Privacy Policy

LOTTEJTB Co., Ltd., doing business as the Site (referred to as "the Site", "we", "us", or "our"), is committed to protecting your personal information. This Privacy Policy explains how we collect, use, share, and protect personal data when you visit the Site or use our services (including making tour bookings or inquiries). It also outlines your rights under applicable privacy laws, including the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). This policy applies to all visitors to the Site and customers who use the Site's services worldwide.

By using the website or services, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of our site and services.

Article 1 (Information We Collect)

We collect both personal information that you provide directly and data collected automatically through your interaction with the Site or services.

①    Information You Provide to Us: When you make a booking, inquire about a tour, create an account, or contact us, you may provide personal details such as your name, email address, phone number, gender, date of birth, nationality, and any other information necessary to process your request (for example, tour preferences or special requirements). If you book a tour, we will also collect any details needed to facilitate the booking, such as the names of other participants you register. For certain travel bookings, we may request additional details like passport information or dietary requirements if needed for the tour.

②    Payment Information: If you make a purchase or booking, our payment processing partners will collect your payment card details or other payment information. This may include credit/debit card number, expiration date, and security code, or details for alternative payment methods. We do not store your full payment card details on our systems; payment data is processed securely by our authorized payment processor in compliance with applicable security standards (e.g., PCI-DSS).

③    Communications: If you communicate with us (via email, phone, or contact forms), we will collect the content of your communication and any contact information you provide (such as your email address or telephone number) so that we can respond to you. This includes inquiries about tours, customer service requests, and any feedback you provide.

④    Optional Information: We may also collect optional demographic information (such as your gender, travel interests, or preferences) if you choose to provide it, for example to personalize your experience. Providing this information is not required to use our services.

⑤    Information Collected Automatically: When you visit the Site, our systems automatically collect certain technical information about your visit. This includes data like your device’s IP address, browser type and version, device type, operating system, referring website, pages you viewed on our site, the dates and times of your visits, and other standard web log information. We also gather data on how you interact with our site (such as clicks, scrolling, and page response times). This device and usage information helps us administer and secure the Site and provides us with analytics on user behavior.

⑥    Cookies and Tracking Technologies: We use cookies and similar tracking technologies (like web beacons or pixels) to collect information automatically from your browser or device. Cookies are small text files stored on your browser that allow us to recognize you and remember your preferences. For example, if you add tours to a wish list or booking cart, cookies help us keep track of those items. Cookies also enable certain site features and remember your account login so you don’t have to re-enter it on each visit. We use both session cookies (which expire when you close your browser) and persistent cookies (which remain on your device until deleted or expired) for functionality and analytics. You have the ability to disable or delete cookies through your browser settings at any time. However, please note that if you reject cookies, some features of our site may not function properly.

We rely on the EU–US Data Privacy Framework or Standard Contractual Clauses (SCCs) to ensure adequate protection when personal data is transferred to U.S.-based services like Google Analytics and Meta Pixel.

⑦    Analytics Data: We use third-party analytics tools (such as Google Analytics) to understand how users find and use the Site. These tools use cookies and similar technologies to collect data about website usage (e.g., pages visited, time spent on pages, links clicked) and report trends. We have enabled IP anonymization for Google Analytics in applicable regions, so your IP address is truncated before being sent to Google to enhance your privacy. The usage data collected is aggregated and does not directly identify you. This information helps us improve the Site content, performance, and user experience. You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on or by using browser settings to block cookies.

⑧    Advertising and Remarketing: With your consent where required, we may use advertising cookies or pixels provided by third parties (such as Google Ads/Facebook) to deliver personalized ads to you on other platforms. For example, if you visit our site, Google’s remarketing service may use a cookie to recognize you so that we can show you our ads on other websites you visit later. These technologies help us present products or tours that might interest you. You can opt-out of interest-based advertising through your browser’s privacy settings or via industry websites such as the NAI Opt-Out page for U.S. users or the Your Online Choices page for EU users.

⑨    Children’s Privacy: Our services are intended for general audiences and are not directed at children. We do not knowingly collect personal information from children under the age of 13 (or the minimum age required in the user’s jurisdiction) without verified parental consent. However, if we become aware that we have inadvertently collected personal data from a child, or if it becomes necessary to collect data from a child (such as for essential service delivery), we will take additional steps to protect that data, including: Making reasonable efforts to verify the child’s age and the legal authority of the person providing consent.

1)    Obtaining verifiable parental or guardian consent before collecting or using any personal information from the child.

2)    Providing the parent or legal guardian with clear notice regarding the types of information collected, the purposes of collection, and whether the data will be shared with third parties.

3)    Offering the parent or legal guardian the right to access, correct, delete, or restrict the processing of the child’s information, or to withdraw prior consent at any time.

4)    Limiting the collection of information to what is reasonably necessary for the child’s participation in the activity or service.

We encourage parents and guardians to monitor their children’s online activities and to contact us if they believe that we may have collected information from their child without proper consent. We will promptly delete such data in accordance with applicable law.

Article 2 (How We Use Your Information)

We use your personal information for the following purposes, and we ensure that we have a valid legal basis (under GDPR) for each use:

①    To Provide Services and Process Bookings: We use your personal data to process your tour bookings and travel arrangements, including reserving your spot on tours, processing payments, issuing tickets or vouchers, and communicating with you about your trip. For example, we will use your name and contact details to confirm your reservation and send you itineraries or booking confirmations. We also use the information to provide any customer support you request and to manage any changes or issues with your bookings. Legal basis: This is generally necessary for the performance of a contract – when you book a tour or service, we must use your data to fulfill our contract to provide that service.

②    To Respond to Inquiries and Communicate with You: If you contact us with questions, feedback, or requests, we will use your provided information to respond and communicate. This includes responding to customer service inquiries, answering questions about tours, and sending notifications or alerts you request (e.g. price changes or availability). Legal basis: This is within our legitimate interests to provide effective customer service, or may be necessary for taking steps at your request prior to entering into a contract (for instance, answering pre-booking inquiries).

③    To Personalize Your Experience: If you provide preferences (such as interests or demographic info like gender), we may use this to customize tour recommendations or content on our site to better suit your interests. We may also use past booking history to suggest relevant products or promotions. Legal basis: Consent (where we explicitly ask for your consent to use data for personalization) or legitimate interests in improving our services and marketing.

④    For Marketing (with Consent): We may use your email or contact info to send you promotional communications such as newsletters, special offers, or information about new tours and services, only if you have consented to receive such marketing. You can opt-out of marketing emails at any time by clicking the unsubscribe link in the email or contacting us. We will not spam you, and we will honor all opt-out requests. Legal basis: Consent (for GDPR purposes, we will only send direct marketing to EU individuals with prior consent). California residents have the right to opt-out of the “sale” of personal information; however, the Site does not sell your personal information to third parties for monetary value. Any sharing for marketing is done in accordance with this Policy and with your consent.

⑤    To Improve and Analyze Our Services: We use data (especially aggregated and analytic data) to understand how our services are used and to make improvements. This includes analyzing website traffic and user behavior to fix technical issues, optimize navigation, and improve content and tour offerings. It also includes testing changes and measuring the effectiveness of our advertising. Legal basis: Legitimate interests – it is in our interest to analyze and improve our services to benefit our business and users, and these activities typically do not override your privacy rights (especially when data is aggregated or pseudonymized).

⑥    To Ensure Security and Prevent Fraud: We may process personal data (like IP addresses or browser info) to maintain the security of the Site and services, prevent fraudulent bookings or misuse of our services, and to detect and protect against technical issues or attacks (for example, we may use automated systems to flag suspicious login attempts or transactions). We also may use CCTV at our physical premises (if you visit an office) for security. Legal basis: Legitimate interests in protecting our business, customers, and systems from fraud and security threats, and/or legal obligation if we are required by law to ensure certain security standards.

⑦    To Comply with Legal Obligations: We will use and retain personal information as necessary to comply with our legal and regulatory obligations. This includes keeping records for tax and accounting purposes, verifying identities where required by law, and responding to lawful requests by public authorities. For example, under Korean law or other applicable laws, we may need to retain transaction records for a certain period, or under EU law we might need to provide certain information to authorities for compliance purposes. Legal basis: Compliance with a legal obligation (GDPR Article 6(1)(c)).

⑧    To Protect Vital Interests: In rare circumstances, we may need to process personal data to protect someone’s life or physical safety. For instance, if you have a medical emergency on a tour, we might share relevant personal info with medical providers. Legal basis: Vital interests (GDPR Article 6(1)(d)), though this is expected to occur only in extraordinary situations.

We will not use your personal information for purposes that are incompatible with the above, unless we obtain your consent or are required/permitted by law to do so. If we plan to process your information for a new purpose, we will provide you with notice and, if required, seek your consent.

Article 3 (Cookies & Tracking Technologies)

As noted, we use cookies and similar technologies on the Site to ensure it functions properly and to enhance user experience. Here is a summary of our use of cookies:

①    Essential Cookies: These cookies are necessary for the Site to operate. They enable core functionalities such as secure login, shopping cart preferences, and load balancing. Without these cookies, services you have asked for (like adding a booking to your cart or logging into your account) cannot be provided.

We rely on the EU–US Data Privacy Framework or Standard Contractual Clauses (SCCs) to ensure adequate protection when personal data is transferred to U.S.-based services like Google Analytics and Meta Pixel.

②    Analytics Cookies: We use analytics cookies (e.g., Google Analytics cookies) to collect information about how visitors use our site. This helps us measure and improve the performance of the Site. For example, we learn which pages are most and least popular and see how visitors move around the site. The data collected is typically aggregated and not used to identify you personally. Google Analytics may set its own cookies to track user interactions; however, we have configured Google Analytics to anonymize IP addresses for visitors from the EU/EEA. You can opt out as described in Section 1 (Analytics Data).

③    Advertising Cookies: Third-party advertising partners (like Google or social media platforms) may use cookies or pixels on our site to collect information about your browsing activities, in order to provide you with targeted advertising on other sites. For example, if you view the tour on the Site, you may later see an ad for the Site on another site. We only engage in such advertising cookie use where permitted by law, and we obtain consent where required (such as in the EU). You can manage or block advertising cookies through your browser settings or via industry opt-out sites as mentioned above.

For users located in the EEA, we obtain explicit opt-in consent before enabling any non-essential cookies, including analytics or advertising cookies. You may manage your preferences via the cookie settings panel on our website.

④    Your Choices: When you first visit our site from certain regions, you may see a cookie consent banner allowing you to accept or reject non-essential cookies. Even after accepting, you can always adjust your browser settings to remove or block cookies. Please note that disabling all cookies (including essential cookies) may affect website functionality. For mobile app usage (if any), you can typically reset advertising identifiers in your device settings.

We also honor “Do Not Track” (DNT) signals to the extent possible. If your browser is configured with DNT enabled, our advertising and analytics partners will be signaled to adjust their data collection accordingly. However, not all third parties respond to DNT signals.

For more detailed information, please see our [Cookies Policy] (if available) which provides a deeper explanation of the types of cookies we use and your options.

Article 4 (How We Share Your Information)

We treat your personal information with care and confidentiality. We do not sell your personal data to third parties. However, in order to provide our services and run our business, we sometimes need to share information with third parties in the following categories:

①    Travel Service Providers (Guides, Hotels, Operators): When you book a tour or activity through the Site, we will share the necessary personal details with the local tour operators, tour guides, hotels, transportation companies, or other third-party providers that will host or facilitate your experience. For example, if you book a guided city tour, we will provide your name and contact info to the tour guide or tour company running that tour so they can prepare for your arrival. Similarly, if your tour package includes hotel accommodation, we will share your details with the hotel for booking purposes. These providers will use your information strictly to provide the contracted service (e.g., to reserve your room or register you for the tour) and for no other purpose.

②    Business Partners and Affiliates: We may share your information with trusted business partners or affiliates of LOTTEJTB Co., Ltd. who are involved in delivering the services you request. This includes, for example, other companies within the LOTTE group or partner travel agencies that assist in fulfilling your bookings or providing customer support. All such parties are required to handle your information in compliance with this Privacy Policy and applicable data protection laws.

Our booking engine is provided by Bókun, a company based in Iceland (within the EEA) and part of the Tripadvisor group. Data processing by Bókun complies with EEA GDPR requirements.

③    Service Providers (Processors): We use third-party service providers to perform certain functions on our behalf, and in doing so they may have access to personal data only as needed to perform their functions. Examples which is the booking engine platform we use to manage tour reservations, payment providers to process credit card transactions, IT hosting and infrastructure providers (for website hosting or data storage), email service providers (to send transactional emails like booking confirmations), and analytics/marketing service providers. These companies act as our data processors and are bound by contracts to only use your data per our instructions and to protect it. For instance, our booking platform is powered. (based in Iceland), which processes your booking details on our behalf. These company is contractually obligated to protect your data and it operates under stringent data protection standards in line with GDPR. Similarly, our payment processors use your payment data solely to process payments and are PCI-DSS compliant.

④    Payment Processors and Financial Institutions: When you make a payment, the transaction is handled by third-party payment processors (such as credit card companies or banks). These entities receive the necessary personal and financial data to verify and complete the payment. They may also use your information for fraud prevention and credit risk reduction. We authorize these payments in a secure manner and do not receive or store sensitive financial information like full credit card numbers (other than perhaps the last few digits for reference). Payment providers may be independently responsible for the personal data they process to fulfill regulatory requirements (e.g., anti-fraud, anti-money laundering laws).

⑤    Advertising and Analytics Partners: As noted in the Cookies section, third-party advertising networks and analytics providers may receive some limited data about you (via cookies or similar tracking tech) when you use our site. For example, Google may receive your device identifiers or site browsing information for analytics and advertising purposes. These third parties use the information to provide services to us (analytics) or to serve advertisements tailored to your interests (with appropriate notice & consent where required). We do not share directly identifiable personal data (like your name or email) with these partners for advertising, but they may automatically collect pseudonymous identifiers as you browse our site.

⑥    Legal and Safety Disclosures: We may disclose personal information to third parties when required by law or necessary to protect rights and safety. This includes sharing information:

1)    To comply with legal obligations: If we receive a lawful subpoena, court order, or other mandatory request for data, we may need to disclose certain information to regulators, law enforcement agencies, or governmental authorities. For example, tourist regulatory bodies or tax authorities might lawfully require certain data, or a court may order us to provide information as part of a legal proceeding.

2)    To enforce our terms and protect our rights: We may share data when necessary to enforce our Terms of Service or other agreements, or to investigate potential violations thereof.

3)    To protect safety: If necessary, we may share information to protect the rights, property, or safety of the Site, our employees, our users, or the public. For instance, sharing information with relevant authorities in cases of fraud prevention or if a customer’s actions pose a safety risk.

⑦    Business Transactions: In the event of a business transfer (such as a merger, acquisition, reorganization, or sale of all or part of our business or assets), user information (including personal data) may be among the assets transferred to the buyer or successor entity. If such a transfer occurs, we will ensure that your personal data remains subject to confidentiality obligations and we will notify you (for example, via email or a prominent notice on our site) of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal data as a result of the transfer.

⑧    With Your Consent: Apart from the cases listed above, if we ever need to share your information in a way that is not covered by this Privacy Policy, we will explain the situation to you and obtain your consent before doing so. You are free to withhold or withdraw such consent at any time.

Third-Party Data Sharing Summary: In summary, we only share personal data with third parties to run our services and fulfill your requests, under strict conditions. All third parties who receive personal data from us are expected to handle it with the same level of care and security that we do, and to use it only for the intended purpose. We do not allow any third-party service providers to use your information for their own marketing or other independent purposes.

If you have questions about third parties that may have access to your data, feel free to contact us for more information. We can provide a list of the categories of partners we work with and, if required by applicable law, the specific parties.

Article 5 (International Data Transfers)

the Site is a global service based in the Republic of Korea, and we work with travelers and partners around the world. This means that your personal information may be transferred to and stored or processed in countries other than your own, including outside the European Economic Area (EEA) or outside the United States. For example:

①    Our headquarters and servers may be located in Seoul, South Korea, so data you provide might be stored on servers in Korea.

②    We use service providers in various countries (for instance, our booking engine provider is in Iceland within the EEA, and we use analytics and advertising services from companies in the United States).

③    When you book international travel, we will send your details to local tour operators or hotels in the country where your tour will take place, which could be outside your country of residence.

Data Protection in Other Countries: When your data is transferred to a country that may not have the same level of data protection laws as your home country, we take steps to ensure your information remains protected. If you are in the EU/EEA or UK, for instance, and we transfer your data to a third country, we will ensure a legal transfer mechanism is in place. Our measures include:

①    Adequacy Decisions: We may transfer data to countries that the European Commission has deemed to have an “adequate” level of data protection. (For example, the EU has determined that certain countries, such as South Korea, provide adequate protection for personal data under their domestic laws, allowing free data flow.) Where such an adequacy decision is in place, cross-border data transfer is allowed.

②    Standard Contractual Clauses (SCCs): For transfers to countries without an adequacy decision, we utilize the European Commission’s Standard Contractual Clauses as a safeguard. These are contractual commitments between us and the recipient of the data, binding them to protect the data in line with EU privacy standards. We have signed SCCs (or the UK International Data Transfer Agreement, as applicable) with our service providers and partners outside the EEA to cover the export of personal data.

③    Other Safeguards: In some cases, we may rely on other transfer mechanisms permitted by law, such as the necessity of the transfer for the performance of a contract (for example, if you are an EU customer booking a tour in a country outside the EU, the transfer of your data to that tour provider is necessary to perform the contract you’ve entered into). We may also rely on your explicit consent for certain international transfers when offering specific services, in which case we will inform you and obtain consent. Additionally, we implement technical measures like encryption and pseudonymization where feasible to add extra protection during data transit.

Data Storage Location: Your personal data may be stored on servers located in South Korea, European Union (e.g., in Ireland or Germany if we use EU-based cloud storage), United States, or other jurisdictions where our service providers maintain facilities. Regardless of where data is stored, we apply consistent privacy protections as described in this Policy.

Your Acknowledgment: By using our services or submitting your information to us, you acknowledge that your information may be transferred to countries outside of your country of residence. We understand that data protection laws vary by country, but we want to reassure you that when your personal data travels across borders, we take appropriate steps to safeguard it.

If you have questions about our international data transfer practices or want more details about the safeguards we have put in place, please contact us (see Contact Information section below). We can provide a copy of the relevant contractual safeguards upon request (subject to any confidentiality requirements).

Article 6 (Data Retention)

We will retain your personal data only for as long as necessary to fulfill the purposes we collected it for, including any legal, accounting, or reporting requirements. Specifically:

①    Booking and Inquiry Data: If you make a tour booking or send an inquiry, we will keep the personal information related to that booking/inquiry for as long as needed to provide the services and handle any post-trip issues or inquiries. In general, we retain booking-related personal data for up to 30 days after the end of your tour, after which we will delete or anonymize it. This retention period allows us to address any after-service queries, complaints, or follow-up communications (such as sending you a summary of your trip or gathering feedback) shortly after your tour is completed. After 30 days, personal data such as contact details and travel details will be removed or de-identified in our active systems.

①    Account Information: If you have created an online account with the Site, we will retain your account data (such as your name, email, password, and profile information) for as long as your account is active. You can delete your account at any time, and upon deletion, we will remove or anonymize personal data associated with your profile (except for any data we are required to retain for legal reasons). If your account is inactive for an extended period, we may contact you to ask if you want to maintain it. Data from deactivated or deleted accounts will be securely archived or erased, subject to our legal retention requirements.

②    Marketing Data: If you have subscribed to our newsletter or consented to receive marketing communications, we will retain your contact information for that purpose until you unsubscribe or withdraw your consent. Once you opt out, we will promptly remove you from our marketing list (although we may keep a record of your request to ensure we honor it going forward). We may also keep a suppression list (email addresses of individuals who have unsubscribed) indefinitely to ensure we do not accidentally send you emails after you have opted out.

③    Log and Analytics Data: We generally retain website log files and analytics records for a short period (often 30 days to 1 year) for the purposes of security, fraud detection, and analyzing site performance. These logs may include IP addresses and visit timestamps. After this period, we either delete the data or store it in an aggregate form that does not identify individuals.

④    Legal Compliance and Disputes: In some cases, we may need to keep certain information for longer if required by law. For instance, financial records (including invoices, payments, and transaction records) may be retained for tax, audit, and accounting purposes for a period mandated by law (e.g., seven years under certain jurisdictions’ laws). Similarly, if we are handling a dispute or legal claim involving your data, we will retain the relevant information until the issue is resolved and no further claims are expected. During such a period, your data will be securely stored and isolated from routine use.

After the applicable retention period has ended, we will ensure that your personal data is either securely deleted or irreversibly anonymized (so that it can no longer be associated with you). For example, we may remove identifying details from the data so it can be used for statistical purposes without identifying you.

Backup Systems: Please note that residual copies of your personal data might remain in our backup systems for a short duration after deletion, but will be overwritten in the normal course of backup cycles. We maintain backup data to ensure we can recover from unexpected disruptions, and we protect these backups with strong security as well.

If you have any specific questions about how long we keep a particular type of data, you can contact us (see Contact Information below) and we’ll be happy to provide more detail.

Article 7 (Your Rights and Choices)

We respect your rights to your personal data. Depending on your location and the laws that apply to you, you have a number of rights regarding the personal information we hold about you. We have outlined these rights below. You can exercise these rights at any time by contacting us (see the Contact Information section).

①    Rights for Individuals in the European Union / European Economic Area (GDPR)

If you are in the EU/EEA (or otherwise subject to GDPR), you have the following rights under the GDPR:

1)    Right of Access: You have the right to request confirmation of whether we are processing your personal data, and if so, to request a copy of the personal data we hold about you. This includes the right to ask for information on the categories of data, the purposes of processing, the categories of recipients to whom data has been disclosed, the retention period or criteria for determining it, and the source of the data (if not collected directly from you). We will provide you with a copy of your personal data in a commonly used electronic form, unless you request a different method. For additional copies, we may charge a reasonable fee based on administrative costs.

2)    Right to Rectification: If any of your personal information is inaccurate or incomplete, you have the right to request that we correct or update it without undue delay. For example, if you change your phone number or notice we have misspelled your name, you can ask us to fix it. We encourage you to keep your information up-to-date and will honor requests to rectify inaccurate data.

3)    Right to Erasure (Right to be Forgotten): You have the right to request the deletion of your personal data in certain circumstances. This right applies, for instance, if the data is no longer needed for the purposes it was collected, if you withdraw consent (and no other legal basis for processing applies), if you have objected to processing (see below) and we have no overriding legitimate grounds to continue, if the data was processed unlawfully, or if erasure is required to comply with a legal obligation. When you exercise this right, we will erase your data (and instruct any processors to do so as well) unless an exemption applies. Please note, we might not be able to fulfill an erasure request in full if we are legally required to keep certain data (e.g., for financial reporting) or if the data is necessary to establish, exercise, or defend legal claims.

4)    Right to Restrict Processing: You have the right to request that we limit the processing of your personal data in certain situations. You can request restriction if: you contest the accuracy of the data (for a period enabling us to verify it); the processing is unlawful but you prefer restriction to erasure; we no longer need the data but you need it for legal claims; or you have objected to processing (pending verification of overriding grounds). When processing is restricted, such data will be marked and only processed for specific purposes (like storage or legal claims) unless you consent or further processing is legally permitted.

5)    Right to Data Portability: For data that you provided to us and that we process by automated means on the legal basis of consent or contract, you have the right to request a copy in a structured, commonly used, machine-readable format, and you have the right to transmit that data to another controller (or have us transfer it, where technically feasible). In plain terms, this allows you to take the data you gave us in a usable format and reuse it elsewhere. This right only applies to information you have provided to us (e.g., your account details, or data generated by your usage of our service under consent/contract), not to data we have created internally.

6)    Right to Object: You have the right to object to certain types of processing of your personal data at any time, on grounds relating to your particular situation. This includes the right to object to processing carried out for our legitimate interests or for a task in the public interest/exercise of official authority. If you raise an objection, we will stop processing the personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or unless we need to continue processing for the establishment, exercise, or defense of legal claims. Importantly, you have an unconditional right to object to your data being used for direct marketing purposes. If you object to processing for direct marketing, we will cease processing your data for those purposes immediately (including any related profiling).

7)    Right to Withdraw Consent: Where we rely on your consent as the legal basis for processing (for example, for sending marketing emails), you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. If you withdraw consent, we will stop the specific processing that was based on consent. For example, if you withdraw consent for marketing, we will stop sending you marketing emails.

8)    Right not to be Subject to Automated Decisions: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you, unless it is necessary for entering into or performing a contract, is authorized by law, or you have given explicit consent. the Site does not engage in fully automated decision-making without human involvement that has a significant impact on individuals (such as credit scoring, etc.) in the context of our services. Should that change, we will inform you and ensure such processing is carried out in compliance with GDPR Article 22, including providing you the right to obtain human intervention and to contest the decision.

9)    Right to Lodge a Complaint: If you believe that we have infringed your data protection rights or not handled your personal data in accordance with the law, you have the right to lodge a complaint with a supervisory authority in the EU/EEA. Typically, this would be the authority in the country of your residence, place of work, or where the issue occurred. We would, however, appreciate the chance to address your concerns directly before you approach a regulator, so please feel free to contact us about any complaint and we will do our best to resolve it.

②    Rights for California Residents (CCPA/CPRA)

If you are a resident of California, you have certain rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). These include:

1)    Right to Know: You have the right to request that we disclose to you the personal information we have collected about you in the past 12 months, including the categories of personal information, the categories of sources of that information, the business or commercial purposes for collecting or sharing it, the categories of third parties with whom we share it, and the specific pieces of personal information we have about you. Essentially, you can ask us to provide you with a report of the personal data we have collected and used about you. You can make a verifiable consumer request for this information up to two times per 12-month period, free of charge.

2)    Right to Delete: You have the right to request that we delete any personal information about you that we have collected from you and retained, subject to certain exceptions. Once we receive and confirm a verifiable deletion request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. For instance, we may deny deletion requests if retaining the information is necessary for us or our service providers to complete the transaction for which we collected it, to detect security incidents, to comply with legal obligations, or other reasons permitted by CCPA (we will inform you of any such reasons in our response).

3)    Right to Correct: Under the CPRA amendments, you have the right to request correction of any inaccurate personal information we maintain about you. Upon receiving a verifiable request, we will use commercially reasonable efforts to correct the inaccurate information as directed by you.

4)    Right to Opt-Out of Sale or Sharing: CCPA gives you the right to opt out of the “sale” of your personal information. The CCPA’s definition of “sale” is broad and includes sharing of personal information for valuable consideration. the Site does not sell your personal information for money. However, the term “sale” could include certain types of data sharing that involve cookies and advertising (sharing identifiers with third-party advertising networks could be considered a “sale” under CCPA’s definition). We treat such sharing as something you can opt out of. We also acknowledge the right to opt out of sharing of personal information for cross-context behavioral advertising (introduced by CPRA). If you are a California resident and wish to opt out of any potential “sale” or “sharing” of your personal information, you may do so by using the “Do Not Sell or Share My Personal Information” link on the Site (if available) or by contacting us with your request. If you opt-out, we will honor your request and, if applicable, adjust our data practices (for example, by instructing third-party ad partners to cease using your data for targeted advertising). Additionally, if our site detects a Global Privacy Control (GPC) signal from your browser indicating an opt-out preference, we will treat that as a valid opt-out request.

5)    Right to Limit Use of Sensitive Personal Information: If we collect “sensitive personal information” (as defined by California law, e.g., government IDs, financial account login, precise geolocation, racial or ethnic origin, etc.) for purposes beyond what is necessary to provide our services, you have the right to direct us to limit the use of such sensitive information to certain allowed purposes (like providing the services or security). In general, the Site does not collect or use sensitive personal information for inferring characteristics or for purposes other than providing services (except possibly payment information, which we use only to process transactions). If this right applies, we will provide a mechanism to exercise it.

6)    Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. This means, for example, we will not deny you services, charge you different prices, or provide a lesser quality of service just because you exercised your privacy rights. However, please note that if the exercise of your rights limits our ability to process information (for instance, if you ask us to delete all your data), we may not be able to provide you with certain services that rely on that information.

③    Exercising Your California Rights: To exercise your CCPA rights, you (or your authorized representative) can submit a verifiable consumer request to us by contacting us via the methods listed in the Contact Information section (e.g., by email or phone). We will need to verify your identity (or authority, if through an agent) before processing such requests to ensure we are providing information to the correct individual. This may involve asking you to provide certain information that we have on file (such as your email, recent booking details, or other information) to match against our records. We will use information provided in a request solely to verify and fulfill the request.

We aim to respond to your request within 45 days of receipt. If we need more time (up to an additional 45 days, for a total of 90 days), we will inform you of the reason and extension in writing. Any disclosures we provide will cover only the 12-month period preceding the verifiable request's receipt. For data portability requests, we will select a format to provide your personal data that is readily usable.

California’s “Shine the Light” law (Civil Code Section §1798.83) also permits California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes without your consent. If you have questions about this, you may contact us.

④    Exercising Your Rights (All Users)

To exercise any of the rights above or to make any request regarding your personal data, please contact us using the details in the Contact Information section below. Specify what right you wish to exercise and the scope of the request. We will respond to all legitimate requests and inform you of the actions taken or any required information we might need.

Please note:

1)     Verification: For security, we may need to verify your identity before fulfilling your request (especially for access, deletion, or copy requests) to ensure that we do not disclose personal data to the wrong person. Verification methods may vary depending on your relationship with us (we might ask you to confirm specific details we have on record, etc.). Authorized agents must provide proof of authorization and we may still verify your identity directly.

2)     No Fee Usually Required: Exercising your rights is free of charge. However, if a request is unfounded or excessive (for example, repetitive requests), we may charge a reasonable fee or refuse to act on the request. We will explain our reasoning in such cases.

3)     Response Time: We strive to respond within one month of receiving a request. If the request is complex or if you have made multiple requests, we may extend this period by an additional two months, but we will inform you of the extension and the reasons for it.

Article 8 (How We Protect Your Information)

We take the security of your personal information very seriously. the Site has implemented a variety of technical, administrative, and physical security measures to safeguard the personal data we process, in order to prevent loss, theft, misuse, and unauthorized access, disclosure, alteration, or destruction of your information. These measures include:

①    Encryption: All sensitive data transfers between your browser and the Site are protected using TLS/SSL encryption. This means that when you enter personal information (such as payment details or login credentials) on our site, the data is encrypted in transit. We also encrypt personal data at rest where appropriate. For example, passwords are stored using cryptographic hash functions and payment transactions are processed through secure, PCI-compliant gateways (we do not store your raw payment card data on our servers).

②    Access Controls: We restrict access to personal data to authorized employees and service providers who need it to perform their job duties. Our staff are bound by confidentiality obligations and trained on data protection. We use role-based access controls to ensure people only access the minimum data necessary. For instance, our tour guides will receive your name and necessary contact info for a booking, but they will not have access to other sensitive data like your payment details or account credentials. Administrative access to systems containing personal data is limited to trained personnel and requires strong authentication (such as multi-factor authentication).

③    Security Monitoring: Our IT systems are monitored for potential vulnerabilities and attacks. We use firewalls, anti-virus/anti-malware protection, and intrusion detection systems to guard against unauthorized access. We also keep our software, website platform, and servers up to date with the latest security patches.

④    Testing and Assessments: We periodically conduct security assessments, such as penetration testing and code reviews, to evaluate the strength of our protections. Any identified issues are promptly addressed. We also utilize secure development practices when building or updating features, to minimize security risks from the outset.

⑤    Data Minimization: We follow the principle of data minimization – we only collect and retain personal data that is relevant and necessary for the stated purposes. By limiting the data we hold, we reduce the risk exposure. When data is no longer needed, we ensure it is safely disposed of (deleted or anonymized) as described in the Data Retention section.

⑥    Physical Security: For any physical servers or data centers we use, there are appropriate physical security controls in place (such as access badges, surveillance, and 24/7 security). In our offices, any printed documents containing personal data are stored securely and shredded when no longer needed.

⑦    Employee Training and Policies: We maintain internal privacy and security policies that our employees must adhere to. We train our team on best practices for data protection, how to identify and report security incidents, and the importance of confidentiality.

Despite all these measures, it is important to note that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security. Cyber threats and new vulnerabilities emerge constantly, but we do our best to update our safeguards accordingly. We also rely on you to play a part in protecting your data: please use a strong, unique password for the Site, do not share your account credentials, and alert us immediately if you suspect any unauthorized access to your account or personal data.

In the unfortunate event of a data breach that affects your personal information, we will notify you and relevant authorities as required by law. We have a breach response plan in place to quickly mitigate and investigate any security incidents.

If you have any questions about the security of your personal data or if you suspect any vulnerabilities, please contact us.

Article 9 (Policy Updates and Changes)

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make changes, we will post the updated policy on this page and update the "Last Updated" date at the top of the policy. If the changes are significant, we will provide a more prominent notice (such as a banner on the Site or an email notification).

For example, if we were to change the types of personal data we collect or the purposes for which we use data in a material way, we would notify users in advance and, if required by law, obtain your consent for the new practices.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting the personal information we collect. Your continued use of website or services after any changes to this Privacy Policy will constitute your acknowledgment of the changes and agreement to be bound by the updated policy, to the extent permitted by law.

If you do not agree with any updates or changes, you should stop using our services and can request that we remove your personal information as per the procedures outlined above (see "Your Rights").

For historical reference or upon your request, we can provide prior versions of our Privacy Policy. We maintain an archive of past privacy notices as required by certain regulations (e.g., CCPA requires that we note changes).

Article 10 (Contact Information)

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please do not hesitate to contact us. We are here to help and will respond as promptly as possible.

Controller (Data Controller): LOTTEJTB CO., LTD.

Business Address: 13F, Seosomun-ro, Jung-gu, Seoul, Republic of Korea

Phone: +82-2-6313-8592

Email: privacy@lottejtb.com

You may contact us by email or phone for any matter, including to exercise your rights as described in Article 7, to ask about deleting or correcting your data, or to inquire about our data practices. When you contact us about your personal data, please include your name and contact information and specify clearly the nature of your request or question. This will help us address your inquiry more effectively.

If you prefer, you may also send postal mail to our business address listed above (Data Protection Officer (DPO): KO Munyoung).

As of this update, we have not designated an EU representative. We will update this section if such designation becomes necessary.

Data Protection Officer (if applicable): If we have appointed a Data Protection Officer or EU Representative as required by GDPR, the contact details will be provided here. (As of the last update, please use the contact information above for all privacy-related inquiries.)

We value your privacy and trust. Thank you for choosing the Site for your travel experiences – we are dedicated to safeguarding your personal information and making your journeys safe and enjoyable.

[Addendum]

These Terms and Conditions shall take effect on July 25, 2025.