Privacy Policy
F&F (hereinafter referred to as the “Company”) complies with the Personal Information Protection Act and relevant laws to protect the rights and freedoms of data subjects. The Company lawfully processes personal information and manages it securely. In accordance with Article 30 of the Personal Information Protection Act, this Privacy Policy is established and disclosed to inform data subjects of the procedures and standards for processing personal information, and to facilitate the prompt and smooth handling of related complaints.
[Table of Contents]
- Purpose of Processing, Types of Personal Information Collected, and Retention Period
- Procedures and Methods for the Destruction of Personal Information
- Provision of Personal Information to Third Parties
- Additional Use and Provision
- Outsourcing of Personal Information Processing
- Measures to Ensure the Security of Personal Information
- Installation, Operation, and Refusal of Automatic Personal Information Collection Devices
- Collection, Use, Provision, and Refusal of Behavioral Information
- Rights and Obligations of Data Subjects and Their Legal Representatives and How to Exercise Them
- Personal Information Protection Officer and Request for Access to Personal Information
- Changes to the Privacy Policy
1. Purpose of Processing, Types of Personal Information Collected, and Retention Period
The Company collects and uses personal information to the minimum extent necessary for the following purposes and processes the following categories of personal information with the consent of the data subject. The personal information being processed will not be used for any purposes other than those stated below. If the purpose of use changes, the Company will take the necessary steps, such as obtaining separate consent, in accordance with Article 18 of the Personal Information Protection Act.
| Purpose of Processing | Items Collected | Retention Period |
| Membership Registration & Management | ○ General website registration | Until membership withdrawal |
| Order Fulfillment or Service Provision | [Required]: Order details (Gender, Name, Mobile Number, Email), | 5 years |
| Customer Service | [Required]: Email, Mobile Number | Up to 3 years after consultation |
2. Procedures and Methods for the Destruction of Personal Information
- The Company shall destroy personal information without delay when the retention period has expired, the purpose of processing has been achieved, or the information is no longer necessary.
- The procedures and methods for the destruction of personal information are as follows:
① Destruction Procedure
- The Company selects personal information that requires destruction and destroys it with the approval of the Personal Information Protection Officer.
② Destruction Method
- Personal information stored in electronic file format is permanently deleted in a way that prevents recovery or reconstruction.
- Personal information recorded and stored on paper is destroyed by shredding or incineration.
- In cases where personal information must be retained even after the retention period agreed to by the data subject has expired or the purpose of processing has been achieved, in accordance with other laws and regulations, such information will be stored separately in a different database (DB) or stored in a separate location.
| | Retention Period | Legal Basis |
| Records on payment and supply of goods/services | 5 years | Act on Consumer Protection in Electronic Commerce |
| Records on contract or withdrawal of subscription | 5 years | |
| Records on consumer complaints or dispute resolution | 3 years | |
| Records on advertisements and labeling | 6 months | |
| Records on electronic financial transactions | 5 years | Electronic Financial Transactions Act |
| Website and app visit logs | 3 months | Protection of Communications Secrets Act |
| Information for payment of taxes and dues | 5 years | Income Tax Act |
3. Provision of Personal Information to Third Parties
The Company processes personal information only within the scope specified for the purpose of processing, and provides personal information to third parties only in cases that fall under Articles 17 and 18 of the Personal Information Protection Act, such as when the data subject has given consent or when permitted by special provisions of the law.
Other than these exceptions, the Company does not provide personal information to third parties.
4. Additional Use and Provision
In accordance with Article 15(3) or Article 17(4) of the Personal Information Protection Act and Article 14-2 of its Enforcement Decree, the Company may use or provide personal information without the data subject’s consent, considering the following criteria:
- Whether the additional use/provision is related to the original purpose of collection
- Whether it is reasonably foreseeable based on the circumstances under which the information was collected or customary processing practices
- Whether it unfairly infringes on the interests of the data subject
- Whether necessary safety measures such as pseudonymization or encryption have been implemented
If additional use or provision of personal information occurs on an ongoing basis, the Company will disclose the criteria used to assess the legitimacy of such use and verify compliance with these standards.
5. Outsourcing of Personal Information Processing
- To ensure smooth handling of personal information-related tasks, the Company outsources certain operations as follows:
| Service Provider | Outsourced Task |
| Shopify | Online shopping platform setup |
| Logen | Delivery of ordered products and gifts |
| MXN COMMERCE USA, INC | Order payment processing and settlement |
| MetaM | Customer inquiries and CS handling |
| AWS | System operation and data storage via cloud services |
| FASTBOX | Overseas delivery and shipping service |
| Channel Corporation | Online chat support and marketing message delivery |
- When entering into outsourcing contracts, the Company specifies in writing (such as in a contract) matters related to the prohibition of personal information processing for purposes other than the commissioned tasks, technical and administrative protection measures, restrictions on subcontracting, supervision and management of the service provider, and liability for damages, in accordance with Article 26 of the Personal Information Protection Act.
The Company also supervises and manages the service providers to ensure that they handle personal information securely.
- If there are any changes to the outsourced tasks or service providers, the Company will disclose the details promptly through this Privacy Policy.
6. Measures to Ensure the Security of Personal Information
To ensure the security of personal information, the Company takes the following measures:
① Administrative Measures: Establishment and implementation of an internal management plan, operation of a dedicated department, regular employee training
② Technical Measures: Management of access rights to personal information processing systems, installation of access control systems, encryption of personal information, installation and updating of security programs
③ Physical Measures: Access control for computer rooms and document storage facilities
7. Use of Cookies and the Right to Refuse
- The Company uses cookies to provide users with personalized services by storing and retrieving usage information.
- Cookies are small pieces of data sent to the user's web browser by the server (HTTP) used to operate the website, and may be stored on the hard drive of the user's computer.
① Purpose of Using Cookies: To analyze the user’s visit and usage patterns across services and websites, popular search terms, and secure login status in order to provide optimized information.
② Cookie Installation, Operation, and Refusal:
▶ To allow/block cookies on web browsers
- Chrome: Settings > Privacy and Security > Clear browsing data
- Edge: Settings > Cookies and site permissions > Manage and delete cookies and site data
▶ To allow/block cookies on mobile browsers
- Chrome: Mobile Settings > Privacy and Security > Clear browsing data
- Safari: Device Settings > Safari > Advanced > Block All Cookies
- Samsung Internet: Mobile Browser Settings > Internet History > Delete browsing history
③ Please note that refusing to store cookies may limit your access to personalized services.
8. Collection, Use, and Provision of Behavioral Information
1) To provide optimized services, personalized benefits, and online tailored advertisements, the Company collects and uses behavioral information during users’ service interactions.
| Behavioral Information Items | Behavioral Information Collection Method | Purpose of Collection | Retention & Usage Period / Data Processing After Use |
| User’s website/app visit history, search history, purchase history | Automatically collected when the user visits or launches the website and app | To provide personalized product recommendation services based on the user's interests and preferences | 1 year from the date of collection |
2) The Company permits the collection and processing of behavioral information by online personalized advertising service providers as follows.
| Advertising service providers that collect and process behavioral information | Method of Behavioral Information Collection | Items of Behavioral Information Collected and Processed | Retention and Usage Period |
| | Automatically collected and transmitted when the user visits our website or launches the app | User’s basic information (age, gender, location, device information), visit history (referral source, visited pages, duration of stay), search history, and purchase history | 1 year from the date of collection |
3) Blocking or Allowing Personalized Ads via Browser Settings
The data subject may block or allow personalized online advertisements by adjusting cookie settings in their web browser. However, please note that changing cookie settings may affect the use of certain services, such as automatic login to the website.
‣ How to Block/Allow Personalized Ads in Web Browsers
(1) Internet Explorer 11 (Windows 10)
- Click the Tools button in Internet Explorer and select "Internet Options"
- Go to the "Privacy" tab, click "Advanced," then choose to block or allow cookies
(2) Microsoft Edge
- Click the “...” in the top-right corner of Edge and select "Settings"
- In the left panel, click "Privacy, search, and services"
- Under the "Tracking prevention" section, choose whether to enable tracking prevention and select the level
- Choose whether to always use “Strict” tracking prevention in InPrivate mode
- Under "Privacy," choose whether to send a “Do Not Track” request
(3) Chrome Browser
- Click the “Customize and control Chrome” icon in the top-right corner, then select “Settings”
- Scroll to “Privacy and security” and click “Ad privacy”
- In the “Ad topics” section, block any unwanted sites
9. Rights and Obligations of Data Subjects and Legal Representatives
- The data subject may exercise the right to request access, correction, deletion, suspension of processing, or withdrawal of consent regarding their personal information at any time.
- These rights can be exercised by submitting the prescribed form in writing or by email in accordance with Article 41(1) of the Enforcement Decree of the Personal Information Protection Act. The Company will take immediate action upon request.
[Download Form No. 8 of the “Guidelines for Personal Information Processing Methods (No. 2023-12)”]
- Data subjects may also directly view, modify, or delete their personal information at any time through ‘MY PAGE > My Info’ on the website.
- The data subject may also exercise these rights through a legal representative or a delegated agent. In such cases, a power of attorney form (Form No. 11 of the same guidelines) must be submitted.
- Requests for access or suspension of processing may be restricted under Articles 35(4) and 37(2) of the Personal Information Protection Act.
- Requests for correction or deletion may not be accepted if the personal information is required to be retained by other laws.
- The Company verifies whether the person making the request is the data subject or a legitimate representative when handling requests for access, correction, deletion, or suspension of processing.
10. Personal Information Protection Officer and Access Request
- The Company appoints the following Personal Information Protection Officer to take overall responsibility for personal information processing and to handle related complaints and damage relief requests.
[Personal Information Protection Officer]
Name: Ryu Young-seok
Title: Chief Privacy Officer (CPO)
- The data subject may request access to personal information under Article 35 of the Personal Information Protection Act from the department below. The Company will endeavor to process such requests promptly.
[Department in Charge of Access Requests]
Department: Information Security Team
Contact Person: Kim Hwa-rang
Address: F&F Building, 541 Eonju-ro, Gangnam-gu, Seoul, 06138
Email: privacy@fnfcorp.com
Phone: 02-6411-1500
Discovery Expedition: 080-820-8802
11. Changes to the Privacy Policy
This Privacy Policy is effective as of March 7, 2025.