50% Discount Coupon

Privacy Policy

Effective Date : May 18, 2023

The current Terms of Use is posted below (last updated: May 18, 2023). Click here to view the previous version

General Data Protection Policy

This Privacy Policy explains how 4by4 Inc. (“Company”) processes the personal data of our users, including without limitation, the options that a user selects for the collection, utilization and disclosure (provision) of user’s certain data.

For the purpose of data protection of our users in compliance with the Personal Information Protection Act of the Republic of Korea as well as the General Data Protection Regulation (the “GDPR”) of the EU, Company maintains a record of processing activities (Article 30, GDPR), designates a Data Protection Officer (DPO) to operate our business in accordance with the GDPR (Article 37, GDPR), implements Data Protection Impact Assessment (DPIA) under the supervision of the Data Protection Officer (Article 35, GDPR) and trains our employees for data protection (Article 39, GDPR).

Company has established a legal framework to process personal data including sensitive data (Articles 6 and 9, GDPR) and is acquiring the explicit consent of the data subject in processing user’s personal data (Article 7, GDPR). We have the explicit consent of a data subject in case of automated individual decision-making, including profiling (Article 22, GDPR) and the consent of the holder of parental responsibility over a child for a child’s data processing, in which case we make reasonable efforts to verify whether such consent is given or authorized by the lawful person, taking into consideration available technology (Article 8, GDPR). Additionally, in case of transferring personal data to other countries, Company has the explicit consent of a data subject (Article 49, GDPR).

Company enables a data subject to exercise user’s rights guaranteed by the GDPR as follows: the right to receive data (Articles 13 and 14, GDPR), the right to access (Article 15, GDPR), the right to rectification (Article 16, GDPR), the right to erasure (Article 17, GDPR), the right to restriction of processing (Article 18, GDPR), the right to data portability (Article 20, GDPR), the right to object (Article 21, GDPR) and the right not to be subject to an automated individual decision-making, including profiling (Article 22, GDPR).

Company is in compliance with the obligations of data protection by design and by default (Article 25, GDPR). And Company implements technical and operational measures reasonably necessary to prevent data from leakage and breach (Article 32, GDPR). We notify personal data breach to the supervisory authority within 72 hours after having become aware of a breach (Article 33, GDPR) and communicate a personal data breach to a data subject without delay if the personal data breach is likely to result in a high risk to the rights and freedom of data subjects (Article 34, GDPR).

This Privacy Policy may be used as proof that Company is in compliance with the requirements of the GDPR.

Overview of Privacy Policy for User

If Company directly collects personal data from a data subject, we will comply with the obligations of Article 13 of the GDPR.

In case of transferring personal data to other countries for the provision of services, Company will comply with Article 49 of the GDPR by obtaining the explicit consent of the data subject.

Data Protection Officer (DPO) and Contact

The service provider and controller of personal data is as follows:

  • Controller of Personal Data (“Controller”)
  • 4by4 Inc.
    12-14F, 479, Gangnam-daero, Seocho-gu, Seoul, Korea 06541

    Company is Controller and is responsible for data protection of users and designates Data Protection Officer (DPO) as stated below to handle the user’s data protection related complaint and resolve issues, if any. The contact information of Data Protection Officer (DPO) and Company’s Data Protection Department are as follows.

  • Data Protection Officer (DPO)
  • Name: Inho Choi
    Department: KEYCUTstock Business Division
    Position: Head of Division
    Tel.: +82 2-545-9953
  • Data Protection Department
  • Name: Donghoon Kim
    Department: Development Team
    Position: Team Leader
    Tel.: +82 2-545-9953

    Users can submit all personal data protection related complaints that may arise when using Company’s services to the DPO or the Platform Development Team, which is the Data Protection Department. Company will give users sufficient responses to inquiries.

    If a user contacts Company for assistance related to data protection, Company may need to authenticate the identity of the user before resolving the request for the user’s and our safety.

    Personal Data to be Processed and Purpose of Process

    The personal data of users to be processed by Company and the purpose of processing each personal data are as follows. The personal data being processed shall not be used for any purpose other than the following, and if the purpose of using the personal data is changed, Company will take the necessary measures such as obtaining individual consent from users.

    Personal data requested to be provided to Company are classified into required data and optional data depending on the activity details. When required data regarding certain activities are not provided, users cannot participate in such activities.

  • Personal data provided by users to Company
  • -For the purposes of verifying identity, providing age-restricted services, processing complaints, etc. for use of Company’s services : (Required data) Name, date of birth, ID, password

    -For the purpose of providing services to our corporate member, etc. : (Required data): Company name, department, title, industry, company phone number, fax number, company address

    -For the purposes of securing accurate delivery address for bills, products, and giveaways, delivery of notice, confirmation of intent, securing effective communication method such as complaint processing and new service development: (Required data) Email address, phone number, mobile number, address

    -For the purpose of marketing and advertisement: (Optional data): Email address, phone number, mobile number, address

    -For the purpose of using paid information and contents, payment and refund for product purchase/lease: (Required data): Bank account number, credit card information, transaction records

  • Personal data produced or automatically collected by Company
  • Company may collect the personal data of users listed below for the specified purposes while using the service. If a user refuses to do so, there may be inconveniences in using the service or difficulties for Company in providing the service.

    -For the purposes of preventing improper use, preventing unauthorized use, developing new service, and providing custom service: Access log, access IP information, cookies, service use records, frequently used websites

    -For the purpose of providing services and settling payment: Profile data such as user’s name and password, detailed purchase information and information on licensed contents

    Use of Personal Data

    Company uses personal data to provide, analyze, administer, enhance and personalize services and marketing, to process registration, orders and payments, and to communicate with user on these and other topics.

    Company uses personal data for:

    -Authentication and provision of access authority for KEYCUTstock website, mobile applications, and services

    -Processing financial transactions for users

    -Transmission or order, renewal confirmation

    -(If applicable) Registration of authority for users for technical support provided to registered users or other benefits

    -Response to customer service requests, inquiries and considerations

    -User account management

    -Transmission of product or service information requested by users

    -Provision of data regarding benefits and services of KEYCUTstock and designated third party

    -Provision of promotion, giveaway management and results participated by users

    -Investigation into illegal activities in breach of KEYCUTstock service agreement, prevention and actions against such activities

    -Research and product service development, and improvement of KEYCUTstock website, service and product

    -Provision of customized services such as service, search results, and product provision appropriate for users

    Method of Collection and Grounds for Collection

    Company collects personal data of users in the following manner in compliance with Article 6(1)(a) of the GDPR and Article 15 Paragraph 1 Item 1 of the Personal Information Protection Act:

    -Collection when users enter personal data or provide personal data to Company through website, mobile devices, document, fax, phone, customer center inquiry, and event or when Company creates personal data in the process of using the service, with the prior consent of the users

    -Collection through provision of personal data through affiliated services or organizations

    -Collection through Company’s automatic collection system, such as cookie

    Processing and Retention Period of Personal Data

    Personal data shall be destroyed immediately after attaining its purpose of processing as a general rule. Processing and retention period of each personal data are as follows.

    -Membership data: By membership cancellation date

    -Payment data: By payment completion date or debt repayment date, whichever comes later

    -Data collected for surveys or events: By the time of concluding the surveys or events

    In addition, Company shall destroy personal data without delay if we close our business, or if users request the destruction of personal data or withdraw their consent to collection and use of personal data. Provided that Company shall retain the personal data for a certain period of time as specified in the relevant laws when there is a necessity to retain the data due to relevant laws.

    -Processing and retention under the Act on the Consumer Protection in Electronic Commerce

    -Records of contract or subscription withdrawal: 5 years

    -Records on payment and contents supply: 5 years

    -Records on marks and advertisements: 6 months

    -Records of website use and visit, access log, access IP under the Protection of Communications Secrets Act: 3 months

    -Records on electronic financial transactions under Electronic Financial Transactions Act: 5 years

    Even when the retaining period of user’s personal data has elapsed or the purpose of processing it has been achieved, if it is necessary for Company to continue to retain the personal data in accordance with internal policies or other laws, Company shall move the personal data concerned to a separate database or store it in a different storage place.

    Company shall store and manage the personal data of users who have not used the service for one (1) year separately from other users’ personal data in accordance with the ‘personal data validity period plan’ pursuant to Article 39-6 of the Personal Information Protection Act and Article 48-5 of the Enforcement Decree of the same Act.

    Company shall notify the users of the fact that the users’ personal data will be stored and managed separately, the scheduled date of separate storage and management, and the items of personal data to be stored and managed separately, by available methods such as in writing or by e-mail thirty (30) days prior to the separate storage and management of users’ personal data. If users do not wish to store and manage the personal data separately, users should use Company's services by logging in before we implement the separate storage. Company will keep the separated personal data for four (4) years and then destroy it without delay, but the user may log in to Company's service before it is destroyed and restore the separated personal data.

    In addition, the following personal data may be retained by Company for the minimum period specified below to attain its purpose of preventing other significant damages to Company or in preparation for other criminal and legal proceedings even if there are no legal basis.

    -Identity data to prevent re-joining after the membership has been cancelled: Until 7 days after cancellation

    -Identity data for transaction refusal when the member has been dismissed according to user agreement: Until 1 year after dismissal

    -Draft service records: Until the end of 3 years for protection of copyrights and licenses

    -Download service records: Until the end of 15 years for protection of copyrights and licenses

    Disclosure of Personal Data (Provision of Personal Data to Third Party and Consignment of Personal Data Processing)

  • Provision of personal data to third party
  • Company processes personal data for the limited purpose of processing personal data and will, in principle, neither process it beyond such scope nor disclose or provide it without user’s prior consent. However, if Company discloses/provides personal data of users to any third party, Company will notify the user of and obtain user’s consent to the following: recipients, purpose to use personal data, items to be disclosed, a period during which data is retained and used, the notice that a user can disagree to disclosure, and disadvantage, if any as a result of such disagreement. Provided that personal data of a user may be disclosed/provided to any third party if and to the extent that it falls under Article 17 and Article 18 of the Personal Information Protection Act.

  • Consignment of personal data processing
  • Company has consigned the process of personal data as follows for the provision of certain services necessary for smooth processing of personal data. Company has stipulated matters on prevention of personal data processing for purposes other than the outsourced purpose, technical and managerial safeguards of personal data, restriction on re-consignment, management, supervision of the consigned company, responsibility for compensation, etc. in a written agreement in accordance with the relevant laws such as the Personal Information Protection Act, and Company manages and supervises the consigned company so that it will not violate the laws related to protection of personal data in order to ensure the safe management of personal data. The consigned companies and the details of the consigned work are as follows:

    Consigned Company
    Consigned Work
    Retention and use period of personal data
    Provide payment method
    Google LLC
    Provide user analysis tool
    Until membership cancellation or termination of consignment agreement
    Amazon Web Service (AWS Kor)
    Provide Cloud IT infrastructure

    Company shall disclose through this Privacy Policy without delay if the contents of the consignment or the consigned companies are changed.

    Need to Collect Personal Data

    Company needs the personal data of users for the service use contract between a user and Company and the smooth delivery of the services therein. Users are restricted from using Company’s services unless they give consent to the essential personal data that Company collects. However, users may refuse to provide optional personal data, and even if users do not consent to the collection of such data, they will still be able to use Company’s services except those that require the provision of optional personal data.

    Cross-border Transfer of Personal Data

    Company may transfer users’ personal data to companies located in other countries or other companies or manage users’ personal data in other countries for any purpose specified in this Privacy Policy. Company will take reasonable measures where the personal data is transmitted to, retained or processed by other companies in order to protect the data. Company may transfer users’ personal data to other countries after obtaining the explicit consent for transfer of personal data to third countries (Article 49 Paragraph 1 (a), GDPR). Within the EU, transfer of personal data to other countries may take place where the Commission has decided that the country in question ensures an adequate level of protection, without the consent of a user, subject to appropriate safeguards (Articles 45 and 46, GDPR).

    Entities that are transferred the personal data and its subject shall be as follows.

    Transferred entities and Contact information of the Controller
    Transferred country
    Personal data to be transferred
    Purpose of transferee, retention, use period and transferring date and time, and method
    PAYPAL Pte. Ltd.(General Agent Co., Ltd.,
    Purpose : To compile website user statistics and improve service
    Period : Until membership withdrawal or termination of
    consignment agreement Date, time and method of Transfer : From time to time through information and communication networks during the service provision process
    Google (
    Access date and time, records on service use, access IP information, Cookie
    Purpose : To compile website user statistics and improve service
    Period : Agreement termination date or 36 months from collection date, whichever comes first
    Date, time and method of Transfer : Transfer through an encrypted network when providing services
    Amazon Web Service
    Japan, U.S
    Personal information and log information collected during use of the service
    Purpose : Data storage for providing services and operation of services
    Period : For the duration of user’s membership
    Date, time and method of Transfer : Transferred through telecommunications network from time to time when providing services

    Procedure and Method of Destruction of Personal Data

    Company shall immediately destroy the personal data when it is no longer required, such as expiration of retention period of personal data and attainment of the purpose of personal data processing. Procedure and method of destruction of personal data are as follows:

  • Procedure of destruction
  • Company selects the personal data for which the reasons for destruction occurred and destroys the personal data with the approval of DPO of Company. Provided that even after the retention period of personal data has expired or the purpose of processing the personal data has been achieved, any personal data which is required to be retained under other laws will be transferred to a separate database or stored in a different storage place and will be destroyed immediately after such reasons are resolved. Personal data moved to separate database are not used for any other purpose than retainment of personal data aside from instances due to relevant laws.

  • Method of destruction
  • -Personal data stored in electronic file format are deleted using a technical method where records cannot be recovered once deleted

    -Personal data printed on paper are destroyed using shredder/incinerator

    Rights and Duties of Users and Legal Representatives, and How to Exercise

    Users or their legal representatives, as data subjects, can exercise the following rights regarding the collection, use and disclosure of personal data by Company:

  • Right of access by data subject
  • Right to rectification
  • Right to erasure (‘right to be forgotten’)
  • Right to restriction of processing (right to request the suspension of processing)
  • Right to data portability
  • Right to object
  • Rights related to automated individual decision-making, including profiling
  • Right to withdraw prior consent
  • In order to exercise any of the foregoing rights, users may (i) use the 'My Account', ‘Change My Profile’ menu on Company website or (ii) contact Company (Data Protection Department) in writing or via email. In such case, Company shall take immediate measures, provided, however, that Company may reject such request if and to the extent there are reasonable grounds prescribed in the laws and regulations, including Article 35 Paragraph 4 and Article 37 Paragraph 2 of the Personal Information Protection Act. If a user exercises the above-mentioned rights through an agent such as a legal representative or a proxy, the user should submit a power of attorney in the form separately noticed by the Data Protection Committee. Company will verify whether the person requesting for the exercise of rights of the data subject is actually the data subject or a lawful proxy.

    Security and Measures to Ensure Safety

    Company takes the security of personal data seriously. We have in place the following security measures to prevent unauthorized access to, or disclosure/provision, use or change of the personal data (Article 32 of the GDPR, Article 29 of the Personal Information Protection Act, and Article 31 Paragraph 1 Item 3 and Article 48-2 of Enforcement Decree of the same Act).

  • Encryption of personal data
  • Passwords are encrypted for storage and management and only the person who knows the password can check and change personal data. Password rules to avoid use of predictable password will be applied.

  • Plan for hacking
  • Company is putting forth our best effort to prevent leakage or damage of personal data of users from hacking, computer virus, etc.

  • Minimization and training of personal data handlers
  • Company restricts the number of personal data handlers to a minimum and we also emphasize the importance of personal data protection through managerial actions such as training of personal data handlers.

    Data Breach Escalation and Checklist

    In case of a personal data breach, Articles 33 and 34 of the GDPR requires the Controller to notify the personal data breach to the supervisory authority and communicate the personal data breach to the data subject without delay. To this end, Company takes actions regarding personal data breach before and after the occurrence of such incident in accordance with the following checklist:

  • Preparing for a data breach
  • -To prepare methods to recognize data leak and infringement;

    -To prepare detailed response plan for addressing any personal data breach that may occur;

    -To allocate responsibility for managing accident to a dedicated person or team; and

    -To train staff to know how to escalate a security incident to the appropriate person or team in our organization that can determine whether a breach has occurred.

  • Response to a data leakage and breach
  • -To have in place a process to assess the likely risk to data subjects as a result of a breach;

    -To have in place an internal process to notify the Information Commissioner’s Office (ICO) of a breach within 72 hours of becoming aware of it;

    -To have in place a Breach Notification Form to be submitted to the Supervisory Authority ICO if a data breach occurs;

    -To have a process to communicate the personal data breach to the affected individuals without delay;

    -To provide information on the leakage and infringement to data subjects, and to advise them to enable them to protect themselves from its effects; and

    -To document all leakage and breach.

  • Process of report and notification of data breach
  • -To contact the relevant supervisory authority of a breach within 72 hours after having become aware of it;

    -To directly contact the data subjects affected by a breach if it is likely to result in a high risk to their rights and freedoms; and

    -To prepare and submit/notify a Breach Notification Form to the Supervisory Authority and a Breach Notification Form to the Data Subject.


    Children, as defined in this Privacy Policy, refer to those under the age of 14. Our products and services are intended for use by individuals 14 years of age and older, and children are not eligible to use any of our services. In principle, Company does not collect any personal data from children. However, if Company learns that any personal data of children has been collected through KEYCUTstock website, it will take the appropriate steps to delete this data.

    However, if Company collects, for the provision of our services, any personal data of children, it will comply with the following procedures for the protection of children’s personal data- (Article 8, GDPR).

    -To verify if a child is subject to the guardian’s consent and such guardian has a parental authority, within the scope of reasonable efforts;

    -To have the consent from a person with parental authority on collection of the child’s personal data or to provide the child with product information and Company’s services directly;

    -To notify a person with parental authority of Company's privacy policy for children, including the items, purpose and disclosure (provision) of collected personal data;

    -To grant a person with parental authority the right to access, correct or delete or temporally suspend the processing of, the child’s personal data or the right to withdraw the prior consent of the representative; and

    -To limit the collection of personal data to the extent solely required for the participation in online activities.


    (i) Company may use users’ personal data such as IP address of user, location information and data (“profiling”) to create individual or collective profiles for the purpose of identifying how to provide the users with better services, for example, providing the users with customized content of services by analysing which aspect of Company and/or services most attracts users, and the patterns in which users use the services or (ii) to create user clusters to identify the users’ interest in Company’s products and/or services, to analyse the market and statistics or to enhance Company’s services (all websites, etc.). It may integrate the data provided by all our websites and applications with the users’ personal data provided by Company. The processing of personal data for profiling is carried out in line with the guarantees and measures specified in applicable law (Article 22, GDPR).

    Instalment, Operation and Rejection of Personal Information Auto Collection Device (Cookies), Internet Advertising

    Company uses ‘Cookies’ which frequently stores and discovers users’ personal data. Cookies are substantially small text files to be sent to the browser of the users by the server used for the operation of Company’s websites and are stored in hard disks of the users' computers. These functions are used for evaluating, improving services and customizing user experience so that Company provides way improved services for the users. The purpose of collection of cookies collected by Company is as follows:

    -Purposes of cookies, etc.: To provide targeted marketing and personal services through analysis of access frequency/visit hours of members and non-members, tracking of interests and tastes of users, counting of various event participations and visits, etc.

    -Example of configuration method (It may be different depending on the version used)

    -For Internet Explorer: Tools on top of the web browser > Internet Options > Personal Information > Setting > Advanced

    -For Chrome: Settings on the right side of the web browser > Advanced settings menu at the bottom of the screen > Content settings for personal information > Cookies

    -For Android: Internet setting > Advanced-personal information protection and security > Set-Cookie

    -For iOS: Settings menu > personal information and security > Cookies and other site data > Content settings of personal information > Cookies

    Linked websites

    KEYCUTstock website may contain links to websites of third parties with different privacy policies. When users provide personal data to such third party websites, the user’s personal data provided shall be subject to the privacy policy of the third party website. Please be aware of those privacy policies of all websites you visit.

    Social Media Widget

    KEYCUTstock website may include social media functions such as Facebook like buttons and widgets (e.g., share button or mini chat program launched from KEYCUTstock website).

    Social media functions and widgets are hosted by a third party website. Such social media functions and widgets can collect data on pages visited on website of KEYCUTstock and install and operate cookies for smooth operation of functions. The privacy policy of a company providing the social media functions and widgets shall be applied to interaction with such social media functions and widgets.

    Modification of Privacy Policy

    Company may amend or modify this Privacy Policy from time to time. In the event Company modifies this Privacy Policy, Company will make a public notice of it through Company’s website and have the consent of the users if required by relevant laws and regulations. Notice of modification shall be made at least seven (7) days in advance before enforcement and notice will be made immediately when notice in advance is not possible; provided that the significant changes in users’ rights shall be notified at least thirty (30) days in advance.

    When Company transfers, is acquired or merged with another company, Company may transfer the personal data relevant to the business of such transfer, acquisition or merger without consent from the users but Company shall announce the necessary matters through our website, and notify our users of it in accordance with the relevant laws and regulations such as the Personal Information Protection Act.


    1.This Agreement shall become effective from November 01, 2022.

    2.The previous privacy policy can be found below

    Implementation date of :

    privacy policy: November 01, 2022

    privacy policy: May 12, 2022

    privacy policy: February 5, 2021

    privacy policy: March 30, 2020