Privacy Policy
Effective date: 15 July 2026 · Last updated: 15 July 2026
TOSKY Inc. ("the Company") establishes and discloses the following Privacy Policy in accordance with the Personal Information Protection Act (PIPA) of the Republic of Korea and related laws, in order to protect the personal information of data subjects and to handle related grievances promptly. This policy applies to the corporate website operated by the Company (the "Website").
Article 1 (Categories of Personal Information Processed)
The Company collects and uses the minimum personal information necessary to provide its services within the scope of the purposes set out below. When obtaining consent, the Company distinguishes between mandatory and optional items so that data subjects can clearly recognise them, and does not refuse to accept an inquiry or a job application on the grounds that a data subject declined to provide optional items.
- When you submit a business inquiry (Contact form)
- a. Mandatory: company name, contact person's name, email address, product or solution of interest, inquiry message
- b. Optional: phone number, company size
- c. Automatically recorded: the date and time of your consent to the collection and use of personal information, and the language setting at the time of submission
- When you apply for a job (Quick apply)
- a. Mandatory: name, email address, phone number, résumé file and the information you enter in that file
- b. Optional: application message
- c. Automatically recorded: the date and time of your consent to the collection and use of personal information, and the job posting applied for
- d. You decide what information to include in your résumé file. The Company does not require résumés to contain resident registration numbers or other unique identifiers, nor any sensitive information as defined under PIPA.
- Information generated and collected automatically while you use the Website
- Access IP address, access date and time, and browser or device information may be automatically recorded as access logs in the course of operating the web server and the content delivery network (CDN).
- Information the Company does not collect
- The Website provides neither membership registration nor paid payment functions. Accordingly, the Company does not collect account credentials, passwords, payment method information, or transaction histories.
- The Company does not collect resident registration numbers or other unique identifiers, sensitive information, or location information through the Website.
Article 2 (Purposes of Processing Personal Information)
The Company processes personal information for the purposes set out below. Where a purpose is changed, the Company takes the measures required under Article 18 of PIPA.
- Receiving and verifying business inquiries, providing consultation and replies, and managing the history of inquiry handling
- Receiving and verifying job applications, identifying and contacting applicants, conducting the recruitment process, and notifying applicants of the outcome
- Sending notification emails to inform the Company's staff that an inquiry or application has been received
- Ensuring the security of Website operations, responding to incidents, and preventing misuse
Article 3 (Retention and Use Period, Destruction Procedure and Method)
- Where personal information becomes unnecessary — for example because the retention period has elapsed or the purpose of processing has been achieved — the Company destroys it without delay. However, where personal information must be retained under other statutes, the Company stores and manages it separately from other personal information.
- The retention period for each category is as follows.
| Category | Retention and use period |
|---|---|
| Business inquiry information (company name, contact person's name, email, phone number, company size, inquiry message) | Destroyed without delay once the purpose of handling the inquiry has been achieved |
| Job application information (name, email, phone number, application message) | Destroyed without delay once 180 days have elapsed after the end of the recruitment process |
| Résumé files | Destroyed without delay once 180 days have elapsed after the end of the recruitment process (destruction of recruitment documents under Article 11 of the Fair Hiring Procedure Act) |
| Website access logs | Until the purpose of ensuring security and responding to incidents has been achieved |
- Destruction procedure: the Company identifies the personal information for which grounds for destruction have arisen and destroys it with the approval of the Chief Privacy Officer.
- Destruction method
- a. Information in electronic file form: permanently deleted using a method that makes recovery impossible. Résumé files are deleted upon expiry of the retention period configured on the storage.
- b. Information in paper form: shredded or incinerated.
- A data subject may request deletion of their personal information under Article 6 even before the retention period has elapsed, and the Company destroys it without delay unless it is subject to a statutory retention obligation.
Article 4 (Provision of Personal Information to Third Parties)
The Company processes personal information only within the scope specified in Articles 1 and 2, and does not, in principle, provide it to third parties. Personal information may be provided to third parties only within the scope permitted under PIPA, such as where the data subject has consented or where a statute permits it. Where the Company provides personal information to a third party with the data subject's consent, it informs the data subject in advance of the recipient, the purpose of provision, the items provided, the retention and use period, the right to refuse consent, and any disadvantage of refusal, and obtains consent.
At present, the Company does not provide any personal information collected through the Website to third parties.
Article 5 (Consignment of Personal Information Processing)
- In order to provide its services smoothly, the Company consigns part of the processing of personal information as follows.
| Consignee | Consigned work | Retention and use period |
|---|---|---|
| Amazon Web Services | Hosting of the Website server and database, storage of résumé files in private storage, and operation of the content delivery network (CDN) | Until termination of the consignment agreement or expiry of the retention period under Article 3 |
- Where the Company consigns the processing of personal information, in accordance with Article 26 of PIPA it specifies in the contract the prohibition of processing personal information beyond the purpose of performing the consigned work, technical and administrative safeguards, restrictions on re-consignment, supervision of the consignee, and liability such as damages, and supervises whether the consignee processes personal information safely.
- Where the content of the consigned work or the consignee changes, the Company discloses the change without delay through this Privacy Policy.
- In connection with the above consignment, personal information collected through the Website is stored in a cloud region located within the Republic of Korea (AWS Seoul Region).
Article 6 (Rights and Obligations of Data Subjects and How to Exercise Them)
- Data subjects may exercise the following rights against the Company at any time.
- a. The right to request access to personal information
- b. The right to request correction or deletion of personal information
- c. The right to request suspension of processing of personal information
- d. The right to withdraw consent to the processing of personal information
- Rights may be exercised in writing, by email or by other means using the contact details of the Chief Privacy Officer in Article 7 (email dev@tosky.co.kr, telephone 02-453-4628), and the Company will act on such requests without delay.
- The Company notifies the data subject of the outcome (including refusal or partial restriction) within 10 days of receiving a request for access to, correction or deletion of, or suspension of the processing of personal information. Where consent is withdrawn, the Company takes the necessary measures without delay in accordance with the applicable laws.
- Where the Company refuses or restricts a data subject's request on grounds permitted by law, it also informs the data subject of the reason and of how to file an objection.
- Data subjects may exercise their rights through a representative, such as a legal representative or a duly authorised agent. In such cases a power of attorney in the form prescribed by the Notice on Methods of Processing Personal Information (Annexed Form No. 11) must be submitted.
- Data subjects must not infringe the personal information or privacy of others processed by the Company in violation of PIPA or other applicable laws.
Article 7 (Chief Privacy Officer and Department Handling Access Requests)
The Company has designated a Chief Privacy Officer as set out below, who takes overall responsibility for personal information processing and handles complaints and remedies for data subjects in relation to personal information processing. Data subjects may direct any inquiries, complaints or requests for remedy relating to personal information protection arising from their use of the Website to the contact details below, and the Company will respond and act without delay.
| Item | Details |
|---|---|
| Chief Privacy Officer | Byungkwon Yoo / CEO |
| Department | Privacy Protection Team |
| Telephone | 02-453-4628 |
| dev@tosky.co.kr | |
| Department handling access requests | Privacy Protection Team (same contact details as above) |
| Hours | Weekdays 10:00 – 17:00 (KST) |
Article 9 (Measures to Ensure the Safety of Personal Information)
In accordance with Article 29 of PIPA and its Enforcement Decree, the Company takes the following measures to ensure the safety of personal information.
- Administrative measures: establishing, implementing and periodically reviewing an internal management plan; minimising and training personnel who handle personal information; and operating criteria for granting, changing and revoking access rights
- Technical measures: restricting and controlling access to the personal information processing system; storing administrator authentication credentials using one-way encryption; encrypting data in transit via HTTPS; retaining access logs and preventing their forgery or alteration; and installing and operating anti-malware software
- Measures for résumé files: résumé files are stored in private storage that cannot be accessed directly from outside. They are made available only through a temporary access link that expires after 15 minutes, issued when an authorised member of staff views the file through the administration pages.
- Physical measures: physical safeguards and access control for the cloud data centre in which personal information is stored are implemented by the consignee referred to in Article 5, and the Company supervises such measures.
Article 10 (Notification and Reporting of Personal Information Breaches)
- Where the Company becomes aware of a loss, theft or leakage of personal information (a "breach"), it notifies the affected data subjects in writing or by other means within 72 hours in accordance with Article 34 of PIPA, of the categories of personal information affected, the time and circumstances of the breach, the steps data subjects can take to minimise harm, the Company's response measures and remedy procedures, and the department and contact details for reporting damage or receiving consultation.
- Where notification within 72 hours is difficult because urgent measures are required to prevent the spread of the breach or further leakage, or due to unavoidable circumstances such as a natural disaster, the Company notifies data subjects without delay once such grounds have been resolved.
- Where there is a justifiable reason such as the contact details of the data subject being unknown, the Company may substitute notification by posting the relevant information on the Website for at least 30 days.
- Where personal information of 1,000 or more data subjects has been affected, where sensitive information or unique identifiers have been affected, or where personal information has been affected by unlawful external access, the Company reports the breach to the Personal Information Protection Commission or the Korea Internet & Security Agency within 72 hours of becoming aware of it.
- Where a breach occurs, the Company establishes countermeasures to minimise harm and implements the necessary measures.
Article 11 (Remedies for Infringement of Data Subjects' Rights)
Data subjects may apply to the organisations below for dispute resolution or consultation in order to obtain relief from an infringement of their personal information. These organisations are separate from the Company; please contact them if you are not satisfied with the Company's own handling of your complaint or remedy, or if you require more detailed assistance.
- Personal Information Infringement Report Centre: 118 (privacy.kisa.or.kr)
- Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
- Cybercrime Investigation Division, Supreme Prosecutors' Office: 1301 (www.spo.go.kr)
- National Office of Investigation, Korean National Police Agency: 182 (ecrm.police.go.kr)
In addition, where a data subject's rights or interests are infringed by a disposition or omission by the Company in relation to a request for access to, correction or deletion of, or suspension of the processing of personal information, the data subject may request an administrative appeal in accordance with the Administrative Appeals Act.
Article 12 (Changes to this Privacy Policy)
- Where the Company adds to, deletes from or amends this Privacy Policy, it will announce the reasons for and details of the change on the Website at least 7 days before the change takes effect (at least 30 days before, in the case of a change that is disadvantageous or material to data subjects).
- Where this Privacy Policy is amended, the Company takes measures to enable data subjects to readily compare the content before and after the change.
This Privacy Policy applies from 15 July 2026.