement.
[Customer service solution name] Customer service, responding to inquiries, managing consultation history Name, email address, mobile phone number, order number, inquiry details [OO months] after completion of the consultation, or until termination of the outsourcing agreement.
CREMA Review Writing, displaying, and managing product reviews Member ID, nickname, order information, review content, photos/videos Until membership withdrawal, deletion of the post, or termination of the outsourcing agreement.
Google LLC Website usage analysis, advertising performance analysis Cookies, device information, access and usage records, event logs In accordance with Google's policy and the period set by the Company.
Meta Platforms, Inc. Advertising performance analysis, provision of customized advertising Cookies, device information, access and usage records, event logs In accordance with Meta's policy and the period set by the Company.

※ Where additional Shopify apps or external solutions are used, the trustee, outsourced task, items processed, and retention period must be added.


6. Overseas Transfer of Personal Information

For purposes such as operating the Shopify-based online mall, cloud storage, sending emails, and using advertising/analytics tools, the Company may outsource part of its personal information processing tasks to overseas operators, or store and process personal information on servers located overseas.

Where an overseas transfer of personal information occurs, the Company will, in accordance with relevant laws, notify data subjects of the legal basis for the overseas transfer, the items of personal information transferred, the country of transfer, the date/time and method of transfer, the recipient, the purpose of use, the retention and use period, the method of refusing the transfer, and the disadvantages of such refusal.

Recipient Country of Transfer Items Transferred Date/Time and Method of Transfer Purpose of Use Retention and Use Period Method of Refusal and Disadvantages of Refusal
Shopify Inc. / Shopify International Ltd. / Shopify affiliates [To be finally confirmed based on the Shopify contract and admin console, e.g., Canada, USA, Ireland, Singapore] Member information, order information, delivery information, payment-related information, access and usage records Transmitted over the network during service use Online mall operation, order management, customer data storage and management, service provision and security management Until membership withdrawal or termination of the outsourcing agreement. However, where retention is required under relevant laws, until the end of such period. You may refuse the overseas transfer by requesting the Personal Information Protection Officer. However, if you refuse, use of mall services such as membership registration, ordering, payment, and delivery may be restricted.
Google LLC [Confirm actual processing country, e.g., USA] Cookies, device information, access and usage records, event logs Transmitted over the network during service use Website usage analysis, advertising performance measurement In accordance with Google's policy and the period set by the Company. You may refuse through browser settings, ad settings, or by requesting the Company. However, customized services or advertising performance measurement may be restricted.
Meta Platforms, Inc. [Confirm actual processing country, e.g., USA] Cookies, device information, access and usage records, event logs Transmitted over the network during service use Advertising performance measurement, provision of customized advertising In accordance with Meta's policy and the period set by the Company. You may refuse through browser settings, ad settings, or by requesting the Company. However, the provision of customized advertising may be restricted.

※ The above content may vary depending on the actual contractual structure, data processing countries, DPA, and admin settings of Shopify and external solutions, and therefore must be confirmed before final publication.


7. Measures to Ensure the Security of Personal Information

The Company takes the following measures to ensure the security of personal information.

Administrative measures Establishment and implementation of an internal management plan for personal information, minimization of personnel handling personal information, employee training, and management/supervision of trustees.

Technical measures Management of access rights to the personal information processing system, password encryption, installation and updating of security programs, retention of access logs, access control, and application of encrypted communication.

Physical measures Secure storage of documents and storage media containing personal information, access control, and document destruction management.


8. Installation, Operation, and Refusal of Automatic Personal Information Collection Devices

The Company may use automatic personal information collection devices such as cookies, pixels, and SDKs to provide individually customized services to users and to analyze service usage patterns.

Meaning of cookies A cookie is a small piece of information that the server operating a website sends to the user's browser, and it may be stored on the user's device or browser.

Purposes of using cookies

  • Maintaining login status
  • Providing shopping cart and recently viewed products features
  • Analyzing users' visits and usage patterns
  • Service improvement and error checking
  • Customized product recommendations and advertising performance measurement

How to refuse cookie settings Users can refuse to store cookies or delete them through their browser settings. However, if you refuse to store cookies, some services such as login, shopping cart, and ordering may be restricted.

  • Chrome: Settings > Privacy and security > Third-party cookies
  • Safari: Settings > Privacy > Block cookies
  • Edge: Settings > Cookies and site permissions > Manage cookies and site data

9. Collection, Use, and Refusal of Behavioral Information

The Company may collect and use online behavioral information that can identify and analyze users' interests, preferences, and tendencies, such as website visit history, product viewing history, shopping cart history, and purchase conversion history.

Collection Tool Behavioral Information Collected Collection Purpose Retention and Use Period
Google Analytics / Google Ads Visited pages, dwell time, click history, inflow path, purchase conversion history, device information Service usage analysis, advertising performance measurement, site improvement In accordance with Google's policy and the period set by the Company.
Meta Pixel Visited pages, product views, shopping cart, purchase conversion, event logs Advertising performance measurement, provision of customized advertising In accordance with Meta's policy and the period set by the Company.

Users may refuse the collection and use of behavioral information through browser settings, the ad settings of advertising platforms, blocking cookies, or by requesting the Company. However, if you refuse, functions such as customized product recommendations, advertising performance measurement, and certain service quality improvements may be restricted.


10. Rights and Obligations of Data Subjects and Legal Representatives, and How to Exercise Them

Data subjects may exercise the following rights related to personal information protection against the Company at any time.

  • Request to access personal information
  • Request to correct errors, if any
  • Request to delete
  • Request to suspend processing
  • Request to withdraw consent

These rights may be exercised against the Company in writing, by email, through the customer center, or through the member information editing function within the Mall, and the Company will take action without delay in accordance with relevant laws.

Where a data subject requests the correction or deletion of errors in personal information, the Company will not use or provide the relevant personal information until the correction or deletion is completed.

These rights may be exercised through the data subject's legal representative or an authorized agent. In such cases, the Company may request a power of attorney in accordance with relevant laws.

When a data subject makes a request to access, correct, delete, or suspend the processing of personal information, the Company may verify whether the requester is the data subject themselves or a legitimate agent.


11. Personal Information Protection Officer and Department Handling Personal Information Complaints

The Company designates the following Personal Information Protection Officer to oversee tasks related to the processing of personal information and to handle data subjects' complaints and provide remedies in connection with the processing of personal information.

Category Details
Personal Information Protection Officer Lee Jo-eun
Position Director
Contact 070-8064-7020
Email cs@haruhuga.com

Inquiries, complaints, and requests for remedies related to personal information may be directed to the following department.

Category Details
Department Handling Personal Information Complaints Lee Jo-eun
Person in Charge Director
Contact 070-8064-7020
Email cs@haruhuga.com

12. Remedies for Infringement of Data Subjects' Rights

Data subjects may contact the following organizations for remedies, consultation, etc., regarding personal information infringement. The following organizations are separate from the Company.

  • Personal Information Infringement Report Center: 118 (no area code)
  • Personal Information Dispute Mediation Committee: 1833-6972
  • Supreme Prosecutors' Office: 1301 (no area code)
  • National Police Agency: 182 (no area code)

Where a data subject's rights or interests are infringed by a disposition or omission made by the head of a public institution in relation to a request for access, correction/deletion, or suspension of processing of personal information under the Personal Information Protection Act, the data subject may file an administrative appeal.


13. Changes to the Privacy Policy

This Privacy Policy is effective as of [May 27, 2026].

Where the Company changes the Privacy Policy, it will disclose the changes and the effective date through the notice section of the Mall or the Privacy Policy page. Where there is a change that materially affects the rights or obligations of data subjects, the Company may provide notice sufficiently in advance of the effective date or notify data subjects individually.

Version Effective Date Key Changes
v1.0 [2026.05.27] Initial enactment