Privacy Policy
This English text is a reference translation. In the event of any conflict, the Korean version shall prevail.
Divult (the "Company") complies with applicable laws including the Personal Information Protection Act and the Act on Promotion of Information and Communications Network Utilization and Information Protection, and processes users' personal information securely as follows.
1. Personal Information Collected
- At signup (required): email, password (stored hashed), username, date of birth (to verify age 14+).
- For physical card intake/withdrawal: recipient name, mobile phone number, shipping address.
- At payment: payment method information (last 4 digits of card, payment token), payment history. Full card numbers are managed by PG providers such as PortOne and are not stored by the Company.
- For partner applications: business registration certificate, representative name, business address, settlement account.
- Automatically collected: access logs, IP address, cookies, device identifiers (UDID/ADID), OS/app version, push token (FCM).
2. Purposes of Collection and Use
- member identification, authentication, and identity verification;
- issuance of Digital Twins and management of transaction history;
- physical intake/withdrawal and shipping;
- payment, settlement, refunds, and tax invoice issuance;
- preventing service abuse (wash trading, price manipulation, money laundering) and handling disputes;
- responding to customer inquiries and sending notices/event notifications;
- improving the Service through statistical analysis (in non-identifiable form).
3. Retention and Use Period
| Item | Retention period | Basis |
|---|---|---|
| Membership registration info | Until withdrawal | Performance of use contract |
| Transaction/payment records | 5 years | E-commerce Act |
| Payment and goods-supply records | 5 years | E-commerce Act |
| Consumer complaint/dispute records | 3 years | E-commerce Act |
| Access logs / IP | 3 months | Protection of Communications Secrets Act |
| Abuse records | 1 year | Abuse prevention |
4. Provision to Third Parties
The Company does not provide personal information to third parties without the user's consent, except in the following cases:
- where the user has consented in advance (e.g., shipping information for a transaction with a partner seller);
- where an investigative or administrative agency requests it through lawful procedures under applicable law.
5. Outsourcing of Processing
| Processor | Outsourced task |
|---|---|
| Supabase (Supabase, Inc.) | Database and file storage operation |
| Cloudflare R2 / AWS S3 | Image/file storage |
| PortOne | Payment processing |
| Resend / Amazon SES | Email delivery |
| Firebase Cloud Messaging | Mobile push notifications |
| Delivery agents | Physical card intake/withdrawal and shipping |
6. Overseas Transfer
The servers of some processors (Supabase, Cloudflare, FCM, etc.) may be located overseas. The Company outsources only to operators verified to have appropriate protective measures under Article 28-8 of the Personal Information Protection Act, and detailed information on the transferred items and countries is provided upon request.
7. Users' Rights
- Requests to access, correct, delete, or suspend processing of personal information — via My Page or privacy@divult.com.
- Withdrawal — can be done directly from My Page.
- The Company does not collect personal information of children under 14; accounts confirmed to belong to those under 14 are deleted immediately.
8. Destruction of Personal Information
Personal information whose retention period has expired or whose purpose has been achieved is destroyed without delay. Electronic files are permanently deleted in a non-recoverable manner, and paper documents are shredded or incinerated.
9. Cookies and Automatic Collection Tools
- The Company uses cookies to keep users logged in, remember settings, and perform statistical analysis.
- Users may refuse cookie storage in browser settings, but some Service features may be restricted.
- In the mobile app, advertising identifiers (IDFA/ADID) can be reset or tracking refused in OS settings.
10. Protection Measures
- Passwords are stored as one-way hashes (e.g., bcrypt/argon2).
- Communication channels are encrypted with TLS.
- Administrator access is restricted under the principle of least privilege, and all admin actions are recorded in audit logs.
- The Company operates anomalous-transaction detection and automatic blocking systems.
11. Data Protection Officer and Business Information
| Company | Divult Inc. |
|---|---|
| Representative | Jaesung Ahn |
| Business Registration No. | 123-45-67890 |
| Business Address | 4F, 123 Teheran-ro, Gangnam-gu, Seoul, Republic of Korea |
| Data Protection Officer | Gildong Hong (CTO) |
| Privacy Email | privacy@divult.com |
| Customer Center | +82-2-1234-5678 |
| Support Email | support@divult.com |
For reporting a privacy infringement in Korea, you may contact the Korea Internet & Security Agency Privacy Infringement Report Center (118 without area code, privacy.kisa.or.kr).
12. Changes to This Policy
This Policy may be revised due to changes in law or the Service; changes are announced 7 days before the effective date (30 days for material changes).