1. Introduction
Toyoko Inn Co., Ltd. and Toyoko Inn Korea Co., Ltd. (hereinafter collectively referred to as the “Company”) hereby establish and disclose the following Privacy Policy (hereinafter referred to as “this Policy”) pursuant to Article 30 of the Personal Information Protection Act of Korea in order to protect and appropriately manage customers’ personal information and to promptly and smoothly respond to related complaints or inquiries.
2. Purpose, Items, and Retention Period of Use of Personal Information
The Company collects and uses customers’ personal information only for the following purposes. If the purpose or items of use are changed, the Company shall take necessary measures, such as obtaining separate consent from customers pursuant to Article 18 of the Personal Information Protection Act.The Company collects the following personal information on its online Web/application services when managing customers’ reservations or web accounts, operating Toyoko Inn Club Card member services, when customers make reservations for accommodations and ancillary services, when registering for membership, and when using the Company’s facilities.
| Category | Purpose of Collection/Use | Items | Retention Period |
|---|---|---|---|
| Reservation and provision of accommodations and ancillary services | o Receiving and managing reservations o Providing food and beverages, and parking o Selling goods |
Address, name, gender, date of birth, nationality, email address, phone number, fax number, mailing address, passport number and visa, and other government-issued identification information Credit card number, bank account, vehicle number | From the start of the reservation until the provision of services is completed. |
| Web member account | o Creating and managing accounts o Verifying identity |
Address, name, gender, date of birth, nationality, email address, phone number, mailing address Accommodation history, facility usage status, usage history of various plans, product purchase status | From the time of account creation until deletion. |
| Individual membership service subscription/use, complaint handling, satisfaction survey | o Providing Toyoko Inn Club Card member services o Responding to requests from information subjects for access to, correction, deletion, and processing suspension of personal information o Conducting customer satisfaction surveys and quality assurance surveys |
Common items
Address, name, gender, date of birth, nationality, passport number, email address, phone number, fax number, mailing address Facial photo Legal representative information If the member is under 14 years of age, the legal representative’s name, date of birth, nationality, email address, phone number Toyoko Inn Club Card member account Passport number and visa, and other government-issued identification information Corporate business member account Occupation, workplace information (company name, address, phone number, department, position) |
From the time of account creation until deletion. |
| Service improvement | o Providing information on new services, new products, and events; conducting campaigns; sending email newsletters; sending targeted advertisements
o Using customer-specific usage data o Conducting market research |
Address, name, gender, date of birth, nationality, passport number, email address, phone number | From the creation of any one account until deletion. |
| Use for marketing/advertising | o Providing information on new services, new products, and events; conducting campaigns; sending email newsletters; sending targeted advertisements o Using customer-specific usage data o Conducting market research |
Address, name, gender, date of birth, nationality, passport number, email address, phone number | From the creation of any one account until deletion. |
| Website management | o Website development, improvement, optimization o Providing personalized services |
Service usage status, access logs, access IP information | 3 years |
| Facility safety management | o Identifying suspicious objects or persons | Appearance and behavioral information obtained through CCTV | 1 month |
Notwithstanding the above retention period, the Company will retain customers’ personal information in accordance with the relevant laws and regulations such as the Commercial Act, as follows. The Company will use such personal information only for the purpose of retention.
(1) Information on the Company’s commercial register and important documents/vouchers related to business: Important documents for 10 years, vouchers for 5 years (Commercial Act)
(2) Information on books and related documents on all transactions: 5 years (National Tax Basic Act, Corporate Tax Act)
(3) Records on contracts or withdrawal of subscriptions, records on payments and supply of goods, etc.: 5 years (Act on Consumer Protection in Electronic Commerce, etc.)
(4) Records on consumer complaints or dispute resolution: 3 years (Act on Consumer Protection in Electronic Commerce, etc.)
(5) Books and tax invoices or receipts: 5 years (Value-Added Tax Act)
3. Procedure and Method for Destruction of Personal Information
Except when the Company is obligated to retain personal information by other laws and regulations, when the retention period of personal information expires or when personal information is no longer needed due to the achievement of the processing purpose, etc., the Company will destroy such personal information without delay or anonymize it so that individuals cannot be identified in a way that cannot be restored. Personal information recorded and stored in electronic file format will be destroyed so that the records cannot be recovered, and personal information recorded and stored on paper documents will be destroyed by shredding or incineration
4. Consignment of Personal Information Processing
The Company consigns the processing of customers’ personal information to external service providers as follows. In consigning, the Company shall specify in the business consignment contract provisions on prohibiting the handling of personal information other than for the purpose of performing the consigned work, implementing technical and managerial protection measures, restricting re-consignment by the consignee and managing and supervising the re-consignee, and liability for damages, etc., pursuant to Article 26 of the Personal Information Protection Act, and supervise the consignee to ensure that personal information is processed safely.
| Consignee Name | Content of Consigned Works | Name of re-consignee and description of works, if any |
|---|---|---|
| Amazon Web Services, Inc. | Storage of data using AWS | - |
| Google Inc. | Collection and analysis of website browsing history | - |
| Toyoko Inn IT Solution Co., LTD. | Support for the reservation system of the entire Toyoko Inn Group, maintenance of IT infrastructure | - |
| Microsoft Corporation | Conducting campaigns | - |
| Sanha Information Technology Co., LTD. | Sanha Information Technology Co., LTD. Operation and management of information systems, website development, operation, and maintenance |
- |
| Webforum Co., LTD. | Sending Kakao notifications and SMS messages regarding reservation information | - |
5. Provision of Personal Information to Third Parties
The Company provides and jointly uses customers’ personal information to third parties as follows. The Company and its affiliates will appropriately manage and protect customers’ personal information in accordance with the laws and regulations.
| Provider | Purpose of Use | Items of Personal Information Provided | Retention and Usage Period of the Provider |
|---|---|---|---|
| Toyoko Inn Development Co., Ltd. | Same as the purpose of use stated in this Policy | Same as the personal information stated in this Policy | Same as the period stated in this Policy |
| Toyoko Inn International Limited (Japan Branch) | Same as the purpose of use stated in this Policy | Same as the personal information stated in this Policy | Same as the period stated in this Policy |
| Hotel Syoutoku Co., Ltd. | Same as the purpose of use stated in this Policy | Same as the personal information stated in this Policy | Same as the period stated in this Policy |
| Toyoko Inn Jr. Co., Ltd. | Same as the purpose of use stated in this Policy | Same as the personal information stated in this Policy | Same as the period stated in this Policy |
| Hospital Inn Dokkyo Medical University Co., Ltd. | Same as the purpose of use stated in this Policy | Same as the personal information stated in this Policy | Same as the period stated in this Policy |
| Hospital Inn Planning & Development Co., Ltd. | Same as the purpose of use stated in this Policy | Same as the personal information stated in this Policy | Same as the period stated in this Policy |
| Shotoku Building Planning Co., Ltd. | Same as the purpose of use stated in this Policy | Same as the personal information stated in this Policy | Same as the period stated in this Policy |
| PHILIPPINE TOYOKO INN INC. | Same as the purpose of use stated in this Policy | Same as the personal information stated in this Policy | Same as the period stated in this Policy |
| Mongolia Toyoko Inn LLC | Same as the purpose of use stated in this Policy | Same as the personal information stated in this Policy | Same as the period stated in this Policy |
Customers may refuse to provide personal information to third parties through the Company’s personal information protection manager and department in charge.
6. Measures to Secure the Safety of Personal Information
The Company takes the following technical and managerial measures to ensure the safety of customers’ personal information to prevent loss, theft, leakage, alteration, or damage of customers’ personal information.
- (1) Technical Measures
- ① Personal information that is legally required to be encrypted, such as customers’ unique identification information and credit card numbers, is encrypted and stored in the database so that it cannot be used even if it is leaked by an external intrusion.
- ② For sections where customer information is entered and transmitted, such as member registration and login through the website, encryption measures are taken to securely transmit customer information through encrypted communication such as SSL.
- ③ The Company has introduced security solutions to safely manage customers’ information by installing virus protection programs, regularly updating and inspecting personal information processing systems, and applying database access restriction solutions and screen capture prevention solutions as necessary. In addition, an intrusion prevention/detection system has been introduced to prepare for external intrusions such as hacking.
- (2) Managerial Measures
- ① The Company has established internal information management regulations and established and operates a personal information management system to securely store personal information.
- ② The Company regularly conducts personal information protection training for personal information handlers who handle customers’ personal information to ensure that they understand the importance of customer information and thoroughly manage safety. In addition, the Company minimizes suspicious access to or leakage of customers’ personal information through authority setting and management.
7. Matters concerning the installation, operation, and refusal of automatic collection of personal information
- (1) The Company may use “cookies” for the purpose of storing and acquiring usage information from time to time in order to provide personalized services to customers who are users
Cookies refer to a mechanism that temporarily stores data such as usage history and input content created when a website is viewed in a browser on the hard disk of the customer’s PC.- ① Purpose of using cookies
- Cookies are used to provide customers with optimized information by identifying the type of visit and usage status of each service or website visited by the customer and whether the connection is secure. Customers have the right to choose whether to install cookies. Therefore, by setting options on the website, customers can allow all cookies, confirm each time a cookie is saved, or refuse to save all cookies.
- ② How to refuse cookie settings
- Customers can allow all cookies, confirm each time a cookie is saved, or refuse to save all cookies by selecting the option in the web browser they use.
- ※How to set
- Microsoft Edge: Settings > Cookies and site permissions > Select how to set at the top of the web browser.
- Google Chrome: Settings > Privacy and security > Select how to set cookies or other site data at the top of the web browser.
- (2) The Company uses Google Analytics provided by Google to understand service usage and improve the convenience of services.
- ① Purpose of using Google Analytics
Google Analytics collects and analyzes browsing history in a form that does not include information that identifies specific individuals using cookies, etc., and the Company obtains the results. The Company can use this information to understand customer usage and use it for service development, improvement, etc. - ② How to refuse information processing by Google Analytics
You can refuse information processing by Google Analytics by changing the add-on settings of your browser from the following Google Analytics Opt-out Browser Add-on. Also, the information collected by Google Analytics is managed based on Google's privacy policy.
Google Analytics Terms of Service
https://www.google.com/analytics/terms/kr.html
Google Privacy Policy
https://www.google.com/intl/ko/policies/privacy/
Google Analytics Opt-out Browser Add-on
https://tools.google.com/dlpage/gaoptout?hl=ko
How Google uses information from sites or apps that use Google's services
https://policies.google.com/technologies/partner-sites?hi=ko
In addition, customers can block the advertising features of Google Analytics by setting options on their web browser or mobile device. - ※How to set
Google Chrome: Settings > Manage your Google Account > Data and privacy > Personalized advertising > Turn off Show personalized ads.
Android: Settings > Security and privacy > More privacy settings > Ads > Ads personalization > Disable.
iOS: Settings > Privacy > Apple Advertising > Personalized Ads.
Microsoft Edge: “…” displayed in the upper right corner of the browser > Extensions > Manage extensions > Turn on “Google Analytics Opt-out Add-on (provided by Google)”.
- ① Purpose of using Google Analytics
8. Matters concerning the collection, use, provision, and refusal of behavioral information
- (1) Regarding the processing of behavioral information
- The Company collects and uses behavioral information in the process of customers using the Company's services in order to provide customized services and benefits optimized for the information subject and customized online advertising. In collecting behavioral information, only the minimum amount of behavioral information necessary for customized online advertising is collected, and sensitive behavioral information that is likely to clearly infringe on personal rights, interests, or privacy, such as thoughts, beliefs, family, education, medical history, and other social activity history, is not collected.
- (2) Method of refusal (standard methods are described. “Setting method” may differ depending on the version of the application or browser.)
-
① Mobile application
Mobile applications collect and use advertising identifiers for personalized online advertising. Customers can block personalized ads within the app by changing the settings on their mobile device.
※Setting method (menus and methods may differ slightly depending on the version of the mobile OS)
Android: Settings > Security and privacy > More privacy settings > Ads > Reset advertising ID Delete advertising ID Disable.
iPhone: Settings > Privacy > Tracking > Turn off Allow apps to request to track.
② Web browser
Customers can block customized online advertising by changing the cookie settings of their web browser. Also, changing cookie settings may affect the use of some services, such as automatic login to websites.
※Setting method
Microsoft Edge; Click 「…」 in the upper right corner and select Settings > Privacy, search, and services > In the Tracking prevention section, turn off 「Always use 'Strict' tracking prevention when browsing InPrivate」
Google Chrome; Click 「⁝」 in the upper right corner and select Settings > Privacy and security > Select 「Block third-party cookies」.
Safari: 「Settings」 → 「Privacy」 tab → Turn off 「Website Tracking」.
9. Rights, Obligations, and Methods of Exercising Rights of Clients and Legal Representatives
Customers and legal representatives (if the customer is a child under the age of 14) may exercise their rights at any time by contacting the Company to withdraw consent to the collection and use of personal information, or to request access to, correction, deletion, or suspension of the processing of personal information.
- (1) How to make a request or exercise rights
- You can do this by accessing our website online or by contacting our personal information protection officer in writing, by phone, or by email.
- (2) The Company’s response
- ① The Company will confirm that the person requesting access, correction, deletion, or suspension of processing under the customer's rights is the person themselves or their legal representative.
- ② Requests for access to and suspension of processing of personal information may be restricted pursuant to Article 35, Paragraph 4 and Article 37, Paragraph 2 of the Personal Information Protection Act.
- ③ Requests for correction or deletion of personal information that is subject to collection under other laws and regulations are not possible.
- ④ If the Company receives a request from a customer to correct an error in personal information, the Company will use the relevant personal information until the correction of the error is completed. If the Company has already provided the relevant personal information to a third party at the time of correction, the Company will notify the third party without delay to correct the error.
- ⑤ If a customer or their legal representative withdraws consent to the processing of personal information, the Company will destroy the relevant personal information without delay, but if there is an obligation to retain it under relevant laws and regulations, it will be handled in accordance with “2. Purpose, Items, and Retention Period of Use of Personal Information” of this Policy, and measures will be taken to allow access and use only to the extent necessary.
10. Remedies for infringement of customer rights and interests
Customers can contact the following organizations for relief or consultation regarding damage caused by infringement of personal information.
- ‣ Personal Information Infringement Reporting Center (operated by the Korea Internet & Security Agency)
- ・Scope of work: Reporting and consulting on personal information infringement
- ・Website: privacy.kisa.or.kr
- ・Phone number: 118 (without area code)
- ‣ Personal Information Dispute Mediation Committee
- ・Duties: Application for mediation of personal information disputes, mediation of group disputes (civil resolution)
- ・Website: www.kopico.go.kr
- ・Phone number: 1833-6972 (without area code)
- ‣ Supreme Prosecutors' Office: 1301 (www.spo.go.kr)
- ‣ National Police Agency: 182 (ecrm.cyber.go.kr)
- ‣ Personal Information Protection Commission of Japan
- ・Scope of work: Reporting and consulting on personal information infringement
- ・Website: https://www.ppc.go.jp
- ・Phone number: +81 3-6457-9849
11. Personal Information Protection Manager (Inquiries)
The Company has appointed a personal information protection manager and personnel who are responsible for ensuring that the Company's handling of personal information is appropriate
Personal Information Protection Manager: Masatoshi Abe
Customers can contact the personal information management manager regarding questions, complaints, infringement remedies, and the exercise of rights as an information subject regarding their personal information handled by the Company. The Company will respond to inquiries from customers without delay.
Personal Information Protection Officer: Eunjo Na
Contact: privacy@toyoko-inn.com
12. International Transfer of Personal Information
The Company transfers customers' personal information outside of Korea as follows.
If there are any changes to the matters stated here, the Company will notify customers and obtain their consent.
| Recipient of transfer and contact information | Country of transfer | Purpose and method of transfer | Items transferred | Purpose of use | Processing period |
|---|---|---|---|---|---|
| Amazon Web Services, Inc. https://d1.awsstatic.com/legal/privacypolicy/AWS_Privacy_Notice_Korean_2023-09-22.pdf |
EU | Transfer of data through information networks as needed | Personal information as stated in this Policy | Provision and performance of AWS services | Same as stated in this Policy |
| Google Inc. https://policies.google.com/privacy?hl=ko |
Japan | Transfer of data through information networks as needed | Information obtained from cookies, including browsing history | Understanding the usage status of the Company's services | Until the browsing history is analyzed and the results are sent to the Company |
| Toyoko Inn Co., Ltd. Contact information is as stated in this Policy |
United States | Transfer through information networks upon acquisition of information as stated in this Policy | Personal information as stated in this Policy | Improving the convenience of the Company's services | Same as stated in this Policy |
| Toyoko Inn Development Co., Ltd. Contact information is the same as Toyoko Inn Co., Ltd. |
Japan | Sharing data when acquired by Toyoko Inn Co., Ltd. | Same as the personal information stated in this Policy | Purpose of use as stated in this Policy | Same as the period stated in this Policy |
| Toyoko Inn International Limited (Japan Branch) Contact information is the same as Toyoko Inn Co., Ltd. |
Japan | Sharing data when acquired by Toyoko Inn Co., Ltd. | Same as the personal information stated in this Policy | Same as the purpose of use stated in this Policy | Same as the period stated in this Policy |
| Hotel Syoutoku Co., Ltd. Contact information is the same as Toyoko Inn Co., Ltd. |
Japan | Sharing data when acquired by Toyoko Inn Co., Ltd. | Same as the personal information stated in this Policy | Same as the purpose of use stated in this Policy | Same as the period stated in this Policy |
| Toyoko Inn Jr. Co., Ltd. Contact information is the same as Toyoko Inn Co., Ltd. |
Japan | Sharing data when acquired by Toyoko Inn Co., Ltd. | Same as the personal information stated in this Policy | Same as the purpose of use stated in this Policy | Same as the period stated in this Policy |
| Hospital Inn Dokkyo Medical University Co., Ltd. Contact information is the same as Toyoko Inn Co., Ltd. |
Japan | Sharing data when acquired by Toyoko Inn Co., Ltd. | Same as the personal information stated in this Policy | Same as the purpose of use stated in this Policy | Same as the period stated in this Policy |
| Hospital Inn Planning & Development Co., Ltd. Contact information is the same as Toyoko Inn Co., Ltd. |
Japan | Sharing data when acquired by Toyoko Inn Co., Ltd. | Same as the personal information stated in this Policy | Same as the purpose of use stated in this Policy | Same as the period stated in this Policy |
| Shotoku Building Planning Co., Ltd. Contact information is the same as Toyoko Inn Co., Ltd. | Japan | Sharing data when acquired by Toyoko Inn Co., Ltd. | Same as the personal information stated in this Policy | Same as the purpose of use stated in this Policy | Same as the period stated in this Policy |
| PHILIPPINE TOYOKO INN INC. Contact information is the same as Toyoko Inn Co., Ltd. | Philippines | Sharing data when acquired by Toyoko Inn Co., Ltd. | Same as the personal information stated in this Policy | Same as the purpose of use stated in this Policy | Same as the period stated in this Policy |
| Mongolia Toyoko Inn LLC Contact information is the same as Toyoko Inn Co., Ltd. | Mongolia | Sharing data when acquired by Toyoko Inn Co., Ltd. | Same as the personal information stated in this Policy | Same as the purpose of use stated in this Policy | Same as the period stated in this Policy |
| Microsoft Corporation https://privacy.microsoft.com/ja-jp/privacystatement#mainhowtocontactusmodule |
United States | United States Transfer of data through information networks as needed |
Address, name, gender, email address, phone number | Implementation of campaigns | From the start of the campaign until its end |
Customers may refuse the transfer of personal information overseas through the Company's personal information protection manager and department in charge. However, if the customer refuses the transfer of personal information overseas, they will not be able to use the services provided by the Toyoko Inn app.
13. Changes to the Privacy Policy
If the Company changes this Policy, it will do so after announcing the details of the change, the reason for the change, and the effective date and time of the changed Policy on the website in advance.