Privacy Policy

Data controller (operator): AtoC Korea, LLC ("we," "us," "our"), a Wyoming limited liability company. For purposes of the Republic of Korea's Personal Information Protection Act (PIPA), we are the personal information controller responsible for the processing described in this policy.

• Registered address: 30 N Gould St, STE R, Sheridan, WY 82801, USA
• Operating/contact address: #221-8, 284 Gilju-ro, Wonmi-gu, Bucheon-si, Gyeonggi-do, Republic of Korea
• Contact: support@atockorea.com
• Korea operations: AtoC Korea, Korea — local tour operations and partner management (General Travel Business; Business Registration No. 277-01-03977)

This Privacy Policy applies to personal information we collect through our website atockorea.com, our booking platform, contact forms, email (including support@atockorea.com), and any linked services we operate. It applies to users and visitors in the Republic of Korea, the United States (including residents of California and other states with comprehensive privacy laws), and other jurisdictions where we offer services.

We collect only the personal information necessary to provide our services, fulfill contracts, and comply with law. Below we describe the categories of personal information we may have collected in the preceding 12 months (for U.S. disclosure purposes) and the types of data we process (for clarity under Korean and other laws).

• Identifiers: Name, email address, telephone number, IP address, device identifiers, account ID.
• Commercial information: Booking history, payment-related information (when we offer card or online payment, we do not store full card numbers; payment processing is handled by the third-party processor we engage for that purpose).
• Internet or network activity: Browsing and usage data on our site (e.g., pages visited, referring URL), logs related to access and errors.
• Geolocation data: Approximate location from IP or device settings when you use our site or app, only where necessary for the service.
• Inferences: We do not create profiles for targeted advertising; any preferences (e.g., language) are used only to operate the service.
• Communications: Contents of messages you send us (contact form, support email, inquiry) and metadata (e.g., time, channel).
• Sensitive personal information (where defined by law): We do not knowingly collect sensitive categories (e.g., precise geolocation for tracking, health, financial account credentials for our own storage) beyond what is strictly necessary for booking and support. When we offer card payment, card data is processed by the payment processor we use; we do not retain full card numbers.

Sources of information: We collect information (1) directly from you (account registration, booking, contact forms, emails, preferences), (2) automatically when you use our website (cookies, logs, device data), and (3) from third parties only as needed (e.g., when we use a payment processor, status from that processor; tour provider for fulfillment).

We process personal information for the following purposes:

• To create and manage your account and authenticate you.
• To process, confirm, and manage bookings and reservations and to facilitate payments when we offer that option.
• To communicate with you about your bookings, updates, cancellations, and essential service messages.
• To respond to inquiries, complaints, and support requests (including emails to support@atockorea.com).
• To comply with legal, regulatory, tax, and accounting obligations (e.g., retention of transaction records).
• To operate, secure, and improve our website and platform (e.g., analytics, error monitoring, fraud prevention).
• To enforce our Terms of Service and protect our rights and the rights of others.
• To send marketing or promotional communications only where you have given consent or where permitted by law, with an easy opt-out.

We do not use your personal information for purposes materially different from those described here without notifying you and, where required by law, obtaining your consent.

We retain personal information only for as long as necessary to fulfill the purposes above or as required by law. Unless a specific law requires a longer period:

• Account data: For the duration of your account plus a reasonable period after closure for dispute resolution and legal compliance (e.g., up to the applicable statute of limitations or as required by tax/accounting law).
• Booking and transaction data: As required for contract performance, refunds, and legal/accounting obligations (typically several years as per applicable law).
• Contact and inquiry data: Until the inquiry is resolved and for a limited period thereafter for quality and legal purposes.
• Marketing consent and preferences: Until you withdraw consent or opt out, then we cease use and delete or anonymize as per our retention schedule.
• Logs and technical data: For a limited period necessary for security and troubleshooting (e.g., up to 12–24 months unless a longer period is required by law).

When retention is no longer necessary, we delete or anonymize the information in accordance with our destruction procedures (Section 5).

When personal information is no longer needed for the purposes for which it was collected or when the retention period has expired (and no legal exception requires further retention), we destroy it as follows:

• Electronic data: Deletion using technical means that prevent recovery, or secure overwriting; where the data is held by a processor, we require the same standards by contract.
• Paper or physical records: Shredding, incineration, or other secure destruction so that the information cannot be reconstructed.
• Timing: Destruction is carried out within a reasonable period (e.g., within 30 days) after the purpose has been achieved or the retention period has ended, unless we are required to retain the data by law.

We do not sell your personal information. We share personal information only as described below. Under Korean law, a distinction is made between (a) provision to third parties (제3자 제공) and (b) entrustment/outsourcing (위탁); we describe both.

6.1 Provision to third parties (제3자 제공)

We may provide personal information to the following categories of third parties for the stated purposes:

• Tour / experience providers: To fulfill your booking (e.g., name, contact, booking details). They are independent operators; their use of your data is governed by their own policies and our agreements with them.
• Payment processors: When we offer online or card payment, we may provide information to the payment processor we use to process payments (e.g., billing information as required by the processor). We do not store full payment card numbers.
• Legal and regulatory authorities: When required by law, court order, or government request, or to protect our rights and safety.

6.2 Entrustment / outsourcing (위탁)

We entrust the following activities to service providers who process personal information on our behalf under contract. We select them with care and require appropriate safeguards and use limitations:

• Hosting and infrastructure: Cloud and hosting providers (e.g., Vercel, Supabase or similar) for website and database hosting.
• Email and communications: Email delivery and support tools (e.g., Resend) for transactional and support emails.
• Analytics and monitoring: Services that help us understand usage and fix errors (e.g., analytics, error tracking), where configured to minimize identification.

We do not allow our service providers to use your personal information for their own marketing or to sell it. We disclose only what is necessary for the contracted service.

We do not sell personal information as defined under the California Consumer Privacy Act (CCPA) and similar U.S. state laws. We do not "share" personal information for cross-context behavioral advertising. We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.

We use cookies and similar technologies (e.g., local storage, pixels) to:

• Enable essential website and platform functionality (e.g., session, authentication, preferences).
• Improve performance and user experience (e.g., load balancing, language/locale).
• Analyze how our site is used (e.g., analytics) and to detect and prevent fraud or abuse, where permitted by law.

You can control cookies through your browser settings and, where we offer it, through a cookie preference or consent mechanism on our website (e.g., in the footer). Blocking certain cookies may affect some features of the site.

We implement technical and organizational measures to protect personal information against unauthorized access, alteration, disclosure, or destruction, including:

• Encryption in transit (e.g., TLS) and, where appropriate, at rest.
• Access controls and authentication (e.g., role-based access, strong passwords).
• Contractual and oversight requirements for processors that handle personal information.
• Regular review of our practices and, where appropriate, updates to security measures.

No method of transmission or storage is 100% secure. We encourage you to use a strong password and to avoid sharing account credentials.

We operate in the Republic of Korea and the United States. Personal information may be stored or processed in either jurisdiction or in other countries where our service providers operate. Where we transfer data from Korea, the EU, or other jurisdictions that restrict transfers, we implement appropriate safeguards (e.g., standard contractual clauses, adequacy decisions, or other mechanisms recognized by the relevant authority) to ensure your data receives an adequate level of protection.

Depending on your location, you may have the following rights. We will not discriminate against you for exercising these rights.

Rights under Korean law (PIPA)

• Access: Request access to the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete personal information.
• Deletion: Request deletion of your personal information, subject to exceptions required by law.
• Suspension of processing: Request that we suspend processing of your personal information in certain circumstances.
• Withdrawal of consent: Where processing is based on consent, you may withdraw consent at any time.

Rights under U.S. state laws (e.g., California CCPA/CPRA)

• Right to know: Request disclosure of the categories and specific pieces of personal information we have collected, the categories of sources, purposes, and categories of third parties we share with.
• Right to delete: Request deletion of your personal information, subject to applicable exceptions.
• Right to correct: Request correction of inaccurate personal information.
• Right to opt-out of sale/sharing: We do not sell or share for cross-context behavioral advertising; if that changes, we will provide an opt-out.
• Right to limit use of sensitive personal information: Where we use sensitive personal information beyond what is necessary to provide the service, you may have the right to limit such use (we use sensitive data only as necessary).
• Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.

How to exercise your rights

To exercise any of the above rights, please contact us at:

• Email: support@atockorea.com (subject line: "Privacy Request")
• Phone: support@atockorea.com
• Mail: AtoC Korea, LLC, #221-8, 284 Gilju-ro, Wonmi-gu, Bucheon-si, Gyeonggi-do, Republic of Korea

We will verify your identity before processing your request and respond within the time required by applicable law (e.g., 30–45 days for CCPA requests, or as required under Korean law). If you are a California resident and are not satisfied with our response, you may contact the California Attorney General or lodge a complaint with the California Privacy Protection Agency. In Korea, you may contact the Personal Information Protection Commission (PIPC) or the relevant authority.

Our services are not directed to individuals under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us at support@atockorea.com and we will delete it promptly. We do not have actual knowledge that we sell or share the personal information of consumers under 16.

We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the "Last updated" date. For material changes that affect how we use your personal information, we will provide additional notice (e.g., by email or a prominent notice on our site) and, where required by law, obtain your consent. We encourage you to review this policy periodically.

For questions about this Privacy Policy, to exercise your rights, or to report a concern, you may contact our privacy contact:

• Entity: AtoC Korea, LLC
• Korea operations: AtoC Korea, Korea — local tour operations and partner management (General Travel Business; Business Registration No. 277-01-03977)
• Contact: support@atockorea.com
• Phone: support@atockorea.com
• Address: #221-8, 284 Gilju-ro, Wonmi-gu, Bucheon-si, Gyeonggi-do, Republic of Korea

For purposes of the Republic of Korea's Personal Information Protection Act, the above contact serves as the point of contact for personal information-related inquiries. We will respond to legitimate requests in accordance with applicable law.

This section describes how our application accesses, uses, stores, and protects information received from Google APIs when you choose to sign in with Google. AtoC's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

15.1 Data Accessed

We request only the minimum scopes required to operate the sign-in feature:

• openid — to authenticate the user via Google's OpenID Connect.
• profile — to read your name, profile picture URL, and locale, used to personalize your account.
• email — to read your primary email address, used as the unique identifier of your account and for transactional booking communication.

We do NOT request access to Gmail content, Google Calendar, Google Drive, Google Contacts, Google Photos, YouTube, or any other restricted scope. We do not request offline access or refresh tokens beyond the active session.

15.2 How We Use Google User Data

Google user data is used solely to operate user-facing features you have requested:

• To create and authenticate your AtoC Korea account (a single AtoC account is keyed to the Google email address you sign in with).
• To pre-fill your name and profile photo on your account page so you can recognize the signed-in identity.
• To send transactional booking communications (booking confirmation, pickup time, cancellation receipt) to the email address provided by Google.
• To detect duplicate accounts and to support customer-service requests you initiate.

We do NOT use Google user data for advertising, do not sell or rent it, do not transfer it to third parties for advertising, and do not use it to train, evaluate, or improve generalized AI / ML models. Human review of Google user data is limited to (a) explicit user consent, (b) security investigations, (c) legal compliance, or (d) as needed to provide a user-facing feature you requested. These uses comply with the Google API Services User Data Policy, including the Limited Use requirements.

15.3 How We Share Google User Data

• Service providers (sub-processors). We share the minimum data needed with the following processors operating on our behalf under contractual data-protection obligations: Supabase, Inc. (managed PostgreSQL hosting and authentication), Vercel Inc. (web hosting), Stripe, Inc. (payments), Resend, Inc. or comparable transactional-email providers (delivery of booking emails). Each processor only receives the fields required for its function.
• No sale, no advertising sharing. We do not sell Google user data and do not share it with advertisers, ad networks, data brokers, or analytics providers that use it for cross-context behavioral advertising.
• Legal disclosure. We may disclose Google user data when required by law, valid legal process (subpoena, court order), or to protect the rights, safety, or property of AtoC, our users, or the public.
• Corporate transactions. If we are involved in a merger, acquisition, financing, or asset sale, Google user data may be transferred subject to the acquirer's commitment to honor this Privacy Policy.

15.4 Storage and Protection

• Account records (including the email and profile fields received from Google) are stored in encrypted PostgreSQL databases managed by Supabase, hosted in the Asia-Pacific region (Seoul / Singapore) with daily automated backups.
• Data in transit is protected with TLS 1.2 or higher. Data at rest is encrypted at the disk-volume level (AES-256). Access to production data is restricted to a small number of named engineers under role-based access control with audit logging.
• Authentication tokens issued by Google are kept only for the duration of your active session and are revoked when you sign out, change your password, or delete your account. We do not persist long-lived Google OAuth refresh tokens.
• Database row-level security policies prevent any user from reading another user's personal data. Application secrets and API keys are stored in encrypted environment variables, never in code or version control.
• We perform regular security reviews, dependency vulnerability scans, and incident-response drills. We will notify affected users and the relevant data-protection authority of any qualifying personal-data breach within 72 hours of becoming aware, as required by applicable law.

15.5 Retention and Deletion

• Active accounts. We retain your account data (including the Google email and profile fields) for as long as your account is active.
• Inactive accounts. Accounts with no sign-in activity for 24 consecutive months are automatically scheduled for deletion after a 30-day grace-period notice sent to the email on file.
• Booking records. Confirmed booking records are retained for 5 years from the tour date to comply with Korean commercial-law and tax recordkeeping obligations, after which they are permanently deleted or irreversibly anonymized.
• User-initiated deletion. You may delete your account and the associated Google user data at any time from My Page → Settings → Delete Account, or by emailing support@atockorea.com.
• Revoking Google access. You may also revoke our application's access to your Google account at any time at myaccount.google.com/permissions.