Monito Privacy Policy
Grepp, Inc. (hereinafter "the Company") complies with the Personal Information Protection Act and applicable laws and regulations to lawfully process and safely manage personal information in order to protect the freedom and rights of users. In accordance with Article 30 of the Personal Information Protection Act, the Company establishes and discloses the following Privacy Policy to inform users of the procedures and standards for the processing and protection of personal information and to enable prompt and smooth handling of related grievances.
Key Personal Information Processing Labels
The Company collects personal information for the following purposes. The collected personal information shall not be used for purposes other than those listed below, and prior consent shall be obtained in the event of any change in the purpose of use.
1. Website Membership Registration and Management
Identity verification and confirmation of intent to register for membership-based services; maintenance and management of membership qualifications; prevention of unauthorized and illegal use of services; processing of inquiries and consultations; issuance of various notices and notifications; handling of grievances; resolution of disputes.
2. Provision of Goods and Services
Individual identification for the provision of content such as assessments; transmission of information generated during service use (e.g., assessment results); communication between members; purchase of services and payment of fees; dispatch of contracts and invoices; provision of content; dispatch of goods and supporting documents.
3. Marketing and Advertising
Provision of personalized services; service guidance and recommendation; collection of statistics and access frequency data for service improvement and new service development; placement of advertisements based on statistical characteristics; provision of event information and participation opportunities; statistical analysis for employment and job market trend research; data analysis for service enhancement.
① In processing personal information, the Company categorizes and notifies users as follows: (1) Items processed without consent (e.g., legal compliance, conclusion and performance of contracts); (2) Items processed with consent (e.g., optional services, marketing); (3) Items collected pursuant to a statutory basis.
| Category | Purpose of Collection | Items Collected | Legal Basis |
|---|---|---|---|
| Corporate Membership Registration | Membership registration and management | Name, email address (user ID), password, mobile phone number, DI | Performance of contract (Personal Information Protection Act, Art. 15(1)(ii)) |
| Paid Service (Card Payment) | Payment processing | Card issuer name, card number, card expiry date, (optional) email address | Legal obligation (Act on Consumer Protection in Electronic Commerce, Art. 6); Performance of contract (Personal Information Protection Act, Art. 15(1)(ii)) |
| Paid Service (Wire Transfer) | Payment processing | Depositor name, bank name, (optional) email address | Legal obligation (Act on Consumer Protection in Electronic Commerce, Art. 6); Performance of contract (Personal Information Protection Act, Art. 15(1)(ii)) |
| Inquiries | Handling of inquiries and consultations | Company name, industry, name, company phone number, email address | Performance of contract (Personal Information Protection Act, Art. 15(1)(ii)) |
| Examination Taking | Recruitment procedures | Name, email address (user ID), (for recruitment examinations) test results submitted to the prospective employer | Performance of contract (Personal Information Protection Act, Art. 15(1)(ii)) |
| Examinee Proctoring | Prevention of misconduct | Computer screen recordings; video footage captured via webcam or mobile device camera | Consent (Personal Information Protection Act, Art. 15(1)(i)); Performance of contract (Personal Information Protection Act, Art. 15(1)(ii)) |
| Examinee Identity Verification | Identity verification | Name, date of birth, examinee photograph (via webcam or mobile device camera), copy of identity document | Legal obligation (Personal Information Protection Act, Arts. 24-2 and 15(1)(ii)) |
| Marketing Consent | Transmission of promotional and event information | Email address, name, contact information, company name, industry | Legal obligation (Personal Information Protection Act, Art. 15(1)(i); Act on Promotion of Information and Communications Network Utilization and Information Protection, Art. 50) |
1. The Company collects personal information within the minimum scope necessary for service provision, with the user's consent and in accordance with applicable legal bases. All collected personal information is used only within the scope of the notified purposes.
2. With respect to the collection of personal information, essential items such as name and email address required for core service provision are collected as items processed without consent under "performance of contract" or "legal compliance." All other personal information is classified as items processed with consent, and individual consent procedures are established. Certain items may also be collected pursuant to a statutory basis and processed without separate consent in such cases.
3. Users have the right to refuse consent to the collection and use of personal information. However, if consent is refused for items processed with consent, the use of services related to those items may be restricted. Items processed without consent, such as those required for the performance of a legal obligation or a contract, may be processed without separate consent.
② The methods of collecting personal information are as follows:
1. Collection online through website membership registration and via telephone or email.
2. Provision to identity verification agencies or payment gateway (PG) companies following consent to third-party disclosure.
The Company retains and uses personal information for the period notified and agreed upon. Upon achievement of the purpose of collection and use, expiration of the retention period, or withdrawal of the user's consent to collection and use, the collected personal information is destroyed without delay. However, where retention is required under applicable laws and regulations or pursuant to internal policies, only the minimum period and items necessary for the achievement of the purpose are retained.
1. For members: The retention and use period of personal information runs from the conclusion of the online/mobile service agreement (membership registration) until the termination of the service agreement (withdrawal request).
2. For corporate examination candidates: Of the personal information collected for the performance of its contract with the corporate client, the Company retains personal information other than the candidate number for two (2) years from the date of the last examination sitting, after which it is automatically deleted or anonymized.
3. Separately consented items: Where separate consent has been obtained from the data subject pursuant to the applicable service, the retention and use period of the relevant personal information shall be as notified at the time of consent to collection.
4. Dispute-related: In the event of a civil complaint, lawsuit, or other dispute between the Company and a user, personal information may be retained and used until the dispute is resolved.
5. Retention pursuant to applicable laws: Where retention is required by law, personal information is retained and used for the period prescribed by the relevant law.
| Information Retained | Retention Period | Basis for Retention (Statute and Provision) |
|---|---|---|
| Records relating to labeling and advertising | 6 months | Act on Consumer Protection in Electronic Commerce, Art. 6 and Enforcement Decree thereof, Art. 6(1)(i) |
| Records relating to contracts or withdrawal of offers | 5 years | Act on Consumer Protection in Electronic Commerce, Art. 6 and Enforcement Decree thereof, Art. 6(1)(ii) |
| Records relating to payment and supply of goods and services | 5 years | Act on Consumer Protection in Electronic Commerce, Art. 6 and Enforcement Decree thereof, Art. 6(1)(iii) |
| Records relating to consumer complaints or dispute resolution | 3 years | Act on Consumer Protection in Electronic Commerce, Art. 6 and Enforcement Decree thereof, Art. 6(1)(iv) |
| Service usage records, access logs, access IP information | 3 months | Protection of Communications Secrets Act, Art. 15-2 and Enforcement Decree thereof, Art. 41 |
| Records of cash receipts and tax invoices | 1 year | Value-Added Tax Act, Art. 71(3) (Books and tax invoices retained for 1 year) |
| Transaction records including tax invoices and receipts | 5 years | Value-Added Tax Act, Art. 71(3); Framework Act on National Taxes, Art. 85-3 (Tax invoices and receipts retained for 5 years after the final tax return deadline) |
① The Company processes personal information only within the scope specified in Article 1 of this Privacy Policy and discloses personal information to third parties only in cases falling under Article 17 (Provision of Personal Information) of the Personal Information Protection Act, such as the user's consent or special provisions of law.
② The Company discloses personal information to third parties as follows (a list of recipients is available on a separate screen by clicking the link):
| Recipient | Purpose of Disclosure | Information Disclosed | Retention and Use Period |
|---|---|---|---|
| Examination administering and participating institutions | Examinee proctoring | Computer screen recordings; video footage captured via webcam or mobile device camera | 30 days after the end of the examination |
| Examination administering and participating institutions | Examinee identity verification | Name, date of birth, examinee photograph captured via webcam or mobile device camera, masked copy of identity document | 35 days after the end of the examination |
③ Personal information may also be disclosed where required under Article 18 of the Personal Information Protection Act or upon request by a law enforcement agency for investigative purposes in accordance with the procedures and methods prescribed by law.
④ Users may refuse to consent to third-party disclosure and may withdraw consent at any time. However, certain services based on third-party disclosure may be restricted, and withdrawal may be limited in the following circumstances (statutory obligations, risk of infringement of others' rights, difficulty in performing a contract, etc.).
① The Company entrusts personal information processing tasks to external specialized vendors as follows in order to provide smoother services to users, and does not entrust personal information to third parties without the user's prior consent. However, where a user uses the Monito login service or services of external affiliated companies, the Company may entrust personal information to third parties within the necessary scope after obtaining the user's consent, and where overseas services are used, the Company either notifies users of the trustee and the country of transfer or obtains separate consent before transferring personal information overseas.
1. Domestic Entrustment Status of Personal Information Processing
2. Overseas Entrustment Status of Personal Information Processing
② When entering into entrustment agreements, the Company specifies in the contract or other documents matters relating to: prohibition of processing personal information for purposes other than those of the entrusted tasks; technical and administrative safeguards; restrictions on re-entrustment; supervision and oversight of trustees; and liability for damages, among others. The Company also supervises and oversees whether the trustee processes personal information in a secure manner.
③ In the event of any change in the content of entrusted tasks or the trustee, such changes are disclosed through this Privacy Policy without delay.
The Company destroys personal information upon achievement of the purpose of collection and use or expiration of the retention period. The procedures and methods for destruction are as follows. However, exceptions apply where retention is required under other applicable laws (the items and basis for retention of personal information retained pursuant to other laws are available in 'Article 3 Retention and Use Period of Personal Information').
Destruction Procedures
Personal information for which the purpose of collection and use has been achieved is destroyed without delay. Where retention is required under applicable laws and regulations, the information is transferred to a separate database (DB) and, after being securely retained for a specified period (see retention and use period of personal information) in compliance with internal regulations and applicable laws, destroyed without delay. Personal information transferred to the DB is not used for any other purpose except as required by law.Destruction Methods
Personal information stored in electronic file format is deleted using technical methods that render the records unrecoverable. Personal information recorded or printed on paper is destroyed by shredding or incineration.
① Users may exercise rights against the Company at any time, including the right to access, correct, delete, or request suspension of processing of personal information; withdrawal of consent; and the right to object to or request an explanation of automated decisions (hereinafter "exercise of rights"). However, the exercise of rights may be restricted in the following cases, among others:
1. Where there is a special provision in law or compliance with a statutory obligation is unavoidable.
2. Where there is a risk of harm to the life or body of another person, or of unjustifiably infringing upon the property or other interests of another person.
3. Where, in cases in which failure to process personal information would make it impossible to provide the services agreed upon with the data subject, the data subject has not clearly expressed an intention to terminate the relevant contract.
② The exercise of rights may be made to the Company via email or other means pursuant to Article 41(1) of the Enforcement Decree of the Personal Information Protection Act, and the Company shall take action without delay.
1. Users may directly access, correct, or delete their personal information at any time through [My Page > Account Management] on the website, or request access via [FAQ/Inquiries].
2. Users may withdraw consent to the collection and use of personal information at any time through [Membership Withdrawal].
③ Rights may also be exercised through a legal representative or an authorized agent of the user. In such cases, a power of attorney in the form prescribed by Annex 11 of the 'Notification on Personal Information Processing Methods' must be submitted.
④ The right to request access to or suspension of processing of personal information may be restricted pursuant to Article 35(4) and Article 37(2) of the Personal Information Protection Act.
⑤ Where personal information is expressly designated as a subject of collection under another law, deletion of such personal information may not be requested.
⑥ The Company verifies whether the person exercising rights is the data subject or a duly authorized agent.
⑦ Users may exercise rights through the department listed below, and the Company shall endeavor to ensure prompt processing of such requests:
1. Department for receipt and processing of requests for access to personal information: C/S Department
2. Contact: 1533-1886
3. Email: privacy@grepp.co
① The Company uses "cookies" that store and frequently retrieve user information regarding the use of the Monito service in order to provide personalized and customized services. Cookies are small pieces of information transmitted from the server operating the website to the user's browser and may be stored on the user's computer or mobile device, and are automatically sent to the server upon access to the website.
② The Company may collect users' unique identifiers (User IDs) and service usage records through cookies, which are used for the following purposes:
1. Analysis of access frequency and visit time of members and non-members.
2. Identification of users' areas of interest and tracking of usage behavior.
3. Analysis of event participation rates and visit frequency.
4. Provision of personalized services.
③ Users have the option to choose whether to allow cookie installation. Users may allow all cookies, require confirmation each time a cookie is stored, or refuse all cookie storage through their web browser's options settings. However, refusing cookie storage may restrict the provision of certain personalized services.
1. Chrome: Browser menu (upper right, ⋮) > Settings > Privacy and security > Clear browsing data / Third-party cookies > Block third-party cookies
2. Microsoft Edge: Browser menu (upper right, ⋮) > Settings > Privacy, search, and services > Cookies > Disable "Allow sites to save and read cookie data (recommended)"
3. Safari (iOS): Settings > Safari > Advanced > Block All Cookies
4. Samsung Internet: Browser menu (lower, ≡) > Privacy > Enable Secret Mode
④ The Company may also collect user information through "sessions" in the course of providing services. A session is a temporary file transmitted from the server to the user's device while the user is accessing the site; it is used to maintain the connection and is automatically deleted upon closing the browser.
⑤ Data subjects may refuse the collection, use, and provision of behavioral information by changing the settings of their browser or mobile device. Please refer to the browser-specific cookie settings guidance above for detailed instructions.
⑥ The Company does not collect behavioral information or use it for targeted advertising. However, if such use becomes necessary in the future, notice will be provided in the Privacy Policy.
The Company implements the following technical and administrative safeguards to ensure the security of personal information and to prevent loss, theft, leakage, forgery, alteration, or damage of personal information in the course of processing.
Establishment and Implementation of Internal Management Plans
Internal management plans for the protection of personal information are established and implemented to ensure the secure processing of personal information.Minimization and Training of Personal Information Handlers
Personnel authorized to handle personal information are designated and managed, and training on secure management is provided to such personnel.Restriction of Access to Personal Information
Necessary access control measures are implemented by granting, modifying, and revoking access privileges to database systems that process personal information.Retention of Access Records
Records of access to personal information processing systems are retained and managed for a minimum of two (2) years.Encryption of Personal Information
Personal information that is required to be stored in encrypted form under applicable laws is securely stored and managed by applying a secure encryption algorithm.Installation and Periodic Inspection of Security Programs
Security programs are installed and periodically inspected to prevent leakage and damage of personal information caused by hacking or computer viruses.
① The Company designates a personal information protection department as set out below to take overall responsibility for personal information processing operations and to handle complaints and provide remedies related to the processing of personal information by the data subject. For any inquiries regarding personal information, please contact the Personal Information Protection Officer below.
- Personal Information Protection Officer: Lim Sung-su (CEO)
- Contact: 1533-1886
- Email: privacy@grepp.co
② The following agencies are independent of the Company. If you are not satisfied with the Company's own personal information complaint handling or remedy results, or if you require more detailed assistance, please contact these agencies:
- Personal Information Dispute Mediation Committee: 1833-6972 (no area code) (www.kopico.go.kr)
- Personal Information Infringement Report Center: 118 (no area code) (privacy.kisa.or.kr)
- Supreme Prosecutors' Office Cyber Investigation Division: 1301 (no area code) (www.spo.go.kr)
- National Police Agency Cyber Investigation Bureau: 182 (no area code) (cyberbureau.police.go.kr)
The Company operates and manages video information processing devices at its headquarters as follows.
Video Surveillance Systems Operation and Management Policy
The Company's Privacy Policy may be amended in accordance with changes in laws and guidelines and the Company's terms and internal policies. In the event of any amendment, the Company shall disclose the amended content through the Company's website or by email in accordance with Article 30 of the Personal Information Protection Act and Article 31 of its Enforcement Decree.
Effective Date: June 22, 2026
Privacy Policy Amendment History

