esimoaesimoa

Privacy Policy

NBase Korea Co., Ltd. (hereinafter the "Company") establishes and discloses the following Privacy Policy pursuant to Article 30 of the Personal Information Protection Act, in order to protect the personal information of data subjects and to promptly and smoothly handle related grievances.

Article 1 (Purpose of Processing Personal Information)

The Company processes personal information for the following purposes. The personal information being processed shall not be used for purposes other than the following, and if the purpose of use is changed, the Company will take necessary measures such as obtaining separate consent pursuant to Article 18 of the Personal Information Protection Act.

  1. Website Membership Registration and Management
    • For purposes of confirming intent to register as a member, identification and authentication for the provision of member services, maintenance and management of membership, prevention of unauthorized use of services, various notices and notifications, and grievance handling
  2. Provision of Goods or Services
    • For purposes of delivery of goods, provision of services, delivery of contracts and subscription forms, provision of content, provision of customized services, identity verification, age verification, payment and settlement of fees, and debt collection
  3. Use for Marketing and Advertising
    • For purposes of developing new services (products) and providing customized services, providing event and promotional information and opportunities for participation, providing services and posting advertisements based on demographic characteristics, verifying the effectiveness of services, identifying access frequency, or statistics on members' use of services
  4. Personal Video Information
    • For purposes of crime prevention and investigation

Article 2 (Period of Processing and Retention of Personal Information)

  1. The Company processes and retains personal information within the period of retention and use of personal information under laws or the period of retention and use of personal information consented to when collecting personal information from the data subject.
  2. The processing and retention periods for each item of personal information are as follows:
    • Website Membership Registration and Management: Until membership withdrawal (however, until the relevant reason ends in the following cases)
      • Where an investigation or inquiry is in progress due to violations of relevant laws, until such investigation or inquiry is completed
      • Where claims and obligations remain from the use of the website, until such claims and obligations are settled
    • Provision of Goods or Services: Until the completion of the supply of goods/services and payment/settlement of fees (however, until the relevant period ends in the following cases)
      • Records of transactions such as labeling, advertising, contract contents, and performance under the Act on the Consumer Protection in Electronic Commerce, Etc.
        • Records of labeling and advertising: 6 months
        • Records of contracts, subscription withdrawals, payments, and supply of goods, etc.: 5 years
        • Records of consumer complaints or dispute resolution: 3 years
        • Records of collection, processing, and use of credit information, etc.: 3 years
      • Retention of communication confirmation data under the Protection of Communications Secrets Act
        • Subscriber's telecommunication date and time, start/end time, counterpart subscriber number, frequency of use, originating base station location tracking data: 1 year
        • Computer communication, internet log records, access location tracking data: 3 months

Article 3 (Items of Personal Information Processed)

The Company processes the following items of personal information.

  1. Website Membership Registration and Management
    • Required items: Email address, password (stored encrypted), name
    • Optional items: Mobile phone number
    • Automatically collected items: IP address, cookies, MAC address, service use records, access logs, device information
  2. Provision of Goods or Services
    • Required items: Email address, name, payment information
    • Optional items: Mobile phone number, address
    • Automatically collected items: IP address, cookies, service use records
  3. The following items of personal information may be automatically generated and collected during the use of internet services.
    • IP address, cookies, MAC address, service use records, access logs, visit date and time, browser information, OS information, device information

Article 4 (Provision of Personal Information to Third Parties)

  1. The Company processes the personal information of data subjects only within the scope specified in Article 1 (Purpose of Processing Personal Information) and provides personal information to third parties only with the consent of the data subject or under special provisions of laws falling under Articles 17 and 18 of the Personal Information Protection Act.
  2. The Company shall, in principle, not provide the personal information of data subjects to third parties. However, the following cases shall be exceptions:
    • Where the data subject has consented in advance to provision to third parties
    • Where there is a request from an investigative agency pursuant to procedures and methods stipulated by laws for investigative purposes, based on the provisions of laws
    • Where the transmission of minimum necessary information to a partner telecommunications carrier is required for the provision of eSIM services (where the data subject has been informed in advance and has given consent)
  3. The Company shall, in principle, not provide the personal information of data subjects abroad. However, when providing such information abroad with the consent of the data subject, the Company shall notify the data subject of the following matters and obtain consent pursuant to Article 39-2 of the Personal Information Protection Act:
    • Items of personal information to be transferred
    • The country, date, and method of transfer of personal information
    • The name of the recipient of the personal information (in the case of a corporation, the name and contact information of the information management officer)
    • The purpose of use and the period of retention and use of personal information by the recipient

Article 5 (Entrustment of Personal Information Processing)

  1. The Company entrusts personal information processing tasks as follows for the smooth handling of personal information tasks:

    Entrusted Party Entrusted Tasks
    Payment Gateway Payment processing such as credit cards and account transfers
    Server Operation Management Provider Server operation and management, data storage

  2. When entering into entrustment contracts, the Company specifies matters concerning the prohibition of processing personal information for purposes other than the performance of entrusted tasks, technical and managerial protective measures, restrictions on re-entrustment, management and supervision of trustees, and liability such as damages, in accordance with Article 26 of the Personal Information Protection Act, and supervises whether the trustees safely process personal information.

  3. If the contents of the entrusted tasks or the trustee change, the Company will disclose such changes through this Privacy Policy without delay.

Article 6 (Procedure and Method of Destruction of Personal Information)

  1. The Company destroys personal information without delay when the personal information becomes unnecessary, such as upon expiration of the retention period or achievement of the processing purpose.
  2. If personal information must continue to be retained pursuant to other laws even though the retention period consented to by the data subject has expired or the processing purpose has been achieved, the relevant personal information (or personal information file) shall be moved to a separate database (DB) or stored in a different storage location.
    • Legal basis: Act on the Consumer Protection in Electronic Commerce, Etc., Protection of Communications Secrets Act, etc.
    • Items of personal information retained: Records of contracts or subscription withdrawals, etc., records of payments and supply of goods, etc., records of consumer complaints or dispute resolution, records of collection, processing, and use of credit information, etc., records of access
  3. The procedure and method of destruction of personal information are as follows:
    • Destruction procedure: The Company selects the personal information for which a reason for destruction has arisen and destroys the personal information with the approval of the Company's personal information protection officer.
    • Destruction method:
      • Information in the form of electronic files shall be deleted using technical methods that prevent the records from being reproduced.
      • Personal information printed on paper shall be destroyed by shredding or incineration.

Article 7 (Rights and Obligations of Data Subjects and Legal Representatives and Method of Exercise)

  1. Data subjects may exercise the following rights related to personal information protection against the Company at any time:
    • Right to request suspension of personal information processing
    • Right to request access to personal information
    • Right to request correction or deletion of personal information
    • Right to request suspension of personal information processing
  2. The exercise of rights under Paragraph 1 may be made in writing, by email, or by facsimile (FAX), etc., pursuant to Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act, and the Company shall take action thereon without delay.
  3. The exercise of rights under Paragraph 1 may be made through an agent such as the legal representative of the data subject or a person authorized to do so. In such case, a power of attorney in the form of Appendix No. 11 of the "Notice on the Method of Personal Information Processing (No. 2020-7)" must be submitted.
  4. The data subject's rights to request access to and suspension of personal information processing may be restricted pursuant to Article 35, Paragraph 4 and Article 37, Paragraph 2 of the Personal Information Protection Act.
  5. Requests for correction and deletion of personal information cannot be made if the personal information is specified as a subject of collection in other laws.
  6. When the data subject exercises the right to request access, correction or deletion, or suspension of processing, the Company verifies whether the person making such request is the data subject himself/herself or a legitimate agent.

Article 8 (Measures to Ensure the Safety of Personal Information)

The Company takes the following technical, managerial, and physical measures necessary to ensure safety pursuant to Article 29 of the Personal Information Protection Act:

  1. Encryption of Personal Information: Users' personal information, including passwords, is encrypted and stored, so that only the user can access it. Important data is protected by separate security functions such as encrypting files and transmission data or using file locking functions.
  2. Technical Measures Against Hacking, Etc.: To prevent the leakage and damage of personal information by hacking or computer viruses, the Company installs security programs, periodically updates and inspects them, installs systems in areas with controlled external access, and conducts technical and physical monitoring and blocking.
  3. Access Authority Management for Personal Information Processing Systems, Etc.: The Company takes necessary measures for access control over personal information through the granting, modification, and revocation of access authority to the personal information processing system, and controls unauthorized access from outside using an intrusion prevention system.
  4. Minimization and Training of Personal Information Processing Employees: The Company designates employees who handle personal information and limits them to the persons in charge, implementing measures to manage personal information by minimization.
  5. Restriction on Access to Personal Information: The Company takes necessary measures for access control over personal information through the granting, modification, and revocation of access authority to the database system that processes personal information, and controls unauthorized access from outside using an intrusion prevention system.
  6. Retention of Access Records and Prevention of Forgery and Alteration: The Company retains and manages records of access to the personal information processing system for at least one year, and uses security functions to prevent access records from being forged, altered, stolen, or lost.

Article 9 (Personal Information Protection Officer)

  1. The Company designates the personal information protection officer as follows to oversee the work related to personal information processing and to handle complaints and damage relief from data subjects related to personal information processing:

    ▶ Personal Information Protection Officer

  2. Data subjects may direct all inquiries, complaint handling, damage relief, and other matters related to personal information protection arising from the use of the Company's services (or business) to the personal information protection officer and the responsible department. The Company will respond and process inquiries from data subjects without delay.

Article 10 (Request for Access to Personal Information)

Data subjects may request access to personal information pursuant to Article 35 of the Personal Information Protection Act to the department below. The Company will make efforts to ensure that data subjects' requests for access to personal information are processed promptly.

▶ Department for Receiving and Processing Requests for Access to Personal Information

  • Department Name: Personal Information Protection Officer
  • Person in Charge: Kim Kyung-ju
  • Contact: [email protected]

Article 11 (Remedy Methods for Infringement of Rights and Interests)

Data subjects may report or consult about personal information infringement with the following agencies:

  1. Personal Information Infringement Report Center (operated by the Korea Internet & Security Agency)
    • Jurisdiction: Reporting of personal information infringement, consultation requests
    • Website: privacy.kisa.or.kr
    • Phone: 118 (without area code)
    • Address: (58324) Personal Information Infringement Report Center, Korea Internet & Security Agency, 9 Jinheung-gil, Naju-si, Jeollanam-do (Bitgaram-dong 301-2)
  2. Personal Information Dispute Mediation Committee
    • Jurisdiction: Application for personal information dispute mediation, collective dispute mediation (civil resolution)
    • Website: www.kopico.go.kr
    • Phone: 1833-6972
    • Address: (03171) 4th Floor, Government Seoul Building, 209 Sejong-daero, Jongno-gu, Seoul
  3. Supreme Prosecutors' Office Cyber Crime Investigation Unit
  4. National Police Agency Cyber Safety Bureau
    • Phone: 182 (without area code)
    • Website: ecrm.cyber.go.kr

Article 12 (Changes to the Privacy Policy)

This Privacy Policy shall apply from January 1, 2025.

Article 13 (Information Processed When Using the VPN Service)

When a User activates the VPN feature of the esimoa app, the Company processes the following information to establish a secure tunnel and provide the service. Users go through a separate consent procedure when first using the VPN feature, and if they do not consent, they cannot use the VPN feature.

  1. Items Collected and Processed
    • Anonymous user identifier (internal account ID)
    • WireGuard public key generated on the User's device (the private key does not leave the device)
    • Session information: connection start/end time, server location selected by the User, assigned VPN IP, cumulative bytes transmitted
  2. Purpose of Use
    • Establishment of WireGuard tunnel and peer authentication
    • Calculation of usage-based credit deduction
    • Session lifecycle management (expiration/release processing)
  3. Information Not Collected
    • Visit records, URLs, DNS queries, packet contents (due to WireGuard end-to-end encryption, the Company cannot view the contents of traffic)
    • Data for advertising, behavioral analysis, or profiling purposes
  4. Provision to Third Parties and Overseas Processing
    • The VPN infrastructure is operated by a third-party infrastructure provider. For peer registration, the anonymous user identifier and WireGuard public key are transmitted to the provider's API.
    • Session data is stored on servers in the region selected by the User.
    • No data is shared with advertising or analytics services.

NBase Korea Co., Ltd.
Business Reg. No.: 401-87-00956
Mail-Order Sales Registration: 2025-Yongin Suji-2082
Address: 902, Bldg A, 767 Sinsu-ro, Suji-gu, Yongin-si, Gyeonggi-do
CEO: Shinbae Kong