AngkorPoint Privacy Policy

Article 1 (Objectives and Items of Personal (Credit) Information Processing)

1. The company collects the minimum necessary personal (credit) information required for service provision, which is categorized as follows:

   1. Required Information: Essential information required for performing the fundamental functions of the service.

   2. Optional Information: Additional information collected to provide more specialized services (No restriction on service usage if optional information is not provided).

      
      

2. The company does not collect personal (credit) information of children under the age of 12.

   
   

3. The objectives and items of personal (credit) information processing as per the company's service usage are as follows:

<Processing Objectives and Items of Personal (Credit) Information>

Common Objectives:

• Purpose: Customer identification, membership registration, self-verification and authentication, contract conclusion, maintenance, execution, management, improvement, compliance with legal obligations, accident investigation, consultation, and complaint/dispute handling, record preservation, and performing customer due diligence.

• Usage: Services used through the AngkorPay platform (points, transfers, payments, memberships, bills, My Documents, etc.), input convenience, billing settlement.

• Account and card registration, validity check, QR/barcode generation and usage, prize and product delivery, notification and benefit provision.

• Prevention of unfair usage for maintaining a healthy credit order, confirmation of domestic/international usage, service usage feasibility check.

• Statistics and analysis, pseudonymization and anonymization, personalized service provision, service research, and improvement.

  
  

  * Common objectives apply to individual services as well.

Personal (Credit) Information Items:

• [General Personal (Credit) Information]

  • (Required) Name, date of birth, gender, mobile number, CI (connection info), DI (duplicate registration info), Screen name, email address, address, AngkorChat account, profile information (screen name, profile picture), customer identification ID, password.

    
    

• [Financial Transaction Information]

  • (Required) Account information (bank name, account number, account holder's name, etc.)

  • (Required) Card information (card issuer, card number, expiration date, 2-digit password, CVC (4DBC), etc.)

  • (Required) Transaction information (transaction setting info, transaction counterparts and details, etc.)

  • (Required) Payment information (payment method, merchant/product name/amount/payment date/installments, QR/barcode scan and payment info, points, etc.)

    
    

• [Other Information]

  • (Required) Service usage content and records, consultation content, partner identification number, membership number, public electronic address, received documents.

  • (Required) Information collected/generated during service usage, connection time, cookies, IP address, device info (OS, screen size, unique device ID, advertising ID, device status and settings, MCC/MNC country info, LTE/WIFI network info, etc.)

    
    

  *Common items of personal (credit) information are also used in individual services.

Payment:

• Purpose: Transfer and payment using AngkorPay, service usage within AngkorPay, billing settlement.

• Account confirmation and validity check needed for usage.

• Card registration and payment, card management, points accrual, consultation, and complaint handling.

• Statistics and analysis, pseudonymization and anonymization.

Membership:

• Purpose: Membership registration and linkage, points usage and accrual.

• (Required) Name, mobile number, date of birth, gender, CI (connection info).

Angkor Pay Event Points:

• Purpose: Points issuance.

• (Required) Customer identification ID.

My Documents:

• Purpose: Issuance, registration, and termination of public electronic addresses, sending/receiving/viewing and managing electronic documents, issuance of electronic document circulation certificates, service usage.

• (Required) Name, CI (connection info), public electronic address, service usage history.

Receipts:

• Purpose: Service subscription and usage, creation and sending of electronic receipts, viewing, cost settlement, receipt management, analysis, and provision of customized information services.

• (Required) AngkorChat account, mobile number, CI (connection info), electronic receipt items, membership number, detailed receipt info.

Customer Consultation:

• Purpose: Handling of 1:1 inquiries and notifications, statistics, analysis, service research and improvement, prevention of misuse, preservation of records for dispute resolution, etc.

• (Required) Customer identification ID, email address, inquiry content (name, mobile number, account number, and other personal info entered by the customer), AngkorPay service usage history, attachments, inquiry history.

Marketing and Advertising:

• Purpose: Transmission of advertisement information through app push, text (Noti-Chat), email, providing marketing of AngkorPay and third-party news, products, benefits, events, advertisements, customized services, service research and improvement, statistics and analysis.

• (Optional) Registration information (name, date of birth, phone number, email address, gender, address, etc.), AngkorPay service usage information, information collected/generated and verified during usage.

Notwithstanding clauses 1 to 3, the company may collect and use personal (credit) information in the following cases:

1. When it is unavoidable to comply with legal obligations or special provisions under law.

   
   

2. When necessary to fulfill a contract with the user or to take measures requested by the user during the contract formation process.

   
   

3. When it is deemed necessary for the urgent interests of the user or a third party's life, body, or property.

   
   

4. Information disclosed or made public according to laws.

   
   

5. Information disclosed or made public through mediums like publication, broadcasting, or through government websites, in accordance with relevant laws.

   
   

6. When necessary for achieving the company's legitimate interests, and these interests clearly take precedence over the rights of the user. This is limited to cases where there is a significant relation to the company's legitimate interests and does not exceed a reasonable scope.

   
   

7. Information that the user has made public themselves via social media, either directly or through a third party. In this case, the scope of information is limited to what can be objectively recognized as being with the user's consent, considering the following:

   
   

   • The nature of the disclosed personal (credit) information, form of disclosure, range of targets, and the user’s intended purpose for disclosure.

   • The nature of the company's personal (credit) information processing.

   • Whether the collection purpose is significantly related to the user’s original purpose of disclosure.

   • Whether the range of disclosure targets changes due to information provision.

   • The nature and value of the personal (credit) information and the socio-economic necessity for its use.

     
     

8. In cases urgently needed for public health, safety, and welfare.

   
   

9. The company may use personal (credit) information, considering the following aspects, to determine if it is within a reasonable scope related to the original collection purpose and whether it causes disadvantage to the user, and whether measures like encryption are taken for security:

   
   

   • Whether it is related to the original purpose of collection.

   • The predictability of additional use or provision of personal (credit) information, based on the context of collection and processing practices.

   • Whether it unfairly infringes upon the interests of the user.

   • Whether measures like pseudonymization or encryption are taken for security.

Article 2 (Processing and Retention Period of Personal (Credit) Information)

1. The company processes and retains personal (credit) information within the consented processing and retention period, as follows:

   1. Financial Transaction Information: Personal (credit) information of the user is deleted from management targets within a maximum of 5 years from the end of the commercial relationship (or within 3 months from the date the purpose of collection/provision is achieved, if earlier). (Here, the end date of the commercial relationship refers to the termination of the relationship between the company and the customer due to the expiration, exercise of termination/rescission/cancellation rights, completion of the statute of limitations, settlement of claims, or other reasons according to relevant laws, terms, or agreements.)

   2. Personal (Credit) Information other than Financial Transaction Information: Retained until the user withdraws from AngkorPay.

      
      

2. Notwithstanding paragraph 1, the company separately stores personal (credit) information in the following cases:

   1. When unavoidably required to fulfill legal obligations. In this case, the legal obligation period for preserving personal (credit) information is as follows:

      • Important business documents (including electronic data) such as contracts and transaction applications: 10 years.

      • Financial transaction information, including relationship setup and transaction details: 5 years.

      • Records related to electronic financial transactions and fraudulent transactions: 5 years.

      • Information regarding the sender and recipient of financial transactions required for real-name verification and reporting: 5 years.

      • Records related to consumer complaints or dispute resolution: 3 years.

      • Records related to display and advertising: 6 months.

      • Records of contract or withdrawal of offer, payment, and supply of goods: 5 years.

      • Public electronic addresses and electronic document distribution information: 10 years.

      • All transaction-related books and supporting documents as per tax laws: 5 years.

        
        

   2. When deemed necessary for the urgent interests of the individual’s life, body, or property.

      
      

   3. When using pseudonymized information, considering the purpose and necessary minimum duration, technical characteristics of pseudonymization, nature of the information, additional information and protection level of pseudonymized information, re-identification possibility, and impact on the user upon re-identification, and preserving it for the duration set during pseudonymization.

      
      

   4. In any of the following cases:

      • When personal (credit) information of the user related to acts that disrupt the sound credit order, such as loan fraud, insurance fraud, transactions using credit card information obtained through false or fraudulent means, is needed.

      • For the development of risk management systems and credit evaluation and risk management models for users. In this case, except for unavoidable cases under other laws, measures are taken to ensure that the individual user cannot be identified.

      • When necessary to achieve the legitimate interests of the company or a third party, and these interests clearly take precedence over the rights of the user. This is limited to cases where there is a significant relation to the legitimate interests of the company or third party and does not exceed a reasonable scope.

      • When the user has explicitly expressed their wish not to delete their personal (credit) information before deletion.

      • When the deletion of personal (credit) information, due to the technical nature of information processing, harms the safety and security of the credit information system, but measures are taken, such as deleting information necessary for re-identification or linkage.

Article 3 (Provision of Personal (Credit) Information to Third Parties)

1. The company, as a principle, does not provide users' personal (credit) information to third parties. If it is necessary to provide personal (credit) information to third parties, the company is committed to informing the user in advance and obtaining their consent.

   
   

2. Notwithstanding paragraph 1, the company may provide users' personal (credit) information to third parties in the following cases:

   1. When it is deemed necessary for the urgent interests of the life, body, or property of the user or a third party.

   2. When it is unavoidable to comply with a special provision in other laws or fulfill legal obligations.

   3. When providing personal (credit) information for the purpose of entrusting the processing of such information.

   4. When providing information in accordance with a court's order for submission or a warrant issued by a judge.

   5. When providing pseudonymized information for the purpose of statistics compilation, research, or preservation of public-interest records (statistics compilation includes commercial purposes like market research, and research includes industrial research).

   6. When providing personal (credit) information to data-specialized institutions for the purpose of combining information collections.

   7. When urgently needed for public health, safety, and well-being.

   8. The company can provide users' personal (credit) information considering the following factors:

      • Whether it is related to the original purpose of collection.

      • Whether there is a possibility of further use or provision of personal (credit) information, considering the circumstances under which it was collected or processing practices.

      • Whether it unfairly infringes upon the interests of the user.

      • Whether necessary measures such as pseudonymization or encryption for ensuring safety have been implemented.

Article 4 (Processing of Personal Location Information)

1. The company processes personal location information for the following purposes:

   1. To prevent fraudulent transactions and protect transaction safety by verifying the location in financial transactions.

   2. To provide information about merchant/partner locations, nearby businesses, coupons, discounts, products, and advertisements when using payment services.

      
      

2. The company, in principle, retains personal location information until the purpose of its use/provision is achieved.

   
   

3. If the company intends to provide services using personal location information, it will obtain the consent of the subject of personal location information after specifying this in the terms and conditions.

   
   

4. Based on the Act on the Protection and Use of Location Information, the company automatically records the materials for verifying the fact of collection/use/provision of personal location information related to the subject and retains them for more than six months.

   
   

5. The company immediately destroys personal location information once the purpose of its use/provision is achieved. (However, materials for verifying the fact of collection/use/provision of location information retained under related laws are kept for more than six months.)

   
   

6. When destroying personal location information or materials for verifying the fact of collection/use/provision of location information, the company ensures that the data is irrecoverable by using technical methods that prevent regeneration of the records or through measures such as shredding or incineration.

   
   

7. The company does not provide personal location information to third parties without the consent of the subject of personal location information. In cases where third-party provision services are offered, the recipient and the purpose of provision are notified to the subject in advance, and consent is obtained. (Exceptions are made according to legal provisions or when requested by investigative agencies for investigative purposes in accordance with the procedures and methods prescribed by law.)

   
   

8. When the company provides personal location information to a third party designated by the member, it immediately notifies the member of the recipient, the time of provision, and the purpose of provision through the communication terminal device that collected the personal location information. (However, in the following cases, notification is made to the communication terminal device or email address specifically designated by the member in advance.)

   • If the communication terminal device that collected the personal location information does not have the function to receive text, voice, or video.

   • If the member has previously requested notification through online posting or other methods.

Article 5 (Procedures and Methods for Destruction of Personal (Credit) Information)

1. The company immediately destroys personal (credit) information when it becomes unnecessary, such as after the expiration of the personal (credit) information retention period or upon the achievement of the processing purpose.

   
   

2. If the retention period for personal (credit) information consented to by the user has expired or the processing purpose has been achieved, but the information needs to be retained according to other laws, the company will transfer such personal (credit) information to a separate database (DB) or store it in a different location.

   
   

3. When destroying personal (credit) information according to paragraph 1, the procedures and methods for destruction are as follows:

   1. Destruction Procedure: The company selects personal (credit) information for which a reason for destruction has occurred and destroys it according to the methods mentioned below.

   2. Destruction Method: Personal (credit) information recorded/stored on paper documents is destroyed by shredding or incineration. Personal (credit) information recorded/stored in electronic file format is deleted using dedicated erasure equipment (equipment that uses magnetic fields to delete data from storage devices) or by performing initialization or overwriting to ensure that the data cannot be restored. However, if it is significantly difficult to destroy information in such ways due to technical characteristics, the information is processed as anonymous information to ensure it cannot be restored.

Article 6 (Measures to Ensure the Safety of Personal (Credit) Information)

1. The company takes measures to ensure the safety of personal (credit) information in accordance with the Personal Information Protection Act and other related laws. The specific contents of these measures are as follows:

   1. Administrative Measures: Establishment and implementation of internal management plans, operation of dedicated organizations, regular employee training, etc.

   2. Technical Measures: Management of access rights to personal information processing systems, installation of access control systems, encryption of personal (credit) information, installation and updating of security programs, etc.

   3. Physical Measures: Access control to computer rooms, data storage rooms, etc.

Article 7 (Installation, Operation of Automatic Personal (Credit) Information Collection Devices, and Their Refusal)

1. The company uses 'cookies' to store and frequently retrieve usage information in order to provide personalized services to users. The use of cookies is as follows:

   1. Purpose of Using Cookies: Cookies are used to identify users' visit and usage patterns of each service and website, popular search terms, and whether they are securely connected. This information is then used to provide optimized information to the user.

   2. Installation, Operation, and Refusal of Cookies: You can refuse the storage of cookies by setting the options in the Privacy menu under Tools > Internet Options at the top of the web browser.

   3. If you refuse to store cookies, there may be difficulties in using personalized services.

      
      

2. Cookies are small pieces of information sent by the server operating the website to the user's computer browser and may also be stored on the hard disk of users' PCs.

Article 8 (Collection, Use, and Refusal of Behavioral Information)

1. The company collects and uses behavioral information to provide users with personalized services and benefits optimized for their usage, as well as advertisements based on behavioral information, during the service usage process.

   
   

2. The company collects behavioral information as follows:

   1. Collected Behavioral Information: User's website and app service visit history, search history.

   2. Method of Collecting Behavioral Information: Automatically collected when the user visits or runs websites and apps.

   3. Purpose of Collecting Behavioral Information: To provide personalized product recommendation services (including advertisements) based on user interests and preferences.

   4. Retention, Usage Period, and Subsequent Information Processing Method: Destroyed after 1 year from the collection date.

      
      

3. The company allows advertisers using behavioral information to collect and process such information.

   
   

4. The company collects only the minimum necessary behavioral information required for advertisements and does not collect sensitive behavioral information that can distinctly infringe on individual rights, interests, or privacy, such as thoughts, beliefs, family and kinship relations, educational and medical history, or other social activities.

   
   

5. The company does not collect behavioral information for targeted advertising from children known to be under 12 years old and does not provide advertisements using behavioral information to such children.

   
   

6. For advertisements using behavioral information in mobile apps, the company collects and uses advertising identifiers. Users can block or allow advertisements using behavioral information in apps through changes in the settings of their mobile devices. (However, the menu and method may slightly vary depending on the mobile OS version.)

   1. Android: Settings > Privacy > Ads > Reset Advertising ID or Delete Advertising ID.

   2. iOS: Settings > Privacy > Tracking > Turn off Allow Apps to Request to Track.

      
      

7. Users can inquire about issues related to behavioral information, exercise their right to refuse, and report damages through the company's customer service (pay@angkorchats.com).

Article 9 (Processing of Pseudonymized Information)

1. The company may pseudonymize and utilize personal (credit) information for purposes such as statistical compilation (including commercial purposes), scientific research (including industrial research), and preservation of public interest records.

   
   

2. Pseudonymized personal (credit) information ("pseudonymized information") is retained and used until the purpose (point in time) determined at the time of establishing the pseudonymization plan is achieved.

   
   

3. The company takes the following measures to ensure the security of pseudonymized information:

   1. Administrative Measures: Establishing and implementing internal management plans, regular employee training, etc.

   2. Technical Measures: Managing access rights to pseudonymized information, access control, preventing re-identification, installing security programs, etc.

   3. Physical Measures: Access control to computer rooms and data storage rooms, etc.

Article 10 (Access Permissions for AngkorPay App)

The access permissions that the AngkorPay app requires during its use are as follows:

1. Essential Access Permissions

   • Telephone: Access to phone status and device identification.

     
     

2. Optional Access Permissions

   • Camera: Used for scanning codes or taking photos during money transfer and payment processes.

   • Location Information: Used for confirming location during money transfer and payment.

   • Storage: For saving QR images.

     
     

3. You can use the AngkorPay app without agreeing to the optional access permissions. However, if you do not agree to these permissions, the use of certain services requiring these functions may be limited.

Article 11 (Changes to Personal Information Processing Policy)

The company will notify and implement any changes to the personal information processing policy through a notice in advance.

<Effective Date of Personal Information Processing Policy: January 1, 2024.>