Privacy Policy
Korea Digital Asset Co., Ltd. (the "Company") places the utmost importance on the protection of users' personal information and makes every effort to safeguard the personal information provided by users in order to use the Company's services (digital asset custody services). The Company complies with the "Personal Information Protection Act" and other applicable laws and regulations relating to personal information.
The Company discloses this Privacy Policy on its website so that users may easily review it at any time.
- Purpose of Processing Personal Information
- Retention and Use Period of Personal Information
- Provision of Personal Information to Third Parties
- Outsourcing of Personal Information Processing and Cross-border Transfer
- Rights, Obligations, and Exercise Methods of Users and Their Legal Representatives
- Items of Personal Information Processed
- Destruction of Personal Information
- Measures to Ensure Security of Personal Information
- Installation, Operation, and Rejection of Automatic Collection Devices of Personal Information
- Personal Information Protection Officer
- Requests for Access to Personal Information
- Remedies for Rights Infringement
- Changes to the Privacy Policy
1. Purpose of Processing Personal Information
The Company processes personal information for the following purposes. The personal information processed will not be used for purposes other than those specified below. In the event of a change in purpose, the Company will take necessary measures such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.
Service inquiries
- Provision of service information and customized services
Provision of Custody Services
- User identification and management of user information
- Establishment, maintenance, and termination of digital asset custody transaction relationships, and other matters related to overall service provision
2. Retention and Use Period of Personal Information
① The Company processes and retains personal information within the retention and use period consented to by users at the time of collection, or within the period prescribed by law.
② The specific retention and use periods for personal information are as follows:
Service inquiries
- Destroyed without delay once the purpose of the inquiry has been achieved
Custody services
- User Management : Until user withdrawal
- Service Provision : Until completion of service supply and related settlement of fees
③ Notwithstanding Paragraph ②, the Company may process and retain personal information until the end of the following periods:
| Category | Relevant Law | Period |
|---|---|---|
| Records of customer due diligence and transaction information | Act on Reporting and Using Specified Financial Transaction Information, Article 5-4 | 5 years |
| Records relating to contracts | Act on Consumer Protection in Electronic Commerce, Article 6 | 5 years |
| Records of payments and supply of goods | ||
| Records of consumer complaints, and dispute resolution | ||
| Records of login | Protection of Communications Secrets Act, Article 15-2 | At least 3 months |
| Records of digital asset transaction | Act on the Protection of Users of Virtual Assets, Article 9 | 15 years |
3. Provision of Personal Information to Third Parties
The Company does not use users' personal information beyond the scope notified to users or stated in the Terms of Service, nor does it provide such information to third parties. However, exceptions are made where the user consents or in the following cases:
① Travel Rule: To comply with the Act on Reporting and Using Specified Financial Transaction Information and to protect users' assets, the Company may provide certain personal information to domestic and foreign Virtual Asset Service Providers (VASPs) when processing virtual asset withdrawals.
| Purpose | Recipients | Information Provided | Legal Basis for Provision |
|---|---|---|---|
| Provision of Transaction Information Records | Upbit | Encrypted Name, Virtual Asset Address | Act on Reporting and Use of Specific Financial Transaction Information |
| Provision of Transaction Information Records | Bithumb | Encrypted Name, Virtual Asset Address | Act on Reporting and Use of Specific Financial Transaction Information |
| Provision of Transaction Information Records | Coinone | Encrypted Name, Virtual Asset Address | Act on Reporting and Use of Specific Financial Transaction Information |
| Provision of Transaction Information Records | Korbit | Encrypted Name, Virtual Asset Address | Act on Reporting and Use of Specific Financial Transaction Information |
| Provision of Transaction Information Records | Hexlant | Encrypted Name, Virtual Asset Address | Act on Reporting and Use of Specific Financial Transaction Information |
| Provision of Transaction Information Records | KDAC | Encrypted Name, Virtual Asset Address | Act on Reporting and Use of Specific Financial Transaction Information |
| Provision of Transaction Information Records | Flybit | Encrypted Name, Virtual Asset Address | Act on Reporting and Use of Specific Financial Transaction Information |
| Provision of Transaction Information Records | Gopax | Encrypted Name, Virtual Asset Address | Act on Reporting and Use of Specific Financial Transaction Information |
| Provision of Transaction Information Records | Beeblock | Encrypted Name, Virtual Asset Address | Act on Reporting and Use of Specific Financial Transaction Information |
| Provision of Transaction Information Records | Pravang | Encrypted Name, Virtual Asset Address | Act on Reporting and Use of Specific Financial Transaction Information |
| Provision of Transaction Information Records | FlataExchange | Encrypted Name, Virtual Asset Address | Act on Reporting and Use of Specific Financial Transaction Information |
| Provision of Transaction Information Records | FOBLGATE | Encrypted Name, Virtual Asset Address | Act on Reporting and Use of Specific Financial Transaction Information |
| Provision of Transaction Information Records | Borabit | Encrypted Name, Virtual Asset Address | Act on Reporting and Use of Specific Financial Transaction Information |
| Provision of Transaction Information Records | COREDAX | Encrypted Name, Virtual Asset Address | Act on Reporting and Use of Specific Financial Transaction Information |
| Provision of Transaction Information Records | PayCoin | Encrypted Name, Virtual Asset Address | Act on Reporting and Use of Specific Financial Transaction Information |
| Provision of Transaction Information Records | OASIS | Encrypted Name, Virtual Asset Address | Act on Reporting and Use of Specific Financial Transaction Information |
| Provision of Transaction Information Records | InfiniteBlock | Encrypted Name, Virtual Asset Address | Act on Reporting and Use of Specific Financial Transaction Information |
② Provision under Law
The Company may provide documents including users' personal information to courts, investigative agencies, the National Tax Service, and other authorities pursuant to orders of document submission or warrants issued under applicable laws and procedures.
4. Outsourcing of Personal Information Processing and Cross-border Transfer
To provide more convenient and improved services, the Company outsources part of its business to professional external service providers and supervises them to prevent violations of applicable laws. In the event of any changes in the details of outsourced tasks or service providers, such changes will be disclosed without delay through this Privacy Policy.
To ensure smooth service delivery, some personal information is also entrusted to foreign service providers for processing. Users may refuse cross-border transfers of their personal information by submitting a written or email request (support@kodax.com) to the Company's Personal Information Protection Officer. However, such refusal may restrict the user's ability to use the related services.
| Provider | Purpose | Items | Country | Method | Period |
|---|---|---|---|---|---|
| Google LLC | Japan Region Cloud Service for Service Operation | Name, Address, Email, Service Usage Records, Access Logs, Access IP | Japan, Korea(asia-northeast3) region, Contact : googlekrsupport@google.com | Transmitted via network upon service use | Until user withdrawal or termination of outsourcing contract |
| TypeForm | For conducting website surveys | Email, Mobile Phone Number, Name, Company Name, Position | Spain, Contact : support@typeform.com | Until survey completion or termination of outsourcing contract | |
| VerifyVASP | For virtual asset Travel Rule | Sender/Recipient Name, Virtual Asset Wallet Address | Republic of Korea, Contact : support@codevasp.com | Until termination of outsourcing contract |
5. Rights and Obligations of Users and Legal Representatives
① Users may at any time exercise rights such as requesting access, correction, deletion, or suspension of processing of personal information. However, these rights may be restricted under Articles 35(4), 36(1), and 37(2) of the Personal Information Protection Act.
② Requests may be made in writing, by email, or fax as prescribed by Article 41(1) of the Enforcement Decree of the Act, and the Company will promptly take action.
③ The exercise of rights under Paragraph 1 may be carried out through the user's legal representative or an authorized agent. In such cases, a power of attorney in the form prescribed in Annex Form No. 11 of the "Notice on the Methods of Processing Personal Information (No. 2020-7)" must be submitted.
④ A request for the correction or deletion of personal information may not be made if the personal information is expressly specified as a subject of collection under other applicable laws or regulations.
⑤ When a user exercises the right to request access, correction or deletion, or suspension of processing, the Company shall verify whether the person making the request is the data subject themselves or a duly authorized representative.
6. Items of Personal Information Processed
The Company collects the following personal information items to provide digital asset custody services.
Service Inquiries
- Required items: Email, mobile phone number, name, company name, title
Provision of Digital Asset Custody Services
- Required items: Corporate transaction application form and customer transaction confirmation form (name in Korean/English, date of birth, residence address, nationality, email address, mobile phone number), Power of attorney for representative/agent (name, resident registration number, residence address, mobile phone number), Corporate seal certificate (representative's name, representative's resident registration number), Shareholder register (representative's name, residence address, resident registration number), Representative/agent identification card
- Collected items for asset transfers: Name of sender/beneficiary, address of sender/beneficiary, mobile phone number of sender
7. Destruction of Personal Information
① The Company destroys personal information without delay when the retention period has expired, the processing purpose has been achieved, or the personal information otherwise becomes unnecessary.
② If the retention period of personal information agreed upon by the user has expired, or the processing purpose has been achieved, but preservation is required under other laws, the relevant personal information will be stored in a separate database (DB) or preserved in a different storage location.
- Legal basis: Act on Reporting and Using Specified Financial Transaction Information
- Scope: Personal information of withdrawn members with transaction records
- Items collected: Email, name, company name
③ The procedures and methods for destroying personal information are as follows:
- Destruction procedures: The Company selects personal information for which destruction reasons have arisen and destroys it with the approval of the Company's Personal Information Protection Officer.
- Destruction methods: Information in electronic file form is destroyed using technical methods that make record reproduction impossible. Printed personal information is shredded with a shredder or incinerated.
8. Measures to Ensure the Security of Personal Information
In accordance with Article 29 of the Personal Information Protection Act, the Company takes the following measures to ensure the security of personal information:
① Regular internal audits
The Company conducts quarterly internal audits to ensure the stability of personal information handling.
② Minimization and training of staff handling personal information
The Company designates specific staff to handle personal information and restricts access to such staff, implementing measures to minimize the number of personnel with access.
③ Establishment and implementation of an internal control plan
The Company has established and implemented an internal control plan to ensure safe processing of personal information.
④ Technical measures against hacking, etc.
To prevent leakage and damage of personal information caused by hacking or computer viruses, the Company installs security programs, performs regular updates and inspections, installs systems in areas with restricted external access, and employs technical and physical monitoring and blocking measures.
⑤ Encryption of personal information
Users' personal information and passwords are stored and managed in encrypted form, accessible only by the user. Important data is protected using additional security measures such as file and transmission encryption or file locking functions.
⑥ Retention and prevention of falsification of access records
The Company retains and manages records of access to the personal information processing system for at least one year and uses security functions to prevent alteration, theft, or loss of such records.
⑦ Access restriction to personal information
The Company takes necessary measures to control access to personal information by granting, changing, or revoking access rights to the database system processing personal information and controls unauthorized external access using intrusion prevention systems.
⑧ Use of locking devices for document security
Documents and auxiliary storage media containing personal information are stored in secure locations with locking devices.
⑨ Access control for unauthorized persons
The Company has designated physical storage locations for personal information and has established and operates access control procedures.
9. Matters Concerning the Installation, Operation, and Refusal of Automatic Collection Devices of Personal Information
① The Company uses "cookies" that store and retrieve user information to provide personalized services. In addition, the Company uses Typeform to analyze users' website usage behavior for service improvement.
② A cookie is a small piece of information sent from the server(http) operating the website to the user's web browser and is sometimes stored on the hard disk of the user's PC.
A. Purpose and types of cookies:
- General cookies: Used to understand the user's visit and usage patterns of services and websites, popular search terms, secure connection status, etc., in order to provide optimized information to the user.
- Typeform cookies: Used to analyze user service usage patterns and preferences to provide personalized services and improve user experience.
B. Installation, operation, and refusal of cookies: Users can refuse cookie storage by adjusting the options in the Privacy menu under Tools > Internet Options in the web browser.
C. If cookie storage is refused, difficulties may arise in using personalized services.
10. Chief Privacy Officer
① The Company designates the following Chief Privacy Officer who is responsible for the overall management of personal information processing and handles user complaints and remedies related to personal information processing.
Chief Privacy Officer
- Name : Jinseok Cho
- Position : CEO
- Email : support@kodax.com
② Users may contact the Chief Privacy Officer and the relevant department for all inquiries, complaints, and remedies related to personal information protection that arise while using the Company's services. The Company will respond to and handle user inquiries without delay.
11. Request for Access to Personal Information
Pursuant to Article 35 of the Personal Information Protection Act, users may request access to their personal information from the department listed below. The Company will make every effort to ensure that users' requests for access are processed promptly.
Department for Receiving and Processing Requests for Access to Personal Information
- Department Name : Compliance
- Contact Number: +82-2-561-4762
- Email: support@kodax.com
12. Remedies for Rights Infringement
For assistance with remedies and consultation regarding personal information infringement, please contact the following organizations:
- Personal Information Dispute Mediation Committee : 1833-6972 (www.kopico.go.kr)
- Personal Information Infringement Report Center : 118 (privacy.kisa.or.kr)
- Supreme Prosecutors' Office Cyber Investigation Department : 1301 (www.spo.go.kr)
- National Police Agency Cyber Bureau : 182 (ecrm.police.go.kr/minwon/main)
13. Changes to the Privacy Policy
When the Company changes its Privacy Policy, it will continuously disclose the timing of the changes and implementation, as well as the revised content. The Company will also make it easy for users to confirm the changes by comparing the content before and after revision.
<Supplementary Provisions>
(Effective Date) This Privacy Policy shall apply from September 30, 2025.
Change Details: Change of Department Handling Requests for Access to Personal Information and Support for English