Privacy Policy

General Provisions

Tatum Co., Ltd. (hereinafter "Company") makes every effort to protect your personal information safely and complies with the relevant laws and regulations of South Korea that information and communication service providers must adhere to, as well as privacy protection regulations and guidelines.

The privacy policy may be changed due to changes in laws or to provide better services. In such cases, the Company will provide prior notice through announcements on the website or via email. The privacy policy is displayed in bold at the bottom of the main homepage screen.

Article 1. Collection and Use of Personal Information

The Company collects and uses the user's personal information for the following purposes. The personal information being processed will not be collected or used for any purposes other than the following, and if the purpose of use changes, necessary measures such as obtaining separate consent will be taken in accordance with Article 18 of the Personal Information Protection Act.

The collection and use of personal information is necessary for the use of Tatum's CNAPP service. If you refuse the collection of personal information, your use of Tatum services may be restricted.

Article 2. Items of Personal Information Collected and Collection Method

The Company collects only the minimum personal information necessary for service provision. When collecting the user's personal information, the Company informs the user beforehand and seeks consent.

Consultation Request (Homepage) — Demo Application, Product Consultation, Inquiry

  • Purpose: Consultation and service guidance

  • Required items: Name, Email, Company Name

  • Optional items: Phone Number, Title

Information Collected During Product Use

  • Purpose: Service account creation and use

  • Required items: Email, Name

  • Optional items: Title, Department

Information Automatically Collected During Service Use

  • Purpose: Service provision and management

  • Collection items: Access IP information, Cookies, Visit History, Service Usage Records

During the process of consultation, suggestions, or inquiries through web page services, emails, or phone calls, the user's personal information may be collected.

Automatically collected information may be generated and collected during use of the service on PC and mobile web.

Article 3. Retention and Use Period of Personal Information

The Company processes and retains personal information collected from users in accordance with the retention and use periods prescribed by law or the consent received when collecting personal information.

Inquiries

  • Record of customer consultation handling: 1 year

Electronic Commerce Act

  • Records related to contract or withdrawal of subscription: 5 years

  • Records related to payment and supply of goods: 5 years

  • Records related to consumer complaints or dispute resolution: 3 years

Protection of Communications Secrets Act

  • Visit records related to service use (login records): 3 months

Article 4. Outsourcing of Personal Information Processing

The Company stipulates necessary matters to ensure the safe management of personal information during outsourcing contracts in accordance with relevant laws.

Flex

  • Outsourced work: Internal HR management

  • Retention and use period: Until membership withdrawal or termination of outsourcing contract

MongoDB

  • Outsourced work: Personal information database

  • Retention and use period: Until membership withdrawal or termination of outsourcing contract

Article 5. Provision of Personal Information to Third Parties

The Company processes personal information only within the scope of user consent and provides personal information to third parties only in special cases specified in Articles 17 and 18 of the Personal Information Protection Act.

In the event that personal information is provided to a third party pursuant to Article 18 of the Personal Information Protection Act, the Company will disclose such facts on the homepage.

Article 6. User Rights and How to Exercise Them

Users can always view or modify their personal information and can withdraw their personal information through the member withdrawal process. If you wish to modify your personal information or withdraw membership, you can proceed as follows:

  1. Users can modify all input information except for their ID on the 'Change Member Information' page.

  2. Users can also request modifications and deletions through 02-6949-2446 or security@tatumsecurity.com. However, to verify that the requester is the information subject, identity verification through a standard form separately prescribed by the regulatory authority may be required.

  3. If a user wishes to withdraw from the homepage, they can click the 'Membership Withdrawal' button on the 'Change Member Information' page of the Tatum homepage to proceed with account withdrawal.

  4. Users can exercise their rights through the customer center and may submit a request for personal information inspection, correction, deletion, or processing cessation in writing or via email in accordance with Appendix Form No. 8 of the Enforcement Regulations of the Personal Information Protection Act.

  5. Users can exercise their rights to personal information through an agent; in this case, an additional power of attorney in accordance with Appendix Form No. 11 of the Enforcement Regulations of the Personal Information Protection Act must be submitted.

  6. Even if a user requests withdrawal of consent, deletion, or processing cessation of personal information, if the information is required to be retained under other laws, the retention period prescribed by those laws may take precedence.

Article 7. Destruction of Personal Information

The Company will promptly destroy personal information that has become unnecessary due to the expiration of the retention period or the achievement of the processing purpose.

If the retention period has expired or the purpose of processing has been achieved, yet the information must continue to be retained under other laws, the respective personal information will be transferred to a separate database (DB) or retained in a different location.

The process and method for destroying personal information are as follows:

a. Destruction Process

The Company selects the personal information for which a reason for destruction has occurred and destroys it upon approval from the personal information protection officer.

b. Destruction Method

  • Personal information printed on paper will be destroyed by shredding or incineration.

  • Personal information stored in electronic file format will be deleted using technical methods that prevent recovery or restoration of records.

c. Personal Information Validity Period System (Dormant Account Policy)

  • The Company differentiates and manages long-term inactive customers (dormant accounts) who have not logged in or engaged in any usage activity (including password changes and registered information updates) for one year.

  • The Company provides prior notice to the customer's registered email address 30 days before the point at which the account is converted to a dormant account.

  • Personal information of customers classified as dormant accounts will be promptly destroyed once the purpose of collecting and using personal information has been achieved. However, if special provisions are stated in relevant laws as specified in Article 3, the period specified therein shall apply.

Article 8. Measures to Ensure the Safety of Personal Information

The Company takes the following technical and managerial measures to ensure that the personal information of users is not lost, stolen, leaked, altered, or damaged.

1. Managerial/Technical Measures

a. The Company establishes and implements internal management plans for the safe handling of personal information.

b. Through an internal dedicated organization for personal information protection, the Company confirms the implementation of personal information protection measures and the compliance of responsible persons, and takes immediate corrective action when issues are identified.

c. The Company limits the number of personnel who can handle personal information to the necessary minimum, regularly inspects the internal security status to prevent leakage, and provides regular training on personal information protection obligations for all personnel handling personal information.

2. Technical Measures

The Company has established necessary technical measures to ensure that personal information is not lost, stolen, leaked, altered, or damaged due to hacking or other threats.

Article 9. Installation and Operation of Automatic Personal Information Collection Devices and Refusal

The Company uses 'cookies' to store and retrieve user information in order to provide personalized services.

Users have the right to choose whether cookies are installed. Users can set their web browser options to allow all cookies, confirm each time a cookie is stored, or refuse to store all cookies.

Methods for refusing cookie settings are as follows:

  • Internet Explorer: Select Tools menu > Choose Internet Options > Click Privacy tab > Advanced Privacy Settings > Set cookie level

  • Chrome: Select Settings menu > Show Advanced Settings > Privacy and Security > Choose Content Settings > Set cookie level

  • Safari: Select Preferences menu > Choose Privacy tab > Set cookie and website data level

Refusing cookie settings may cause difficulties in service provision.

Article 10. Personal Information Protection Officer and Person in Charge

The Company has appointed the following officer and person in charge to protect users' personal information and handle related complaints.

Personal Information Protection Officer

  • Name: Yang Hyuk-jae

  • Department: Representative

  • Title: CPO/DPO

  • Phone: 02-6949-2446

  • Email: hyukjae.yang@tatumsecurity.com

Personal Information Protection Manager

  • Name: Hyun Seok-ju

  • Department: Information Security Team

  • Title: Pro

  • Phone: 02-6949-2446

  • Email: seokju.hyun@tatumsecurity.com

Users can contact the personal information protection officer and manager for all inquiries, complaints, and damage relief related to personal information protection arising while using the Company's services. The Company will respond to and handle users' inquiries without delay.

For other reports or consultations related to personal information infringement, the following institutions can be contacted:

  • Personal Information Infringement Reporting Center: (without area code) 118 / privacy.kisa.or.kr

  • Cyber Investigation Division of the Supreme Prosecutors' Office: (without area code) 1301 / www.spo.go.kr

  • Cyber Investigation Bureau of the National Police Agency: (without area code) 182 / ecrm.cyber.go.kr

  • Personal Information Dispute Mediation Committee: (without area code) 1833-6972 / www.kopico.go.kr

Article 11. Remedies for Infringement of Rights

Information subjects may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency's Personal Information Infringement Reporting Center, etc., in order to seek relief from personal information infringement. For other reports or consultations, please contact the institutions below.

  • Personal Information Dispute Mediation: (without area code) 1833-6972 / www.kopico.go.kr

  • Personal Information Infringement Reporting Center: (without area code) 118 / privacy.kisa.or.kr

  • Supreme Prosecutors' Office: (without area code) 1301 / www.spo.go.kr

  • National Police Agency: (without area code) 182 / ecrm.police.go.kr

The Company ensures the right to personal information self-determination and makes efforts to provide consultation and relief for personal information infringement. If you need to file a report or seek consultation, please contact the department below.

Personal Information Protection Customer Consultation and Report

  • Department: Tatum Co., Ltd. Information Security Team

  • Contact: 02-6949-2446, security@tatumsecurity.com

Article 12. Obligation to Notify Changes to the Personal Information Processing Policy

This personal information processing policy was first established on October 26, 2020. Any additions, deletions, or modifications due to changes in laws, policies, or security technology will be announced through the 'Notice' section of the homepage at least 7 days prior to the effective date.

However, in cases where there are significant changes to user rights, such as changes in the items of collected personal information or the purpose of use, it will be announced at least 30 days in advance and, if necessary, user consent will be obtained again.

  • Date of initial implementation: October 26, 2020

  • Date of last modification: January 23, 2026

CCTV (Fixed Video Information Processing Device) Operation and Management Policy

Tatum Co., Ltd. (hereinafter "Company") provides the following information on how video information processed by this organization is used and managed.

① Legal Basis and Purpose of Installation

The Company installs and operates video information processing devices pursuant to Article 25, Paragraph 1 of the Personal Information Protection Act for the following purposes:

  • Facility safety and fire prevention

  • Crime prevention for the safety of visitors and employees

② Installation Location, Number of Units, and Filming Scope

  • Installation location: Company lobby

  • Number of units: 1

  • Filming scope: Entrance

③ Management Officer and Authorized Personnel

Management Officer (CCTV Installation & Operation)

  • Person in charge: Head of HR Team

  • Organization: Tatum Co., Ltd.

  • Contact: 02-6949-2446

Authorized Personnel (General Oversight)

  • Person in charge: Head of Information Security Team

  • Organization: Tatum Co., Ltd.

  • Contact: 02-6949-2446

④ Filming Hours, Retention Period, Storage Location, and Processing Method

  • Filming hours: 24 hours

  • Retention period: 30 days from the date of filming

  • Storage location: Tatum Co., Ltd. server room

  • Processing method: Matters regarding use beyond the original purpose, provision to third parties, destruction, and requests for inspection are recorded and managed. Upon expiration of the retention period, the information is permanently deleted using methods that prevent restoration.

⑤ Method and Location for Confirming Personal Video Information

  • Method: Contact the authorized personnel or manager in advance and visit the organization.

  • Location: Tatum Co., Ltd. Information Security Team (02-6949-2446)

⑥ Measures for Requests to Inspect Personal Video Information

Those wishing to inspect, confirm the existence of, or delete personal video information must submit a Personal Video Information Inspection/Existence Confirmation Request Form. Inspection is permitted only when the information subject themselves has been filmed, or when it is clearly necessary for the protection of the life, body, or property of the information subject.

The Company will take necessary action without delay upon receipt of such requests.

⑦ Measures to Ensure the Safety of Personal Video Information

Personal video information processed by the Company is securely managed through encryption and other protective measures. As an administrative measure, access rights are granted on a differentiated basis. To prevent forgery or alteration, the date and time of creation, as well as the purpose, identity, and date/time of access upon inspection, are recorded and managed. Physical security locks are also installed to ensure safe storage.

This fixed video information processing device operation and management policy is effective from December 21, 2025.

Refusal of Unauthorized Email Collection

We refuse the unauthorized collection of email addresses posted on the Tatum Co., Ltd. official website (https://www.tatumsecurity.com/) through email harvesting programs or other technical means. Violations may be subject to criminal penalties under Article 50 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, and Article 15 of the Personal Information Protection Act.

Related Laws

  • Article 50, Paragraph 5, Subparagraph 3 of the Act on Promotion of Information and Communications Network Utilization and Information Protection (Restrictions on Transmission of Advertising Information for Commercial Purposes)

  • Article 15, Paragraph 1, Subparagraph 1 of the Personal Information Protection Act (Collection and Use of Personal Information)

© 2026 Tatum Security All rights reserved.