Privacy Policy — Semore
Effective Date: April 26, 2026 · Legal Basis: Personal Information Protection Act (PIPA) §15 · §21 · §28-8 · §29 · §30 · §35 · §37 · EU GDPR · California CCPA
§1. General Provisions
Semore (세모레, hereinafter the "Company" or "Semore") establishes and discloses this Privacy Policy in accordance with Article 30 of the Personal Information Protection Act (PIPA) in order to protect the personal information and rights of data subjects and to handle related grievances efficiently. This Policy applies to all services provided by the Company through https://semore.net and its subdomains (shop.semore.net, visit.semore.net, api.semore.net).
Personal Information Controller and Business Information
- Representative: KyoungBum Kim
- Trade name: Semore (세모레)
- Business Registration Number: 714-18-02742
- Business Address: Unit 204, Bldg. 102, 53 Jungang-gongwon-ro, Bundang-gu, Seongnam-si, Gyeonggi-do, Republic of Korea
- Representative Phone: +82-10-4837-2689
- Customer Support and Grievance Handling: [email protected]
- General Email: [email protected]
§2. Items Collected and Purposes of Processing [PIPA §15]
| Category | Items | Time of Collection | Purpose of Processing | Legal Basis |
|---|---|---|---|---|
| Anonymous session | anonymous_session_id (server-issued opaque, 24 hours) | Upon entering chat | Conversation continuity, bot-block mapping | PIPA Article 15 ① (6) — legitimate interest |
| Bot mitigation | Turnstile token, IP SHA-256 hash (32 hex) | Once upon entering chat | Bot and abuse mitigation | PIPA Article 15 ① (6) |
| Order information | Name, shipping address, phone number, email | Checkout | Performance of contract, delivery, customer support | PIPA Article 15 ① (4) — performance of contract |
| Payment information | Payment-method token, authorization number (PAN/CVV not collected) | Checkout | Payment authorization, refunds | PIPA Article 15 ① (4) |
| Shipment tracking | Tracking number, carrier code, status | Upon dispatch | Delivery status notifications | PIPA Article 15 ① (4) |
| Inquiries and complaints | Email body, attached photos/receipts | At the time of inquiry | Handling of complaints, dispute resolution | PIPA Article 15 ① (6) — legitimate interest |
Sign-ups and orders by persons under the age of 14 are blocked; any information of persons under 14 that is incidentally collected shall be destroyed without delay. PAN, CVV, and resident registration numbers are neither stored in nor passed through the Company's systems, and payments are processed solely under tokenization arrangements with PCI-DSS-certified PSPs.
§3. Retention and Destruction [PIPA §21 · ECCPA §6]
| Data | Retention Period | Legal Basis |
|---|---|---|
| Anonymous session | 24 hours (KV TTL) | Principle of data minimization |
| Email-body content sent | NULL after 180 days | PIPA §21 — minimum retention |
| Shipment-tracking source data | NULL after 90 days | Complaint window following delivery |
| Transaction and contract records | 5 years | ECCPA Article 6 ① (1) |
| Consumer complaints and disputes | 3 years | ECCPA Article 6 ① (3) |
| Display and advertising records | 6 months | ECCPA Article 6 ① (2) |
Destruction methods: electronic files are permanently deleted by irrecoverable means or NULL-UPDATED at the column level; printed materials are shredded or incinerated.
§4. Cross-Border Transfer of Personal Information [PIPA §28-8]
The Company transfers the items specified in this Policy to the following four overseas recipients.
| Category | Recipient | Country | Items | Retention | Basis |
|---|---|---|---|---|---|
| Chat | Anthropic PBC | United States | Scrubbed natural-language queries (after PII regex masking) | 30 days or zero-retention | PIPA Article 28-8 ③ (1) |
| Shipment | 17TRACK | China | Tracking number, carrier (recipient information not transmitted) | 90 days after delivery | PIPA Article 28-8 ③ (1) |
| Resend, Inc. | United States | Recipient email address, message body | Body NULL after 180 days · Resend delivery logs 30 days | PIPA Article 28-8 ③ (1) | |
| Infrastructure | Cloudflare, Inc. | United States | IP, User-Agent, cookies, Turnstile token | Edge logs 7 days, KV TTL 24h | PIPA Article 28-8 ③ (2) |
Special notice regarding China (no adequacy determination): The Republic of Korea has not issued an adequacy decision in respect of the People's Republic of China for personal information protection. In accordance with PIPC 2023-09 amended interpretive guidance §6, the Company applies dual protection consisting of technical minimization (allowlist blocking) and a Data Processing Agreement (DPA).
§5. Rights of the Data Subject [PIPA §35 · §37]
Data subjects may exercise the following rights at any time. Requests submitted to [email protected] will be processed within 30 days.
- Right of access (PIPA §35)
- Right to rectification or erasure (PIPA §36)
- Right to suspension of processing (PIPA §37)
- Right to withdraw consent
- For EU residents (GDPR): right to data portability (Art. 20), right to object (Art. 21), right to lodge a complaint with a supervisory authority
- For California residents (CCPA): equivalent processing of "Do Not Sell or Share My Personal Information" requests
§6. Safeguards for Information Security [PIPA §29]
- TLS 1.3 in transit · column-level NULL lifecycle management of sensitive data in D1 at rest
- Raw IP addresses are not stored (only SHA-256 + pepper hashes are retained)
- Cloudflare Turnstile bot mitigation · PAN/CVV are blocked from passing through the Company's systems (PCI SAQ A-EP)
- Audit logging on every request · external advisory review (monthly during Phase 0–1)
- Fully cloud-native on Cloudflare with no physical office premises and no local DB or file servers
§7. Data Protection Officer (DPO) and Grievance Handling
- Data Protection Officer: KyoungBum Kim (concurrently serving as Representative)
- Contact: [email protected]
- Customer support and complaints: [email protected]
- Dispute resolution: Personal Information Dispute Mediation Committee (kopico.go.kr · 1833-6972) · Personal Information Infringement Report Center (privacy.kisa.or.kr · 118) · Supreme Prosecutors' Office (1301) · National Police Agency Cyber Investigation Bureau (ecrm.police.go.kr · 182)
§8. Cookies and Local Storage
| Key | Storage | Purpose | Expiry |
|---|---|---|---|
semore.locale | localStorage | Persists language preference | Browser policy (can be manually deleted) |
semore.attribution_session | localStorage | Order attribution session (opaque UUID) | 30 days |
__cf_bm, cf_clearance | Cookies (Cloudflare) | Bot mitigation · edge security | 30 minutes to 30 days |
anonymous_session_id | httpOnly server token | Chat-session continuity | 24 hours |
Users may delete or block cookies and localStorage via their browser settings. If blocked, chat-language persistence and attribution analytics will not function.
§9. Changes to This Policy
This Policy will be updated and disclosed under the change log in §10 when applicable laws are revised or the Service is modified, pursuant to PIPA Article 30 ② (obligation to disclose changes). As an additional self-imposed safeguard, the Company will also post a notice on the Service's main page at least 7 days before any change takes effect (or 30 days before for material changes).
§10. Change History
| Version | Date | Changes |
|---|---|---|
| v1.0 | 2026-04-26 | Initial public version — PIPA Article 30 Privacy Policy established; disclosure of four cross-border transfer recipients; business registration information published (Business Registration Number 714-18-02742, Representative KyoungBum Kim, Business Address) |