Shipping will be paused from May 19th to June 3rd due to warehouse relocation.
Privacy & Cookie Policy
PRIVACY POLICY
AGN Korea Limited / Subdued
www.kr.subdued.com
Effective Date: March 2026 | Jurisdiction: Republic of Korea
1. Introduction and Scope
This Privacy Policy ("Policy") is issued by AGN Korea Limited ("Company", "we", "us", or "our") in compliance with the Personal Information Protection Act of Korea (Act No. 10465, as amended; "PIPA") and its implementing regulations, including the Enforcement Decree of PIPA and the Standards for Personal Information Protection.
This Policy applies to personal information collected from users who access our website www.kr.subdued.com and utilise our e-commerce services (collectively, the "Services"). It describes the types of personal information we collect, the purposes for which it is used, and the rights of data subjects under PIPA.
By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy.
2. Personal Information Protection Officer (PIPO)
Pursuant to Article 31 of PIPA, we have designated a Personal Information Protection Officer responsible for overseeing the processing of personal information and handling related complaints and damage relief:
Personal Information Protection Officer (PIPO)
Name / Title: Roberto Sergi
Department: Legal Representative
Email: supportasia@subdued.com
Telephone: +82 02-2205-4150
The PIPO may be contacted for any requests, enquiries, or complaints regarding the processing of your personal information.
3. Categories of Personal Information Collected
We collect personal information in the following categories (Article 15 PIPA – lawful basis for collection):
3.1 Information Provided Directly by the User
• Name, email address, telephone number, postal address
• Account login credentials (username, hashed password)
• Order and delivery information (billing details, delivery address, purchased items)
• Communications and customer service records
3.2 Information Collected Automatically
• IP address, device identifier, browser type and operating system
• Cookies, pixel tags, and web beacons (see Section 9)
• Access logs, session data, pages visited, time and frequency of access
• Service usage records and purchase history
3.3 Sensitive Information
We do not intentionally collect sensitive personal information (as defined in Article 23 PIPA, e.g. ideology, belief, union membership, political views, health data, sexual orientation, criminal history). If such information is inadvertently received, it will be immediately deleted.
4. Purpose of Processing Personal Information
Pursuant to Article 15 of PIPA, we process personal information only for the following specified and lawful purposes:
1. Identity verification and account registration
2. Processing, delivery, and management of orders and transactions
3. Payment processing and billing
4. Customer service, enquiry handling, and dispute resolution
5. Service improvement, personalisation, and development of new features
6. Sending marketing and promotional communications (with separate consent)
7. Statistical analysis and internal reporting (using anonymised or aggregated data where possible)
8. Legal compliance, fraud prevention, and security monitoring
We will not use your personal information for purposes other than those stated above without your prior consent or a legal basis under PIPA.
5. Retention Period and Destruction of Personal Information
Pursuant to Article 21 of PIPA, personal information is retained only for the period necessary to fulfil the stated collection purpose and is thereafter destroyed without delay. The following retention periods apply:
Category – Retention Period – Legal Basis
• Account information – Until withdrawal of membership + 30 days – User consent
• Order and transaction records – 5 years – Act on Consumer Protection in Electronic Commerce, Art. 6
• Contract and subscription records – 5 years – Act on Consumer Protection in Electronic Commerce, Art. 6
• Payment records – 5 years – Act on Consumer Protection in Electronic Commerce, Art. 6
• Complaint and dispute records – 3 years – Act on Consumer Protection in Electronic Commerce, Art. 6
• Access logs (service usage records) – 3 months – Protection of Communications Secrets Act, Art. 15-2
Upon expiry of the retention period, personal information in electronic form is irreversibly deleted using technical methods preventing recovery, and physical records are shredded or incinerated.
6. Provision of Personal Information to Third Parties
Pursuant to Article 17 of PIPA, we do not provide personal information to third parties except in the following circumstances:
• With the prior consent of the data subject
• Where required by applicable law or pursuant to a lawful request from a government authority
• Where necessary to protect the life, physical safety, or property of the data subject or a third party in emergency circumstances where prior consent cannot be obtained
Where we intend to provide personal information to a third party, we will notify you in advance of the recipient, the purpose of provision, the categories of data to be provided, and the recipient’s retention period, and obtain your consent.
We do not sell or rent personal information to third parties for commercial purposes.
7. Entrustment (Outsourcing) of Personal Information Processing
Pursuant to Article 26 of PIPA, we entrust the processing of personal information to the following third party processors as necessary to provide our Services:
• American Express, Apple Pay, Google Pay, Kakao, Mastercard, NeverPay, Visa - Purpose: Payment processing and fraud prevention
• SF and ILyang - Purpose: Order fulfilment and delivery management
• To be determined - Purpose: Data hosting, system maintenance, and security
• Klaviyo - Purpose: Email dispatch and marketing automation
• Google Analytics – Purpose: Website analytics and user behaviour analysis
All processors are bound by written agreements that prohibit the use of personal information for any purpose other than the entrusted task, require implementation of appropriate security measures, and impose restrictions on sub-entrustment. Details of sub-entrusted processors are disclosed on our website.
8. Cross-Border Transfer of Personal Information
Pursuant to Article 28-8 of PIPA (as amended), where personal information is transferred outside the Republic of Korea (e.g. to cloud service providers or international affiliates), we will:
• Obtain your prior consent to the transfer, specifying the recipient, country, purpose, categories of data, and retention period; or
• Conclude a standard contractual agreement approved by the Personal Information Protection Commission ("PIPC") or adopt equivalent safeguards; or
• Rely on another lawful basis under PIPA or applicable international transfer frameworks
If you would like information on the recipients and countries to which your data may be transferred, please contact our PIPO.
9. Cookies and Automated Data Collection
Our website uses cookies and similar technologies. Cookies are small text files stored on your device that enable website functionality and analytics. We use the following categories:
• Essential cookies – necessary for website operation and access to secure areas
• Performance cookies – collect information about how visitors use the website (e.g. Google Analytics)
• Functionality cookies – remember your preferences and personalise your experience
• Marketing cookies – track visits across websites to display relevant advertising
You may refuse or delete cookies through your browser settings. Refusing non-essential cookies will not affect access to the core functions of our website, but may limit some personalisation features. A cookie consent banner is displayed on your first visit to the website.
10. Technical and Organisational Security Measures
Pursuant to Article 29 of PIPA and the Standards for Personal Information Protection, we implement the following security measures:
• Establishment and implementation of an internal personal information management plan
• Access control and management (role-based authorisation, minimum privilege principle)
• Encryption of passwords and sensitive personal information at rest and in transit (TLS/SSL)
• Intrusion detection and monitoring systems
• Regular security audits and vulnerability assessments
• Physical security controls for server rooms and document storage
• Staff training on personal information protection
11. Rights of Data Subjects and How to Exercise Them
Pursuant to Articles 35–37 and 39-7 of PIPA, you have the following rights in respect of your personal information:
• Right of access – to request confirmation of and access to personal information held about you
• Right to correction – to request correction of inaccurate or incomplete personal information
• Right to erasure – to request deletion of your personal information (subject to statutory retention requirements)
• Right to suspension of processing – to request that processing be suspended, where permitted
• Right to data portability – to receive your personal information in a structured, machine-readable format (where technically feasible)
• Right to withdraw consent – at any time, without affecting the lawfulness of processing prior to withdrawal
To exercise any of the above rights, please submit a written or electronic request to our PIPO at supportasia@subdued.com. We will respond within 10 business days of receiving a valid request (15 business days in complex cases, with prior notification).
Your rights may be exercised directly or through an authorised representative. Where a request is submitted through a representative, a power of attorney and proof of identity will be required.
We may decline to fulfil a request in limited circumstances, including where required by law or where it would infringe the rights of a third party. In such cases, we will notify you of the grounds for refusal.
12. Marketing and Promotional Communications
We will send marketing and promotional communications (including commercial information by email, SMS, or push notification) only with your prior, voluntary, and specific consent, as required under PIPA and the Act on Promotion of Information and Communications Network Utilization and Information Protection ("Network Act").
You may withdraw your consent to receive marketing communications at any time, free of charge, by clicking "Unsubscribe" in any marketing message or by contacting our PIPO. Processing of your opt-out will take effect within 10 business days.
13. Processing of Children’s Personal Information
Pursuant to Article 22-2 of PIPA, we do not knowingly collect personal information from children under the age of 14 without the consent of a legal guardian. Where it comes to our attention that personal information of a child under 14 has been collected without guardian consent, we will take steps to delete such information promptly.
For users between the ages of 14 and 18, certain processing activities may require parental or guardian consent depending on applicable requirements.
14. Automated Decision-Making and Profiling
Pursuant to Article 37-2 of PIPA (effective 2023 amendment), where we make decisions that significantly affect you solely by automated means (including profiling), you have the right to request an explanation of the decision and to contest it. Please contact our PIPO to exercise this right.
15. Remedies and Supervisory Authority
If you believe that your personal information rights have been violated or that we have not complied with our obligations under PIPA, you may lodge a complaint with the following authorities:
Personal Information Protection Commission (PIPC)
Website: www.pipc.go.kr | Telephone: 182 (without area code)
Korea Internet & Security Agency (KISA) – Privacy Infringement Report Centre
Website: privacy.kisa.or.kr | Telephone: 118 (without area code)
Cyber Crime Investigation Unit – Supreme Prosecutors’ Office
Website: cybercrime.spo.go.kr | Telephone: 1301
Cyber Safety Bureau – National Police Agency
Website: ecrm.police.go.kr | Telephone: 182
16. Changes to This Privacy Policy
We may amend this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. Where material changes are made, we will provide prominent notice on our website or through direct communication at least 7 days before the changes take effect (30 days in advance where changes concern material matters such as the collection of additional categories of personal information or changes to retention periods).
The current version of this Policy is always available on our website at kr.subdued.com/pages/privacy-cookie-policy
This Privacy Policy is governed by the Personal Information Protection Act (PIPA) of the Republic of Korea (Act No. 10465, as amended) and related regulations.
Version: 1.0 | Effective Date: March 2026
