Privacy Policy
Last modified: June 16, 2026Effective date: July 20, 2026
📣
Upcoming Policy Change
This policy will be updated on July 20, 2026 in connection with the introduction of short-term rental services and the revision of our cookie policy.
The current policy remains in effect until the effective date.
House Sarah Co., Ltd. (hereinafter 'the Company') respects the privacy rights of its users. In providing services through WECO STAY (www.wecostay.com) (hereinafter 'the Site'), the Company establishes and discloses this Privacy Policy in accordance with Article 30 of the Personal Information Protection Act and relevant laws and regulations, in order to protect users' personal information and to handle related complaints promptly and smoothly.
For users in the Republic of Korea, the Company complies with the Personal Information Protection Act ("PIPA"). For users residing in the European Union (EU) and European Economic Area (EEA), the Company complies with the General Data Protection Regulation ("GDPR"). Unless otherwise stated, this policy applies to all users of WECO STAY services worldwide. Where GDPR applies, additional rights and obligations under the GDPR are described in Article 9.
For users in the Republic of Korea, the Company complies with the Personal Information Protection Act ("PIPA"). For users residing in the European Union (EU) and European Economic Area (EEA), the Company complies with the General Data Protection Regulation ("GDPR"). Unless otherwise stated, this policy applies to all users of WECO STAY services worldwide. Where GDPR applies, additional rights and obligations under the GDPR are described in Article 9.
1. Data Controller
1.1 Primary Data Controller
When this Privacy Policy refers to 'the Company,' it refers to House Sarah Co., Ltd. ('Data Controller'), which is responsible for your personal information under this Privacy Policy. House Sarah Co., Ltd. operates WECO STAY (www.wecostay.com) and provides through that site the serviced-residence service 'WECO STAY' and the short-term rental service 'WECO LIVING.' Where GDPR applies, the Company acts as the Controller of your personal information in accordance with this policy.
1.2 Payment Data Controller
This Privacy Policy also applies to the payment services provided to users by Danal, KG Inicis, and Paymentwall under the Payment Service Terms ('Payment Terms'). When using payment services, users provide their personal information to those payment service providers, and each provider is generally responsible for users' payment-related information based on the user's country of residence.
Each payment service provider may process users' payment-related information as an independent data controller (or joint data controller) in accordance with applicable laws and their own privacy policies. Please refer to each payment service provider's privacy policy for details.
Each payment service provider may process users' payment-related information as an independent data controller (or joint data controller) in accordance with applicable laws and their own privacy policies. Please refer to each payment service provider's privacy policy for details.
2. Personal Information Collected and Methods of Collection
2.1 Information Required to Use the Service
The Company collects users' personal information when they use the service. Without this information, the Company may be unable to provide the requested services. This includes the following.
2.1.1 Contact, Account, and Profile Information
User's name, phone number, mailing address, email address, date of birth, and profile photo. Some of this information may vary depending on the features used. The Company strives to collect only the minimum personal information necessary for service provision.
2.1.2 Identity Information
Where appropriate, the Company may request images from government-issued identification documents (such as a national ID, passport, or driver's license) or other verification information such as date of birth, address, email address, phone number, digital identity data, and/or a selfie photo (subject to consent as required by applicable law). Where copies of identification documents are submitted, the Company extracts the relevant information from such documents. Original passport image and selfie photo files submitted are deleted from the server immediately upon completion of verification; only the verification status and timestamp are retained. Please refer to Section 9.8 for details. Where the Company collects and uses unique identification information such as resident registration numbers or alien registration numbers, it follows the separate notice and consent procedures required under Article 24-2 of the Personal Information Protection Act, and processes such information only within the scope permitted by law.
2.1.3 Payment Transaction Information
Payment account details, credit card information, bank account information, payment method used, payment date and time, transaction amount, payment method expiration date, billing ZIP code, PayPal email address, IBAN information, user's address, and other transaction-related details.
2.2 Information Voluntarily Provided by Users
Users may voluntarily provide the following additional personal information to the Company.
2.2.1 Additional Profile Information
Gender, preferred language, city, personal details, and other additional profile information.
2.2.2 Information About Others
Payment method or contact information belonging to another person, or information about accompanying travelers. By providing personal information about another person, the user confirms that they have the authority to provide such information to the Company for the purposes described in this Privacy Policy and that they have shared this Privacy Policy with that person.
2.2.3 Biometric Information (Sensitive Information)
If a user submits photos and identity documents for verification, facial recognition data extracted from those photos and documents may be collected (after obtaining separate explicit consent from the user as required by applicable law). For more information on identity verification using facial recognition, please see the Help Center. Because facial recognition data constitutes sensitive information (biometric information), separate explicit consent is obtained at the time of collection. Consent is optional and may be withdrawn at any time.
The above facial recognition data constitutes sensitive personal information under the Personal Information Protection Act and 'special categories of personal data' under Article 9 of the GDPR. The Company processes such information only within the scope permitted by applicable law and only on the basis of the user's explicit consent.
The Company does not disclose or provide such biometric information to third parties, except in the following circumstances:
• Where a lawful request is made by an investigative agency or administrative authority pursuant to applicable law
• Where explicit consent has been obtained from the user
If a user does not wish to have their biometric information disclosed, they may choose non-disclosure or withdraw consent by the following methods:
• Withdrawal of consent: The user may contact the customer service center (privacy@wecostay.com or telephone (+82) 2-2274-0337) to withdraw consent for biometric information processing at any time. Biometric information already processed will be destroyed immediately upon withdrawal of consent.
• Non-use of facial recognition authentication: If the user does not consent to facial recognition-based identity verification, they may choose not to use that feature. However, certain services may be restricted in that case.
Health information processed by the Company (such as information related to infectious diseases) is processed solely for the purpose of service provision and safety protection, and is not disclosed without the user's consent. If a user does not consent to the processing of health information or does not wish it to be disclosed, they may request non-disclosure through the customer service center (privacy@wecostay.com).
The above facial recognition data constitutes sensitive personal information under the Personal Information Protection Act and 'special categories of personal data' under Article 9 of the GDPR. The Company processes such information only within the scope permitted by applicable law and only on the basis of the user's explicit consent.
The Company does not disclose or provide such biometric information to third parties, except in the following circumstances:
• Where a lawful request is made by an investigative agency or administrative authority pursuant to applicable law
• Where explicit consent has been obtained from the user
If a user does not wish to have their biometric information disclosed, they may choose non-disclosure or withdraw consent by the following methods:
• Withdrawal of consent: The user may contact the customer service center (privacy@wecostay.com or telephone (+82) 2-2274-0337) to withdraw consent for biometric information processing at any time. Biometric information already processed will be destroyed immediately upon withdrawal of consent.
• Non-use of facial recognition authentication: If the user does not consent to facial recognition-based identity verification, they may choose not to use that feature. However, certain services may be restricted in that case.
Health information processed by the Company (such as information related to infectious diseases) is processed solely for the purpose of service provision and safety protection, and is not disclosed without the user's consent. If a user does not consent to the processing of health information or does not wish it to be disclosed, they may request non-disclosure through the customer service center (privacy@wecostay.com).
| Category | Details |
|---|---|
| Items Collected | Facial recognition data extracted from identity document (e.g., passport) images |
| Purpose of Processing | Identity verification |
| Retention Period | Destroyed immediately upon completion of verification (Original files — passport images and selfie photos — are deleted from the server immediately upon verification; only verification status and timestamp are recorded) |
| Consent Method | Separate explicit consent is obtained on the consent screen after clearly displaying: ① items collected ② purpose of collection/use ③ retention/use period ④ right to refuse consent and any disadvantages |
| Refusal of Consent | Optional and refusable. Certain services based on identity verification may be restricted if refused |
2.2.4 Communication Information
Emails, phone calls, messages, text messages, and other communications sent via or through the Site. Communication information may also include call recordings and transcripts, phone numbers, caller IDs, recipient numbers, account names, email addresses, forwarding numbers, communication dates and times, duration of communications, routing information, communication types, and other log information as required by applicable law.
2.2.5 User-Generated Content
Photos, videos, and other content that the user chooses to provide.
2.2.6 Customer Support Information
Call recordings and transcripts, chat information, and messages collected for the purpose of providing customer support services (including investigating and responding to user concerns and monitoring and improving customer support processes), as required by applicable law.
2.2.7 Other Information
Information provided when filling out forms, adding information to accounts, responding to surveys, participating in research, posting in community forums, participating in promotions, importing or manually entering address book contacts, providing addresses and/or locations, providing business information, or sharing experiences with the Company. This may also include health information that the user voluntarily shares with the Company. Such health information is processed solely for the purposes of service provision and safety protection, based on the user's consent, within the scope permitted by the Personal Information Protection Act and, where applicable, Article 9 of the GDPR, and is not disclosed without the user's consent.
2.3 Information Automatically Collected When Using the Site and Company Payment Services
The Company automatically collects personal information when users use the Site and payment services. This may include the following.
2.3.1 Location Information
Depending on the user's device settings, precise or approximate location determined using IP addresses, GPS from mobile or other devices, or other information provided by the user to the Company. If this feature is enabled through settings or device permissions, the Site may collect this information even when the app is not in use.
2.3.2 Site Usage Information
Listing searches, reservations made by the user, add-on services selected, access dates and times, pages viewed or used before or after using the Site, pages or content viewed or clicked, and other actions performed on the WECO STAY platform such as links to third-party applications. The Company may collect this information even if the user has not created a Site account or is not logged in.
2.3.3 Device Information
IP address, hardware and software information, device information, device event information, unique identifiers, crash data, and message confirmation status. The Company may collect this information even if the user has not created a Site account or is not logged in.
2.3.4 Cookies and Similar Technologies
The Company uses cookies and similar technologies for website operation, service improvement, user behavior analysis, and advertising performance measurement. Cookies collected are classified as: essential cookies necessary for service operation, analytics/statistics cookies for visitor statistics and usage behavior analysis, and marketing cookies for personalized advertising. Cookies other than essential cookies are only collected with the user's prior consent. Please refer to Article 15 'Cookie Policy and Consent Management' for details.
2.4 Personal Information Collected by the Company from Third Parties
The Company may collect personal information from the following other sources.
2.4.1 Third-Party Applications
If the user chooses to connect, access, or log in to the Site using third-party services such as Google, Facebook, or WeChat, they are directing those services to send to the Site information managed by those services or authorized by the user through their privacy settings (such as registration information, friend lists, and profile information). If a smart door lock is connected to the Site account, the Company may collect information about the smart device, such as log or event information and device information.
2.4.2 Corporate Product Invitations and Account Management
Organizations using the Company's corporate products may submit personal information to facilitate invitations for account management and use of corporate products.
2.4.3 Referrals and Accompanying Travelers
If the user has been invited to the Site as an accompanying traveler or otherwise, the person who extended the invitation may submit the user's personal information.
2.4.4 Complainants
If a guest or third party files a complaint about the user, the Company may receive information related to the specific complaint in order to understand the complaint and, where relevant, address it.
2.4.5 Financial Institutions
If the user chooses to make a payment by bank account transfer, the Company may receive certain information such as bank account details and account balance from the user's financial institution.
2.4.6 Installment Payment and Financing Service Providers
If the user purchases a reservation and chooses an installment payment method, the Company may receive certain information such as the actual payment amounts in accordance with the payment schedule and approved payment plan from the third-party provider.
2.4.7 Other Sources
To the extent permitted by applicable law, the Company may obtain additional information about the user — such as identity information, demographic data, or information helpful in detecting fraud and safety issues — from (i) third-party service providers, other third parties, and/or partners, or (ii) members and other individuals, organizations, and authorities, and may combine such information with information the Company already holds about the user. For example, the Company may obtain identity verification results or fraud alerts from identity verification service providers to use in fraud prevention, security investigations, and risk assessment activities. The Company may receive information about the user and the user's activities on and off the Site from Site users, the general public, government agencies, public institutions, or tax authorities; certain public information such as social media posts or profiles; or information from partners about the user's experience and interactions. The Company may receive health information such as information related to infectious diseases. Such indirect collection occurs only within the scope permitted by applicable law, and where GDPR applies, the Company fulfills its notification obligations under Article 14 of the GDPR.
3. Purposes of Use of Personal Information
The Company uses personal information as described in this Privacy Policy.
3.1 Provision of the Site
The Company may process this information for the following purposes:
• Enabling users to access the Site and make reservations and payments or receive payments
• Enabling users to communicate and interact with others
• Responding to and processing user requests
• Providing customer support services
• Sending messages, updates, security alerts, account notifications, and similar communications
• Supporting users' use of Company products and accommodation services
• Enabling users to access the Site and make reservations and payments or receive payments
• Enabling users to communicate and interact with others
• Responding to and processing user requests
• Providing customer support services
• Sending messages, updates, security alerts, account notifications, and similar communications
• Supporting users' use of Company products and accommodation services
3.2 Improvement and Development of the Site
The Company may process this information for the following purposes:
• Conducting analytics, debugging, and research
• Developing and improving products and services
• Providing customer service training
• Conducting analytics, debugging, and research
• Developing and improving products and services
• Providing customer service training
3.3 Personalization of the Site
The Company may process this information for the following purposes:
• Personalizing the user experience based on interactions with the WECO STAY platform, search and reservation history, profile information and preferences, and other information the user chooses to provide
• Customizing the user's experience when using the Site
• Personalizing the user experience based on interactions with the WECO STAY platform, search and reservation history, profile information and preferences, and other information the user chooses to provide
• Customizing the user's experience when using the Site
3.4 Protecting the Site and Community
The Company may process this information for the following purposes:
• Conducting research on and combating discrimination in accordance with the Site's anti-discrimination policy
• Detecting, preventing, assessing, and resolving fraud and security risks
• Protecting the community from illegal activities or other conduct described on the Site's safety policy page, including policies on illegal and prohibited activities
• Verifying or authenticating information provided by users (including identity information)
• Conducting checks using databases and other information sources such as identity verification services
• Complying with legal obligations, and promoting the health and safety of guests and the general public
• Complying with laws, responding to legal requests, preventing harm, and protecting the Company's rights
• Enforcing the Site's Terms and Conditions, anti-discrimination policy, and other applicable policies
• Conducting research on and combating discrimination in accordance with the Site's anti-discrimination policy
• Detecting, preventing, assessing, and resolving fraud and security risks
• Protecting the community from illegal activities or other conduct described on the Site's safety policy page, including policies on illegal and prohibited activities
• Verifying or authenticating information provided by users (including identity information)
• Conducting checks using databases and other information sources such as identity verification services
• Complying with legal obligations, and promoting the health and safety of guests and the general public
• Complying with laws, responding to legal requests, preventing harm, and protecting the Company's rights
• Enforcing the Site's Terms and Conditions, anti-discrimination policy, and other applicable policies
3.5 Provision, Personalization, Performance Measurement, and Improvement of Advertising and Marketing
The Company may process this information for the following purposes:
• Sending promotions, advertisements, marketing messages, and other information
• Posting Company/Site advertisements on advertising platforms, personalizing them, measuring their performance, and improving them
• Managing referral programs, rewards programs, surveys, prize events, contests, and other promotional activities or events sponsored or conducted by the Company or third-party partners
• Analyzing characteristics and preferences to send promotional messages, marketing materials, advertisements, and other information that may be of interest to users
• Inviting users to events and related opportunities
• Sending promotions, advertisements, marketing messages, and other information
• Posting Company/Site advertisements on advertising platforms, personalizing them, measuring their performance, and improving them
• Managing referral programs, rewards programs, surveys, prize events, contests, and other promotional activities or events sponsored or conducted by the Company or third-party partners
• Analyzing characteristics and preferences to send promotional messages, marketing materials, advertisements, and other information that may be of interest to users
• Inviting users to events and related opportunities
3.6 Communication Analysis
3.6.1 Purpose
The Company may review, scan, or analyze communications made on or through the Site for purposes including safety, support, product improvement, and other reasons described in this Privacy Policy and the 'Reasons the Site Reviews Messages' section.
3.6.2 Method
Where reasonably possible, the Company uses automated methods. In some cases, communications may need to be manually reviewed for investigative and customer support purposes.
3.6.3 Non-Sale
The Company does not sell the results of its review and analysis of such communications.
3.7 Provision of Payment Services
Personal information is used for the following purposes to enable or authorize third parties to use payment services:
• Processing payments
• Performing contracts with users
• Conducting user identity verification
• Detecting and preventing money laundering, fraud, misuse, and security incidents
• Conducting security investigations and risk assessments
• Complying with applicable legal and regulatory obligations (including anti-money laundering regulations and sanctions compliance)
• Enforcing the Payment Terms and other payment policies
• Providing and improving payment services
• Processing payments
• Performing contracts with users
• Conducting user identity verification
• Detecting and preventing money laundering, fraud, misuse, and security incidents
• Conducting security investigations and risk assessments
• Complying with applicable legal and regulatory obligations (including anti-money laundering regulations and sanctions compliance)
• Enforcing the Payment Terms and other payment policies
• Providing and improving payment services
4. Third-Party Sharing and Disclosure of Personal Information
4.1 Sharing Based on User Consent or Instructions
Where the user consents to or instructs the Company to share personal information — such as by authorizing a third-party application or website to access their Site account, filing an insurance claim, applying for installment payment or financing services, or participating in promotional activities of the Company's partners or third parties — the Company will share the user's information in the manner described at the time of the user's consent or selection.
4.2 Recipients of Shared Information
4.2.1 Other Members
The Company may share certain information with other members to facilitate reservations, interactions, or other exchanges between members.
4.2.2 Company Business Program Partners
If a reservation is designated for business or work purposes and is made by a guest affiliated with a company enrolled in the Company's Business Program, the Company may disclose information related to that reservation to the company to the extent necessary for proper fulfillment of the contract with that company and for service provision. If requested by the company or the guest, the Company may also share such information with third parties hired by the company to provide support services.
4.2.3 Service Providers
The Company shares personal information with affiliated and non-affiliated service providers (including their service providers) to support the Company's business operations and to enable those providers to comply with applicable laws. This includes providers that support: (i) identity verification or credential validation; (ii) information checks through public databases; (iii) background checks, fraud prevention, security investigations, and risk assessments; (iv) product development, maintenance, and debugging; (v) provision of WECO STAY services through third-party platforms and software tools; (vi) customer service, advertising, or payment services; (vii) provision of additional services selected by the user; and (viii) processing of insurance claims or similar claims.
4.2.4 Corporate Affiliates
To support, integrate, promote, or improve the Site, payment services, and services of Company affiliates, the Company may share personal information with WECO STAY's headquarters (House Sarah Co., Ltd.) and group affiliates.
4.3 Reasons the Company Shares User Information
4.3.1 Creating Public Profiles
Information shared publicly on the Site may be indexed by third-party search engines. In some cases, users may disable this sharing feature in their account settings.
4.3.2 Legal Compliance, Responding to Legal Requests, Preventing Harm, and Protecting the Company's Rights
Where the Company reasonably determines it appropriate, it may disclose users' information or communication records to courts, law enforcement agencies, government authorities, tax authorities, authorized third parties, or other members, to the extent required or permitted by law, or for the following purposes: (i) to comply with legal obligations; (ii) to respond to valid legal requests; (iii) to respond to or resolve valid legal requests related to criminal investigations into allegations or suspicions of unlawful conduct; (iv) to enforce and administer contracts between the Company and members, such as Terms and Conditions; (v) to investigate potential violations of applicable law, including emergency situations; or (vi) in connection with actual or potential legal claims or proceedings involving the Company and/or third parties, to respond to requests under applicable law.
4.3.3 Business Transfers
If the Company initiates or is involved in a merger, acquisition, restructuring, asset sale, bankruptcy, or insolvency proceeding, the Company may sell, transfer, or share some or all of its assets, including user information, in connection with such a transaction. In such cases, the Company will notify users before their personal information is transferred and becomes subject to a different Privacy Policy.
5. Third-Party Partners and Linked Services
5.1 Connecting to Third-Party Services
Users may connect their Site account to certain third-party services such as social networks. If the user instructs data sharing through such a connection, the following applies:
• Some information provided to the Site from the connected account may be posted on the user's public profile.
• Information provided to the Company through account connections may be stored, processed, and transmitted for fraud prevention, security investigations, and risk assessment purposes.
• The Company will share information related to the user's reservations with third-party travel partners and rewards programs.
• Third-party service providers may process members' information as independent data controllers or joint data controllers in accordance with their own privacy policies; please refer to each provider's policy for details.
• Some information provided to the Site from the connected account may be posted on the user's public profile.
• Information provided to the Company through account connections may be stored, processed, and transmitted for fraud prevention, security investigations, and risk assessment purposes.
• The Company will share information related to the user's reservations with third-party travel partners and rewards programs.
• Third-party service providers may process members' information as independent data controllers or joint data controllers in accordance with their own privacy policies; please refer to each provider's policy for details.
5.2 Third-Party Service Terms
The Site may be partially connected to third-party services. The use of such services is subject to those providers' privacy policies, including the Google Maps/Earth Additional Terms and Conditions and the Google Privacy Policy.
6. Outsourcing of Personal Information Processing (Domestic and International)
6.1 Outsourcing Overview
For smooth service provision, the Company outsources personal information processing tasks as follows.
| Processor | Processing Task | Information Transferred | Retention Period |
|---|---|---|---|
| Danal, KG Inicis, Paymentwall | Payment processing | Payment-related information (card info, account info, etc.) | Until termination of outsourcing contract or membership withdrawal |
| NICE Information Service Co., Ltd. | Identity verification (SMS authentication) | Name, mobile phone number, date of birth | Destroyed immediately upon completion of verification |
| Channel Corporation and other messaging providers | Sending KakaoTalk notifications, SMS, LMS, and emails | Name, mobile phone number, email | Destroyed immediately after sending |
| Amazon Web Services (AWS) | Cloud server infrastructure operation | All information collected during service use | Until termination of outsourcing contract |
| Hanwha General Insurance (Commercial Liability Insurance) | Insurance claim processing |
6.2 Cross-Border Data Processing
The Company may outsource some personal information processing tasks to overseas processors for service provision purposes. In the case of overseas outsourcing, the Company notifies users in advance and obtains consent in accordance with Article 28-8 of the Personal Information Protection Act, disclosing the processor, the content of the outsourced tasks, the country of transfer, the date and method of transfer, the categories of personal information transferred, and the processor's purposes of use and retention period. The table below summarizes the main overseas outsourcing arrangements currently in effect. If overseas processors or outsourcing details change, the Company will notify users promptly through this Privacy Policy.
| Processor | Transfer Country | Processing Task | Categories of Personal Data Transferred | Retention Period |
|---|---|---|---|---|
| Google LLC | United States | Analysis of user service usage records, provision of personalized advertising and performance measurement, processing of service usage analytics cookie data | Cookie data (usage behavior information, etc.) | Until the purpose of outsourcing is achieved |
| HOUSE SARAH JAPAN | Japan | Same as above | Identity, payment transactions, communications, user-generated content, customer support, and information automatically collected during use of the WECO STAY platform and Company payment services | Same as above |
6.3 Management of Outsourcing Contracts
When entering into outsourcing contracts, the Company specifies in the contract documents in accordance with Article 26 of the Personal Information Protection Act: prohibition on processing personal information beyond the scope of the outsourced tasks, technical and administrative protection measures, restrictions on re-outsourcing, management and supervision of processors, and liability including indemnification. The Company supervises processors to ensure they handle personal information safely.
6.4 Changes to Outsourcing Status
If the content of outsourced tasks or the processor changes, the Company will promptly disclose such changes through this Privacy Policy.
7. Security Measures for Personal Information
In accordance with Article 29 of the Personal Information Protection Act, the Company implements the following security measures. Where GDPR applies, the Company implements appropriate technical and organizational protection measures at the level required by Article 32 of the GDPR.
※ The Company continuously implements and improves administrative, technical, and physical security measures to protect information from unlawful or unauthorized access, loss, destruction, and alteration.
| Category | Measures |
|---|---|
| Administrative Measures | Establishment and implementation of internal management plans, minimization of handling personnel and regular training, security pledges from processing personnel |
| Technical Measures | Access rights management and minimization, encryption of passwords and payment information, installation and regular updates of security programs, preservation of access records and prevention of falsification/alteration, vulnerability checks and remediation |
| Physical Measures | Access control for server rooms and data storage rooms, operation of locks to prevent unauthorized entry |
※ The Company continuously implements and improves administrative, technical, and physical security measures to protect information from unlawful or unauthorized access, loss, destruction, and alteration.
8. Change of Country of Residence (Controller Transfer Structure)
8.1 Applicable Data Controller
If the user changes their country of residence (or state, for U.S. residents), the Data Controller, Payment Data Controller, and/or Insurance Data Controller will be determined based on the new country of residence as of the date of the change, as described above.
8.2 Transfer Between Data Controllers
To facilitate this, the Data Controller that originally collected the user's personal information must transfer it to the newly determined Data Controller. The new Data Controller will continue to process personal information as described in this Privacy Policy.
8.3 Applicable Rights
The user's country (or state) of residence under applicable law may affect the rights available to the user.
9. User Rights and Methods of Exercise (Including GDPR Rights)
9.1 Rights (Access · Portability · Rectification · Erasure · Restriction · Withdrawal of Consent · Automated Decision-Making · Remedies)
Users may exercise the following rights against the Company at any time:
① Right of access: Users may request access to their personal information processed by the Company.
② Right to data portability: Users may request to receive their personal information held by the Company in a structured, commonly used, and machine-readable format, or, where technically feasible, to have it directly transferred to another data controller. This right applies where (i) the processing is based on consent or contract, and (ii) the processing is carried out by automated means. (Where GDPR applies, this corresponds to the right to data portability under Article 20 of the GDPR.)
③ Right to rectification or erasure: Users may request rectification or erasure of their personal information if it is inaccurate or incomplete. However, erasure may not be requested if the relevant personal information is specified as a subject of collection under other laws.
④ Right to restriction of processing: Users may request restriction of processing if they do not consent to the processing of their personal information or wish to stop processing. However, such requests may be refused where there is a special legal provision or where it is unavoidably necessary for contract performance.
⑤ Right to withdraw consent: Users may withdraw consent to the processing of their personal information at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
⑥ Right to object to automated decision-making and right to explanation: Where a decision made solely by automated processing has a significant impact on the user's rights or obligations, the user may object to such a decision or request an explanation. This includes, where applicable, the right regarding automated individual decision-making under Article 22 of the GDPR.
⑦ Right to remedies: Users have the right to obtain prompt and fair remedies for harm arising from the processing of their personal information.
① Right of access: Users may request access to their personal information processed by the Company.
② Right to data portability: Users may request to receive their personal information held by the Company in a structured, commonly used, and machine-readable format, or, where technically feasible, to have it directly transferred to another data controller. This right applies where (i) the processing is based on consent or contract, and (ii) the processing is carried out by automated means. (Where GDPR applies, this corresponds to the right to data portability under Article 20 of the GDPR.)
③ Right to rectification or erasure: Users may request rectification or erasure of their personal information if it is inaccurate or incomplete. However, erasure may not be requested if the relevant personal information is specified as a subject of collection under other laws.
④ Right to restriction of processing: Users may request restriction of processing if they do not consent to the processing of their personal information or wish to stop processing. However, such requests may be refused where there is a special legal provision or where it is unavoidably necessary for contract performance.
⑤ Right to withdraw consent: Users may withdraw consent to the processing of their personal information at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
⑥ Right to object to automated decision-making and right to explanation: Where a decision made solely by automated processing has a significant impact on the user's rights or obligations, the user may object to such a decision or request an explanation. This includes, where applicable, the right regarding automated individual decision-making under Article 22 of the GDPR.
⑦ Right to remedies: Users have the right to obtain prompt and fair remedies for harm arising from the processing of their personal information.
9.2 Managing Information
Users may access and update some of their personal information through their account settings. It is the user's responsibility to keep their information up to date.
9.3 Methods and Procedures for Exercising Rights
The above rights may be exercised by the following methods, and the Company will respond with the results of its actions without delay (in principle, within 10 days of receiving the request). Rights may be exercised by the data subject themselves or by their representative (legal representative or authorized agent). Where a representative exercises rights, documents proving the authority of representation (such as a power of attorney) must be submitted.
• Email: privacy@wecostay.com
• Phone: (+82) 2-2274-0337
• Mail: #206, 14 Changgyeonggung-ro 1-gil, Jung-gu, Seoul (House Sarah Co., Ltd.)
• Email: privacy@wecostay.com
• Phone: (+82) 2-2274-0337
• Mail: #206, 14 Changgyeonggung-ro 1-gil, Jung-gu, Seoul (House Sarah Co., Ltd.)
9.4 Rights of Legal Representatives
Where the Company processes the personal information of children under the age of 14, it obtains consent from the child's legal representative. Legal representatives may exercise all rights under Section 9.1 (access, portability, rectification/erasure, restriction of processing, withdrawal of consent, etc.) on behalf of children under 14. Where a legal representative exercises rights, documents proving their status as legal representative (such as a certificate of family relationships) must be submitted.
9.5 Right to Object to Automated Decision-Making
In some cases, users' access to the Site may be restricted through automated processing (see Section 3.4 of this policy). Users have the right to object to processing based solely on such automated decisions, and to request human intervention by a Company representative or to express their own views. To object, please contact privacy@wecostay.com or call (+82) 2-2274-0337. The Company will respond with the results of its review within 30 days of receiving the request. However, where there is a legitimate reason, this period may be extended by up to 30 days, up to two times, in which case the user will be notified in advance of the reason.
9.6 Legal Bases for Processing by Purpose
The Company processes users' personal information on the following legal bases:
① Performance of a contract: Processing necessary for service provision including reservations, payments, and customer support.
② Consent: Optional processing such as marketing, advertising, and biometric information (facial recognition).
③ Compliance with legal obligations: Fulfillment of statutory obligations such as anti-money laundering and tax requirements.
④ Legitimate interests: Processing for legitimate interests of the Company or third parties, such as fraud prevention, security, and service improvement, carried out only to the extent that it does not override the user's interests.
Each of the above legal bases is assessed in accordance with standards corresponding to those in the Personal Information Protection Act (Article 15, etc.) and the GDPR (Article 6). In particular, processing based on 'legitimate interests' is carried out only after a reasonable balancing test evaluating the impact on members' rights and freedoms.
① Performance of a contract: Processing necessary for service provision including reservations, payments, and customer support.
② Consent: Optional processing such as marketing, advertising, and biometric information (facial recognition).
③ Compliance with legal obligations: Fulfillment of statutory obligations such as anti-money laundering and tax requirements.
④ Legitimate interests: Processing for legitimate interests of the Company or third parties, such as fraud prevention, security, and service improvement, carried out only to the extent that it does not override the user's interests.
Each of the above legal bases is assessed in accordance with standards corresponding to those in the Personal Information Protection Act (Article 15, etc.) and the GDPR (Article 6). In particular, processing based on 'legitimate interests' is carried out only after a reasonable balancing test evaluating the impact on members' rights and freedoms.
9.7 Safeguards for International Data Transfers
The Republic of Korea received an adequacy decision from the European Union (EU) under Article 45 of the GDPR on December 17, 2021. Accordingly, the Company's transfer of personal information of EU/EEA users to servers located in Korea is in principle lawful without the need for separate Standard Contractual Clauses (SCCs). Where personal information is transferred to third-party service providers located outside Korea for service provision purposes, the Company uses appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46 of the GDPR.
9.8 Processing and Destruction of Passport and Selfie Photo Files
Original passport image and selfie photo files submitted for identity verification are deleted from the Company's servers immediately upon completion of the verification process. The Company does not retain original files and retains only a record of the verification completion status and timestamp. However, where a separate retention obligation is prescribed by applicable law, such information is retained for the period specified by that law. Biometric information (facial recognition data) is processed solely for verification purposes and is destroyed immediately upon completion of verification. Consent to the identity verification method is optional, and certain services may be restricted if consent is not given.
10. Retention Period and Criteria for Personal Information
10.1 Retention Period
The Company retains personal information for the period necessary or permitted under applicable law in light of the purposes for which it was originally collected and subsequently processed. The criteria for determining retention periods include the following:
• The duration during which the Company maintains an ongoing relationship with the user and provides services through the Site (e.g., while the user holds an account with the Company or continues to use the Site), and any period thereafter during which there is a legitimate need to retain the user's personal information
• Where the Company is subject to applicable legal, tax, or reporting or audit obligations — such as where the Company is required under anti-money laundering requirements to retain transaction records for a certain period before deletion
• Where retention of information is advisable in light of the Company's legal position, such as in relation to applicable statutes of limitations, litigation, or regulatory investigations
Based on the above criteria, the retention periods for each category of personal information processed by the Company are as follows. Personal information that must be retained under other laws shall be retained for the period prescribed by such laws before destruction, and in such cases, the relevant personal information or personal information files shall be stored and managed separately from other personal information. Where GDPR applies, the Company does not retain personal information beyond the period necessary for the purposes specified above, in accordance with Article 5(1)(e) of the GDPR (storage limitation principle).
• The duration during which the Company maintains an ongoing relationship with the user and provides services through the Site (e.g., while the user holds an account with the Company or continues to use the Site), and any period thereafter during which there is a legitimate need to retain the user's personal information
• Where the Company is subject to applicable legal, tax, or reporting or audit obligations — such as where the Company is required under anti-money laundering requirements to retain transaction records for a certain period before deletion
• Where retention of information is advisable in light of the Company's legal position, such as in relation to applicable statutes of limitations, litigation, or regulatory investigations
Based on the above criteria, the retention periods for each category of personal information processed by the Company are as follows. Personal information that must be retained under other laws shall be retained for the period prescribed by such laws before destruction, and in such cases, the relevant personal information or personal information files shall be stored and managed separately from other personal information. Where GDPR applies, the Company does not retain personal information beyond the period necessary for the purposes specified above, in accordance with Article 5(1)(e) of the GDPR (storage limitation principle).
| Processing Purpose | Personal Information Items | Retention Period |
|---|---|---|
| Membership registration and service provision | Name, email, phone number, date of birth, profile photo | Until membership withdrawal (destroyed immediately after withdrawal) |
| Identity verification | Passport image, selfie photo, facial recognition data | Destroyed immediately upon completion of verification (verification status and timestamp retained until membership withdrawal) |
| Location information | GPS and IP address-based location information | Until end of service use |
| Cookie and usage behavior analysis | Analytics and marketing cookie data | Upon withdrawal of consent or within 24 months of collection |
10.2 Shared Information
Information shared by users with other members (e.g., reviews, forum posts) may continue to be publicly posted on the Site even after the user's Site account has been deactivated.
10.3 Residual Copies
As part of the Company's measures against accidental or malicious loss and destruction of data, residual copies of users' personal information may not be deleted for a limited period and may remain in the Company's backup systems.
11. Procedures and Methods for Destruction of Personal Information
11.1 Principles of Destruction
The Company destroys personal information without delay when the retention period has elapsed or the purpose of processing has been achieved. However, where retention is required under other laws, the information is retained for the period prescribed by such laws before destruction.
11.2 Destruction Procedure
The Company selects personal information for which a reason for destruction has arisen and destroys it with the approval of the Company's Privacy Protection Officer.
11.3 Destruction Methods
The Company destroys personal information by the following methods:
• Personal information stored in electronic file formats: Permanently deleted using technical methods that make recovery impossible (e.g., complete deletion, overwriting). However, where permanent deletion is extremely difficult due to technical characteristics, the information is treated as information falling under Article 58-2 of the Personal Information Protection Act and rendered unrecoverable.
• Personal information stored on non-electronic recording media such as paper documents and printouts: Destroyed by shredding or incineration.
• Personal information stored in electronic file formats: Permanently deleted using technical methods that make recovery impossible (e.g., complete deletion, overwriting). However, where permanent deletion is extremely difficult due to technical characteristics, the information is treated as information falling under Article 58-2 of the Personal Information Protection Act and rendered unrecoverable.
• Personal information stored on non-electronic recording media such as paper documents and printouts: Destroyed by shredding or incineration.
11.4 Personal Information Items Retained Under Applicable Laws
The items of personal information that must be retained under other laws and the legal bases for such retention are as follows.
| Applicable Law | Information Retained | Retention Period |
|---|---|---|
| Act on the Consumer Protection in Electronic Commerce, etc. (Article 6 – Preservation of Transaction Records; Enforcement Decree Article 6 – Scope of Transaction Records to be Preserved by Businesses) | Records relating to display and advertising | 6 months |
| Records relating to contracts or withdrawal of offer | 5 years | |
| Records relating to payment and supply of goods or services | 5 years | |
| Records relating to consumer complaints or dispute resolution | 3 years | |
| Framework Act on Electronic Documents and Electronic Transactions (Article 18-5 – Creation and Issuance of Distribution Certificates; Enforcement Decree Article 2-4) | Records relating to distribution of electronic documents via official electronic addresses | 10 years |
| Framework Act on National Taxes (Article 85-3 – Keeping and Preservation of Books, etc.) | Books and supporting documents for all transactions prescribed under tax laws | 5 years |
| Protection of Communications Secrets Act (Article 15-2 – Obligations of Telecommunications Carriers to Cooperate; Enforcement Decree Article 41) | Login records | 3 months |
12. Legal Retention Obligations
While no organization can guarantee perfect security, the Company continuously implements and updates administrative, technical, and physical security measures to protect users' information from unlawful or unauthorized access, loss, destruction, or alteration. Where GDPR applies, the Company implements appropriate technical and organizational protection measures at the level required by Article 32 of the GDPR.
13. Changes to This Privacy Policy
The Company reserves the right to modify this Privacy Policy at any time in accordance with applicable law. When the policy is modified, the Company will post the revised Privacy Policy and update the 'Last Modified Date' at the top of the document. In the case of material changes, the Company will notify users by email at least thirty (30) days before the changes take effect. If users do not agree with the revised Privacy Policy, they may terminate their account. If a user does not terminate their account before the effective date of the revised Privacy Policy and continues to access or use services on the Site after the effective date, the user will be deemed to have agreed to the revised Privacy Policy and will be subject to it.
14. Privacy Protection Officer and Remedies
14.1 General Inquiries
If you have any questions or complaints about this Privacy Policy or the Company's handling of personal information, please contact us by email (privacy@wecostay.com) or by phone ((+82) 2-2274-0337). For payment-related matters, please use the contact information provided in the Payment Terms.
14.2 Privacy Protection Officer
The Company has designated a Privacy Protection Officer to oversee personal information processing operations and to handle complaints and provide remedies for data subjects in connection with personal information processing. For inquiries, complaints, remedies, and other matters related to personal information protection, please contact the Privacy Protection Officer below. Where GDPR applies, the Privacy Protection Officer also serves as the Company's Data Protection Officer (DPO).
• Name: Moon Cheol-young
• Title: COO / Chief Operating Officer
• Phone: (+82) 2-2274-0337
• Email: privacy@wecostay.com
• Name: Moon Cheol-young
• Title: COO / Chief Operating Officer
• Phone: (+82) 2-2274-0337
• Email: privacy@wecostay.com
14.3 Methods of Seeking Remedies
Data subjects may apply for dispute resolution or consultation to the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency Personal Information Infringement Report Center, or other bodies to obtain remedies for infringement of personal information.
• Personal Information Dispute Mediation Committee: www.kopico.go.kr / 1833-6972
• Personal Information Infringement Report Center: privacy.kisa.or.kr / (without area code) 118
• Supreme Prosecutors' Office Cyber Investigation Division: www.spo.go.kr / (without area code) 1301
• National Police Agency Cyber Investigation Bureau: ecrm.cyber.go.kr / (without area code) 182
• Personal Information Dispute Mediation Committee: www.kopico.go.kr / 1833-6972
• Personal Information Infringement Report Center: privacy.kisa.or.kr / (without area code) 118
• Supreme Prosecutors' Office Cyber Investigation Division: www.spo.go.kr / (without area code) 1301
• National Police Agency Cyber Investigation Bureau: ecrm.cyber.go.kr / (without area code) 182
15. Cookie Policy and Consent Management
15.1 What Are Cookies?
A cookie is a small piece of information that a website server sends to a user's browser and stores on their device. The Company uses cookies for purposes such as maintaining login status, collecting visitor statistics, and measuring advertising performance. Cookies are automatically generated when users use the Site and may be collected even if users have not created a Site account or are not logged in.
15.2 Types of Cookies and Purposes of Collection
The cookies used by the Company fall into three categories:
• Essential Cookies: Cookies essential for operating basic functions such as maintaining service login status and managing security sessions. These are used without separate user consent as they are technically necessary for service provision; disabling them may prevent some service features from functioning normally.
• Analytics/Statistics Cookies: Cookies used to analyze usage patterns such as visitor count, page views, click paths, and time spent, in order to improve service quality. These are only collected with user consent.
• Marketing Cookies: Cookies used to measure advertising performance and deliver personalized advertising based on user interests. These are only collected with user consent.
• Essential Cookies: Cookies essential for operating basic functions such as maintaining service login status and managing security sessions. These are used without separate user consent as they are technically necessary for service provision; disabling them may prevent some service features from functioning normally.
• Analytics/Statistics Cookies: Cookies used to analyze usage patterns such as visitor count, page views, click paths, and time spent, in order to improve service quality. These are only collected with user consent.
• Marketing Cookies: Cookies used to measure advertising performance and deliver personalized advertising based on user interests. These are only collected with user consent.
15.3 Processing Outsourcing
If consent is given for analytics and marketing cookies, some processing of the collected data may be outsourced to domestic and overseas analytics and advertising service providers (such as Google LLC). Outsourced providers process such data only within the scope of the outsourced purposes.
15.4 Principles of Consent-Based Cookie Collection
The Company starts with all cookies other than essential cookies disabled when a page loads. The relevant type of cookies is activated from the time the user selects consent on the cookie consent banner. Users may individually choose whether to consent to each type of cookie, and declining consent will not affect use of the basic services of the Site.
15.5 How to Refuse Cookie Collection and Withdraw Consent
Users may withdraw or refuse consent for cookie collection at any time by the following methods:
• Browser settings: Users may block or delete cookie storage in the privacy and security settings of each browser. However, if essential cookies are also blocked, some service features may not function normally.
ㅇ Web browsers: Chrome – Privacy and Security > Settings / Edge – Privacy, Search, and Services > Settingsㅇ Mobile browsers: Chrome – Settings > Site Settings > Cookies / Safari – Safari > Settings > Advanced > Block All Cookies / Samsung Internet – Menu or Tabs icon > Settings > Privacy
• Individual service opt-out: Users may individually opt out of data collection by specific analytics and advertising service providers through those providers' privacy policies or opt-out pages.
Users may withdraw cookie consent at any time through the cookie consent banner or through account/browser settings, and withdrawal of consent affects only future processing based on that consent.
• Browser settings: Users may block or delete cookie storage in the privacy and security settings of each browser. However, if essential cookies are also blocked, some service features may not function normally.
ㅇ Web browsers: Chrome – Privacy and Security > Settings / Edge – Privacy, Search, and Services > Settingsㅇ Mobile browsers: Chrome – Settings > Site Settings > Cookies / Safari – Safari > Settings > Advanced > Block All Cookies / Samsung Internet – Menu or Tabs icon > Settings > Privacy
• Individual service opt-out: Users may individually opt out of data collection by specific analytics and advertising service providers through those providers' privacy policies or opt-out pages.
Users may withdraw cookie consent at any time through the cookie consent banner or through account/browser settings, and withdrawal of consent affects only future processing based on that consent.