Privacy policy
1. General
THUG CLUB Co., Ltd. (“THUG CLUB,” “we,” “us,” or “our”) respects your privacy and processes personal data in accordance with applicable privacy and data-protection laws. This Global Privacy Notice applies to the official THUG CLUB international online store, related customer service, and associated services (collectively, the “Services”).
This Notice applies to international visitors, customers and users, including users of the English-language Store and customers placing orders for delivery outside the Republic of Korea. The Korean Privacy Policy may apply separately to domestic Korean transactions. Where mandatory privacy or consumer-protection law in your place of residence provides greater protection, that law applies to the extent required by law.
If there is a conflict between the Global Terms of Use and this Notice with respect to the collection, processing or disclosure of personal data, this Notice controls.
2. Personal Data: Purposes, Categories, Legal Bases and Retention
We process only the personal data reasonably necessary for the purposes described below. If we materially change the purpose of processing, we will take any steps required by applicable law.
|
Processing Activity |
Purpose and Typical Legal Basis |
Personal Data |
Retention |
| Account registration and management |
Identity verification, account creation and maintenance, service notices, misuse prevention. Basis: contract performance, legitimate interests or consent where required. |
Name, email address, mobile number, account identifier, authentication information (including email-based identification and one-time login codes), preferences. |
Until account closure. Certain records may be retained where required by law or reasonably necessary for fraud prevention, disputes or security. |
| Guest checkout and order management |
Order confirmation, performance of contract, order lookup and customer support. Basis: contract performance. |
Customer name, contact details, email address, order number, order details and shipping address. |
Deleted without undue delay after the purpose is achieved, subject to statutory retention periods. |
| Payments and refunds |
Payment authorization, cancellation, refund and transaction records. Basis: contract performance and legal obligations. |
Payment token or authorization information, transaction details, cancellation and refund information, order information. |
Statutory retention periods and the period required to process the transaction. |
| Shipping, returns and exchanges |
Delivery, collection, return or exchange processing and related support. Basis: contract performance. |
Recipient name, contact details, shipping address, order number and delivery/return records. |
Deleted without undue delay after the purpose is achieved, subject to statutory retention periods. |
| Customer support and dispute handling |
Responding to inquiries, resolving complaints and disputes, service quality improvement. Basis: contract performance and legitimate interests. |
Name, contact details, email address, order information, communications and attachments you provide. |
Generally 3 years after the matter is closed, or until the dispute is resolved, unless a longer period is required by law. |
| Marketing and events |
Product and event notices, benefits, promotions and event administration. Basis: consent or another lawful basis where permitted. |
Name, email address, mobile number, marketing preferences and event-entry information. |
Until consent is withdrawn or the account is closed, unless another period is stated at collection. |
| Service use, security and fraud prevention |
Store operation, diagnostics, security, misuse prevention and incident response. Basis: legitimate interests or legal obligations. |
IP address, cookies, usage and access logs, browser/device information, error and security logs. |
Generally 3 months after use ends, unless longer retention is necessary for a legal obligation, security incident or dispute. |
| Analytics and targeted advertising, where enabled |
Visit analysis, service improvement, advertising performance measurement and personalized advertising. Basis: consent or another lawful basis where permitted. |
Visit, click, search and conversion records, online identifiers, cookie and advertising identifiers. |
Until consent is withdrawn, cookies are deleted, you opt out where applicable, or the purpose is achieved. |
We do not intentionally collect sensitive personal data or government-issued identification numbers unless required by law or necessary for a specific service and processed with an appropriate legal basis.
3. Retention Required by Law
We delete or de-identify personal data without undue delay once the retention period expires or the purpose of processing has been achieved. Where Korean e-commerce law requires retention, we store the relevant records separately as follows:
|
Record |
Legal Basis |
Retention Period |
Examples of Retained Data |
| Advertising records |
Korean Act on Consumer Protection in Electronic Commerce, Etc. |
6 months |
Advertising and promotion content, dispatch/publication records, relevant consent records. |
| Contract and withdrawal records |
Korean Act on Consumer Protection in Electronic Commerce, Etc. |
5 years |
Customer and recipient information, order number, order, cancellation, return and exchange records. |
| Payment and supply records |
Korean Act on Consumer Protection in Electronic Commerce, Etc. |
5 years |
Order number, product information, payment authorization/cancellation/refund records and delivery/supply records. |
| Consumer complaint and dispute records |
Korean Act on Consumer Protection in Electronic Commerce, Etc. |
3 years |
Customer inquiries, support communications, resolution records and dispute-response records. |
After account closure, we may retain the minimum information necessary to prevent fraudulent registration or transactions, resolve disputes and protect the Services for up to one year. That information will not be used for other purposes.
4. Disclosure of Personal Data
We do not sell personal data for monetary consideration. We do not disclose personal data to third parties except as described in this Notice, with your consent, to perform a contract, to comply with law, or where otherwise permitted by applicable law.
If we conduct a joint promotion, affiliate event, social-media integration or other activity requiring a separate disclosure of personal data, we will provide the required information about the recipient, purpose, categories of data, retention period and any choice available to you before the disclosure where required by law.
The service providers described in Section 5 may process personal data to provide the Services. Depending on the service and applicable law, they may act as processors on our behalf or process data under their own privacy notices and legal obligations.
5. Service Providers and Shopify
We engage service providers to operate the Store and fulfill orders. We require appropriate contractual, organizational and technical safeguards where applicable.
|
Service Provider / Category |
Service |
Personal Data Processed |
| Shopify Commerce Singapore Pte. Ltd., Shopify Inc., Shopify International Limited, and Shopify affiliates and authorized subprocessors |
Online-store platform, account and order management, hosting, security and technical support. |
Account, contact, order, shipping, customer-service, device and usage information. |
| Payment providers made available at checkout |
Payment authorization, fraud prevention, cancellation and refunds. |
Payment token or authorization information, transaction details and order information. |
| Shipping carriers and logistics providers identified at checkout or in delivery communications |
Delivery, tracking, return and exchange collection. |
Recipient name, address, contact details, order and delivery information. |
| Customer-support, messaging and IT service providers, where engaged |
Customer support, transaction notices, service operation and security. |
Contact details, order information, support records and usage information. |
| Analytics and advertising partners, where enabled |
Analytics, performance measurement, personalized advertising and audience management. |
Online identifiers, cookie data, device information, page views, clicks and conversion events. |
Relationship with Shopify
The Store is powered by Shopify. Shopify generally processes customer personal data as a service provider or processor to help us operate the Store. Where we enable Shopify Network Intelligence or Shopify Enhanced Services, Shopify may process certain personal data as an independent controller or business for the purposes described in Shopify’s applicable privacy materials. Where required, we provide a link to Shopify’s privacy resources and a way to exercise applicable choices or rights. The conditional wording in this paragraph applies only to the extent such features are enabled for the Store.
6. International Data Transfers
THUG CLUB is based in the Republic of Korea. We may transfer, store or process personal data in Korea and other countries where Shopify, our service providers and their authorized subprocessors operate. We apply the safeguards required by applicable law for such transfers.
| Recipients |
Shopify Commerce Singapore Pte. Ltd., Shopify Inc., Shopify International Limited, Shopify affiliates and authorized subprocessors. |
| Countries / Regions |
Singapore, Canada, the United States, Ireland and other countries where Shopify affiliates and authorized subprocessors operate. |
| Purpose and Method |
Store hosting, account and order management, security, technical support and customer-service operation. Transfers occur electronically on an ongoing basis when you browse the Store, create an account, place an order or use related Services. |
| Personal Data |
Account, contact, order, shipping and customer-service information; access and usage records; browser and device information. |
| Retention |
Until account closure, the purpose is achieved or the relevant service-provider engagement ends, subject to statutory retention periods. |
| Transfer Safeguards |
Where required, we rely on legally recognized transfer mechanisms, including adequacy decisions, contractual protections such as Standard Contractual Clauses, consent or other lawful mechanisms. |
| Contact / Subprocessors |
Shopify Support and the current Shopify subprocessor information are available through Shopify’s help and privacy resources. |
| Effect of Refusal |
These transfers may be necessary to operate the Store and fulfill orders. If you object to a necessary transfer, certain Services, including account creation, ordering, payment and delivery, may not be available. |
If you are located in the EEA, UK or Switzerland, you may obtain information about applicable transfer safeguards by contacting us. You may also review Shopify’s privacy resources for data that Shopify processes for its own purposes.
7. Deletion and Destruction of Personal Data
When the retention period expires or the purpose of processing has been achieved, we delete or destroy personal data without undue delay. Where data must be retained by law, we store it separately from other personal data.
• Electronic records are deleted using methods designed to make recovery or reconstruction impracticable.
• Paper records are destroyed by shredding or incineration.
8. Your Rights and How to Exercise Them
Depending on applicable law, you may have rights to request access to, correction of, deletion of, restriction of or objection to processing of your personal data; to receive a portable copy of certain data; and to withdraw consent. You may also manage certain account information and marketing preferences through the Store, where available.
To exercise your rights, contact our Privacy Officer or the access-request team identified in Section 12 by email or in writing. We may ask for information needed to verify your identity. We will respond within the period required by applicable law, subject to any legal limitations.
For residents of certain U.S. states, certain data sharing may be considered “sale,” “sharing” or “targeted advertising.” Where applicable, you may opt out through the Store’s Your Privacy Choices page. Where required by law, we also recognize a Global Privacy Control (GPC) signal as an opt-out request for the browser and device that sends the signal.
Where applicable law permits, you may appoint an authorized agent to make a request on your behalf. We may require evidence of authority and may verify your identity directly. We do not discriminate against you for exercising privacy rights. If you are in the EEA, UK or Switzerland, you may also have the right to lodge a complaint with your local data-protection authority.
We do not make decisions based solely on automated processing that produce legal or similarly significant effects without appropriate safeguards. Where such processing occurs and applicable law grants you rights, you may request relevant information, human review or challenge the decision.
9. Cookies, Online Identifiers and Targeted Advertising
We use cookies, pixels, tags and similar technologies for essential Store functions, security, analytics, service improvement and, where enabled, advertising. These technologies may collect IP address, browser and device information, online identifiers, pages viewed, clicks, searches, shopping activity and conversion events.
Essential cookies may be used to provide functions such as account access, shopping carts and security. Where required by law, we seek your consent before using non-essential cookies or similar technologies. You can manage non-essential cookies through the Store’s cookie settings, your browser settings or the Store’s Your Privacy Choices page, where available.
Rejecting or deleting non-essential cookies does not prevent basic use of the Store, but may affect certain features such as persistent login sessions, carts or personalization.
10. Security Measures
We use reasonable technical, administrative and organizational measures designed to protect personal data, including:
• internal privacy-management procedures and personnel training;
• least-privilege access controls and periodic access reviews;
• secure transmission, authentication safeguards and security software where appropriate;
• logging, monitoring and investigation of unusual or unauthorized activity; and
• contractual safeguards and oversight for service providers.
No method of transmission or storage is completely secure. We cannot guarantee absolute security, and information sent through unsecured channels may be exposed in transit.
11. Children
The Store is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16 without appropriate consent or another lawful basis. If you believe that a child has provided personal data in violation of applicable law, please contact us.
12. Privacy Officer, Access Requests and Complaints
| Privacy Officer |
Jiyul Kwon / THUG CLUB Co., Ltd. |
| Privacy and Customer Support Team |
CX / Customer Support |
| Access-Request Team |
CX / Customer Support |
| Email |
cs@thugclub.com |
| Telephone |
No dedicated telephone customer-service line is operated. Please submit privacy inquiries and rights requests by email. |
| Address |
43 Hoenamu-ro, Yongsan-gu, Seoul 04344, Republic of Korea. |
For questions, complaints, requests or concerns about this Notice or your personal data, please contact us using the details above. We will handle requests without undue delay in accordance with applicable law.
13. Remedies and Regulatory Contacts
If you need advice or assistance concerning a personal-data incident, you may contact the relevant supervisory authority in your jurisdiction. In the Republic of Korea, the following organizations may also be contacted:
• Personal Information Infringement Report Center: privacy.kisa.or.kr / 118 (Korea)
• Personal Information Dispute Mediation Committee: kopico.go.kr / 1833-6972 (Korea)
• Prosecution Service: spo.go.kr / 1301 (Korea)
• National Police Agency: ecrm.police.go.kr / 182 (Korea)
14. Changes to This Global Privacy Notice
We may amend this Notice when our services, technology, legal obligations or data-processing practices change. For material changes, we will provide notice at least 30 days before the effective date where required by law. For other changes, we will provide notice at least 7 days before the effective date through the Store or another appropriate method.
This Global Privacy Notice is effective as of 06 July 2026.