Privacy Policy

Applicable Region — This Privacy Policy applies to users residing in the European Economic Area (EEA), the United Kingdom, and other jurisdictions outside South Korea and Japan. Residents of Korea should refer to the Korean version. Residents of Japan should refer to the Japanese version when published.

Roovook Inc. (the "Company", "we", "us", or "our") protects the personal data of its users in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the ePrivacy Directive (2002/58/EC), the UK GDPR and Data Protection Act 2018, and other applicable data-protection laws. We provide this Privacy Policy to explain clearly how we process personal data and how data subjects can exercise their rights.

This Policy governs the personal data of general users (event organisers, prospective guests, and inquirers) that we collect and process through the Sales-Engine (lead-capture pages embedded within EMS), Venue Network, and Group Bookings pages operated directly by Roovook. Personal data collected and processed independently inside EMS by our Service Providers (hotels and venues that subscribe to our SaaS product) is handled by those Service Providers as separate, independent controllers and is not covered by this Policy.


Article 1 (Purposes and Lawful Bases of Processing)

We process personal data for the purposes set out below. Each purpose is tied to one or more lawful bases under Article 6 GDPR. Personal data will not be used beyond these purposes; where purposes change materially, we will obtain fresh consent or rely on another appropriate lawful basis, with prior notice.

# | Purpose | Lawful basis (GDPR Art. 6)
1 | User identification and account management — authentication, prevention of fraudulent service use, handling of inquiries and disputes | Art. 6(1)(b) Contract; Art. 6(1)(f) Legitimate interests (fraud prevention)
2 | Inquiry and reservation routing — receiving and forwarding a user's inquiry or reservation request (for event/banquet spaces, group rooms, group catering, group tickets/events) to the relevant Service Provider, including identity confirmation and mediation of the response | Art. 6(1)(b) Contract (performance of the user-requested service)
3 | Consultation quality control and dispute response — recording and retaining phone/chat consultations to enable fact-finding in the event of complaint or dispute | Art. 6(1)(f) Legitimate interests (dispute prevention, balanced against user expectations)
4 | Service improvement and statistical analysis — analysing service usage, developing new features, producing non-identifying statistics | Art. 6(1)(f) Legitimate interests
5 | Marketing communications — announcements regarding Venue Network and Group Bookings events, promotions, and new features | Art. 6(1)(a) Consent (separately obtained; withdrawable at any time)
6 | Cross-border transfer to non-adequacy countries — transfer of personal data to the United States and other jurisdictions lacking an EU adequacy decision, where required to deliver the purposes above | Art. 6(1)(a) Consent

Note: Cross-border transfers additionally rely on Chapter V safeguards (Standard Contractual Clauses) as detailed in Article 8.


Article 2 (Categories of Personal Data Collected)

(1) Data provided directly by the user

Category | Items
Required | Name, phone number, company name, email address, inquiry/reservation details
Optional | Event/booking date and time, number of attendees, budget, desired service options, other inquiry content

(2) Data collected automatically during service use

  • IP address, access timestamps, access logs, and page-use records
  • Device information (model, operating-system version), browser information
  • Information collected via cookies and similar tracking technologies

(3) Data collected during consultation

  • Voice-call recordings from phone consultations
  • Chat-consultation transcripts

(4) Data collected during payment

  • As applicable (see Article 7 and Article 8 for details)

We do not collect national-identification numbers, passport numbers, driving-licence numbers, or other unique government-issued identifiers.


Article 3 (Call Recording — Legitimate Interest)

When a user speaks with us by telephone, we record the call as set out below. This processing is based on our legitimate interests under Art. 6(1)(f) GDPR (dispute prevention and consultation quality assurance); we have carried out a balancing test and concluded that these interests are not overridden by the interests or fundamental rights of the data subject, given the prior notice, limited retention, and ability to decline recording.

  • Notice of recording: An automated voice notice at the start of the call informs the user that the call is recorded.
  • Purposes: (i) consultation quality management, (ii) accurate confirmation of order/reservation details, and (iii) evidentiary record where a dispute arises between the user and a Service Provider.
  • Retention: Recording files are erased without delay once the purpose is achieved. Where applicable law imposes a longer retention obligation (for example, records of consumer complaints/disputes), we retain recordings only for that legal period.
  • Disclosure: Recording files may be disclosed to the Service Provider with whom the user made the inquiry, for dispute-prevention purposes. See the Third-Party Disclosure Consent for details.
  • Right to refuse: A user may decline call recording. In that case, email (support@roovook.com), the web inquiry form, and chat remain available as non-voice alternatives.

Article 4 (Special Categories of Data — Art. 9 GDPR)

Roovook is a quote-stage B2B sales platform. Final contracts (and any special-category data such as dietary-restriction or allergy information that the Service Provider may separately collect for catering or operations purposes) are concluded directly between the Service Provider and the end guest, outside Roovook's systems. Accordingly:

  • Roovook does not intentionally collect or process special categories of personal data as defined in Article 9(1) GDPR (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health data, or data concerning a natural person's sex life or sexual orientation).
  • Where such data is inadvertently provided (for example, in a free-text inquiry field), we delete it promptly upon becoming aware, unless an Article 9(2) derogation applies.

Article 5 (Retention Periods)

We retain personal data only for as long as necessary to achieve the processing purpose, or for the period required by applicable law, whichever is longer.

  • Default: Personal data is deleted without undue delay once the purpose is achieved.

  • Legal-retention obligations (where Korean export / consumer-protection records are involved for cross-border transactions):

    • Contract and order-withdrawal records — 5 years
    • Payment and supply records — 5 years
    • Consumer complaints and dispute records — 3 years
    • Advertising/marketing records — 6 months
    • Website and app access logs — 3 months

    These Korean statutory periods apply because Roovook Inc. is incorporated in the Republic of Korea; Korean retention obligations run in parallel with our GDPR-mandated data minimisation duties, and we retain such data in segregated storage with restricted access.

  • User account information: Retained until the user requests deletion; any records subject to a statutory retention obligation are stored separately until that obligation expires.

  • Marketing-consent records: Retained for 2 years from the date of consent unless withdrawn earlier.


Article 6 (Disclosure to Third Parties)

We process personal data solely for the purposes set out in Article 1 and do not disclose personal data to third parties without a lawful basis. The central disclosure is to the Service Provider the user has chosen to contact. The full consent procedure is in our separate Third-Party Disclosure Consent; the summary is below.

Item | Content
Recipient | The Service Provider to whom the user directed the inquiry/reservation
Data disclosed | Name, phone number, company name, email address, inquiry content, and (where applicable) call recordings
Purpose | Service Provider's response, reservation processing, quote preparation, and dispute handling
Retention by recipient | Managed by the recipient Service Provider as an independent controller, until purpose achieved or statutory period expires
Lawful basis | Art. 6(1)(a) GDPR (consent collected at the point of inquiry submission)

Article 7 (Processors — Art. 28 GDPR)

We engage the following processors under Article 28 GDPR. Each processor is bound by a written agreement that requires (i) processing only on our documented instructions, (ii) confidentiality commitments for authorised personnel, (iii) appropriate technical and organisational security measures, (iv) engagement of sub-processors only with prior authorisation, (v) assistance with data-subject rights and breach response, and (vi) deletion or return of personal data at the end of the engagement.

Processor | Service provided
Payple Co., Ltd. (Korea) | Payment authentication and encrypted transmission for deposits/guarantees paid by users on Sales-Engine, Venue Network, and Group Bookings pages. Settlement/receipt of funds is performed directly by the Service Provider; Roovook is not involved.
Dawoo Technology Co., Ltd. (Korea) | Transactional and notification messages (SMS, LMS, email, KakaoTalk AlimTalk)
Korea Cable Telecom Co., Ltd. (Korea) | Phone-consultation recording and safety-number (masked number) service
Return Zero, Inc. (Korea) | Speech-to-text conversion of call recordings (VITO API). Transcripts are used solely for consultation review and summarisation.
Google LLC — Japan (Tokyo region data centre, asia-northeast1); operating entity: Google LLC (United States) | Google Cloud Platform infrastructure (hosting, data storage, network). All Roovook GCP workloads (Cloud Run, App Engine, Cloud SQL, Cloud Storage) run in the Tokyo region; user data is physically stored in Japan.
Anthropic, PBC (United States) | Automated summarisation / classification of user inquiries for internal workflow (Claude API). User data is not used for model training.
OpenAI, L.L.C. (United States) | Automated summarisation / classification of user inquiries for internal workflow (GPT API). User data is not used for model training.
Google LLC (United States) | Automated summarisation / classification of user inquiries for internal workflow (Gemini API). User data is not used for model training.

Where we add or replace a processor, we will update this Policy and give advance notice before the change takes effect.


Article 8 (International Transfers — Art. 44–49 GDPR)

To operate the service we rely on cloud and AI services located outside the EEA and the United Kingdom. The following transfers take place:

Roovook's core Google Cloud Platform infrastructure (Cloud Run, App Engine, Cloud SQL, Cloud Storage, and related services) operates in the asia-northeast1 (Tokyo) region. User data stored on this infrastructure physically resides in Japan. Transfers from the EEA or United Kingdom to Japan are covered by the European Commission's adequacy decision for Japan (Commission Implementing Decision (EU) 2019/419, and the analogous UK adequacy regulations); no further supplementary safeguards (such as Standard Contractual Clauses) are required for this data location. The transfers listed in the table below apply only to data shared with providers or entrustees outside Japan.

Recipient | Country | Data transferred | Purpose | Transfer mechanism | Country's protection framework | Safeguards applied
Anthropic, PBC | United States | Inquiry content and minimum data required for processing | Internal summarisation / classification (Claude API) | Standard Contractual Clauses (Art. 46(2)(c)) | Sectoral privacy laws; the EU–US DPF provides adequacy for certified recipients; additional supplementary measures applied | Encrypted API calls; data not retained beyond request processing; not used for model training
OpenAI, L.L.C. | United States | Inquiry content and minimum data required for processing | Internal summarisation / classification (GPT API) | Standard Contractual Clauses (Art. 46(2)(c)) | Same as above | Encrypted API calls; data not retained beyond request processing; not used for model training
Google LLC | United States (Vertex AI, us-central1) | Inquiry content and minimum data required for processing | Internal summarisation / classification (Gemini API) | Standard Contractual Clauses (Art. 46(2)(c)) + EU–US DPF where applicable | Same as above | Encrypted API calls; data not retained beyond request processing; not used for model training
Payple Corp. | Korea | Payment authentication, deposit/security data (Sales Engine · Venue Network · Group Bookings) | Payment-tech processing (authorisation, encrypted transmission) | Adequacy Decision — Korea (Commission Implementing Decision (EU) 2022/254) | Korea PIPA; independent supervisory authority PIPC; adequacy-decision country | Contractual DPA; encrypted channel
Dawoo Technology Co., Ltd. | Korea | Recipient contact identifiers (email, phone, KakaoTalk ID) | SMS/LMS/email/KakaoTalk AlimTalk delivery | Adequacy Decision — Korea | Same as above | Contractual DPA; scoped access
Korea Cable Telecom, Inc. | Korea | Call-recording audio, caller phone number | Call recording and safe-number service | Adequacy Decision — Korea | Same as above | Contractual DPA; encryption at rest
Return Zero, Inc. | Korea | Call-recording audio file | Speech-to-text conversion (VITO API) | Adequacy Decision — Korea | Same as above | Contractual DPA; processing only; no training use
Hotjar Ltd. | Malta (EU, Hotjar Ltd. headquarters) and United States (Contentsquare sub-processing following acquisition) | Cookie identifiers, IP address, behavioural signals | Behavioural analytics (opt-in cookie only) | Intra-EEA for Malta; SCCs for US sub-processing | EU GDPR (Malta); sectoral laws (US) | Consent-gated; IP anonymisation; data minimisation
Microsoft Corporation | United States | Cookie identifiers, IP address, behavioural signals | Microsoft Clarity behavioural analytics (loaded via Google Tag Manager container) | Standard Contractual Clauses + EU–US Data Privacy Framework where applicable | Sectoral privacy laws (no omnibus federal framework); EU–US DPF provides adequacy for certified recipients | Consent-gated (analytics cookies); data minimisation; IP anonymisation

Note: The Google LLC GCP infrastructure transfer previously listed in this table is covered by the Japan adequacy decision and is no longer enumerated separately. It is disclosed in Article 7 (Processors).

Adequacy references: Japan benefits from an EU adequacy decision under Article 45 GDPR (Commission Implementing Decision (EU) 2019/419), so transfers from the EEA to Japanese recipients do not require additional safeguards. The Republic of Korea similarly benefits from an EU adequacy decision (Commission Implementing Decision (EU) 2022/254) of 17 December 2021.

Users have the right to object to cross-border transfers that rely on consent. Objecting may limit the availability of some features; we will explain the impact before processing the objection.


Article 9 (Cookies and Automatic Collection — ePrivacy + Art. 7 GDPR)

(1) What cookies are

Cookies are small files that a website transmits to the user's browser and which may be stored on the user's device. We use cookies and similar tracking technologies to operate the service and to provide certain features.

(2) Consent model — prior opt-in with reject-all parity

  • Strictly-necessary cookies (login session, security, CSRF protection): set on service use; no consent is required pursuant to Article 5(3) of the ePrivacy Directive.
  • Functional, analytics, and marketing cookies: set only after the user has given prior, informed, freely given, specific, and unambiguous opt-in via our cookie banner. The banner provides "Accept all" and "Reject all" with equivalent visual prominence. Consent is recorded, revocable at any time, and can be adjusted via the "Cookie Preferences" link in the site footer.

(3) Third-party tools (loaded only with the relevant consent)

Cookie / Tool | Provider | Purpose | Category | Lifetime | Transfer country
Google Analytics (_ga, _ga_<stream-id>, _gat_<property>) | Google LLC | Visit statistics, page-dwell time, traffic-source analysis | Analytics | _ga 2 years · _ga_* 2 years · _gat_* 1 minute | United States
Google Tag Manager | Google LLC | Tag management (does not set its own cookies; cookies are set by the tools loaded through it) | Functional |  | United States
Hotjar (_hjSessionUser_<site>, _hjSession_<site>, _hjAbsoluteSessionInProgress, _hjFirstSeen) | Hotjar Ltd. | User-behaviour (scroll/click/heatmap) analysis and UX improvement | Analytics | User cookies 365 days · Session cookies 30 minutes | Malta (EU, Hotjar Ltd. headquarters) and United States (Contentsquare sub-processing following acquisition)
Microsoft Clarity (_clck, _clsk, MUID, ANONCHK) | Microsoft Corporation (loaded via Google Tag Manager container) | User behavioural analytics (clicks, scrolls, session replay) | Analytics | _clck 1 year · _clsk 1 day · MUID 13 months · ANONCHK 10 minutes | United States
Naver Premium Log (NNB, _npcmp) | NAVER Corp. | Naver-referral visit statistics | Analytics | 1 year | Korea
Kakao SDK | Kakao Corp. | Kakao-account social-login authentication (session-based) | Essential (at login) | Session | Korea
Facebook SDK (fr) | Meta Platforms, Inc. | Facebook-account social-login authentication | Essential (at login) | 90 days | United States
Firebase Authentication | Google LLC | Phone/email/social-account authentication (not cookie-based; uses IndexedDB / session storage) | Essential | IndexedDB / session storage | United States

Roovook does not use marketing pixels such as Meta Pixel or TikTok Pixel. The Facebook SDK is used exclusively for social login authentication and is distinct from the behavioural-tracking Meta Pixel.

Information collected by these tools includes cookie identifiers, IP address, device/browser metadata, and page-use records. Social-login SDKs process only the minimum data needed for authentication (account identifier, authentication token); names, phone numbers, and other identifiers are not passed to analytics tools.

(4) Rejecting cookies

A user may decline cookies at any time via (i) the cookie banner (available on first visit and re-invocable from the "Cookie Preferences" link), or (ii) browser settings. Rejecting strictly-necessary cookies may impair core service functionality.


Article 10 (Security Measures — Art. 32 GDPR)

Taking into account the state of the art, implementation cost, and the nature, scope, context, and purposes of processing, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk:

  1. Organisational measures: written internal security plan; periodic data-protection training for staff and processors; role-based access-control procedures; documented incident-response playbook.
  2. Technical measures: access control to personal-data processing systems; encryption of passwords and key personal data at rest (AES-256) and in transit (TLS 1.2+); intrusion-detection and intrusion-prevention systems; log retention and periodic log review; anti-malware controls.
  3. Physical measures: controlled access to server rooms and document-storage facilities.
  4. Resilience: Systems are designed to maintain confidentiality, integrity, availability and resilience of processing, including redundancy, failover, and load balancing across multiple Google Cloud zones (Art. 32(1)(b)).
  5. Restoration: We maintain daily encrypted backups with documented restoration procedures, tested quarterly, to ensure timely recovery from incidents (Art. 32(1)(c)).
  6. Testing: Security controls are subject to regular testing, assessment and evaluation, including annual penetration tests and ongoing vulnerability scans (Art. 32(1)(d)).

Article 11 (Personal Data Breach Response — Art. 33–34 GDPR)

  • Supervisory authority notification (Art. 33): On becoming aware of a personal-data breach, we notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after awareness, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where notification is not made within 72 hours, we accompany the delayed notification with reasons for the delay.
  • Data-subject notification (Art. 34): Where a breach is likely to result in a high risk to the rights and freedoms of natural persons, we communicate the breach to affected data subjects without undue delay, in clear and plain language, describing the nature of the breach, the likely consequences, and the measures taken or proposed.
  • Internal logging: We document all breaches, their effects, and the remedial action taken, in a breach register made available to the supervisory authority on request.

Article 12 (Data-Subject Rights — Art. 15–22 GDPR)

Subject to the conditions in the GDPR, you have the following rights with respect to your personal data:

Right | GDPR Article | Description
Right of access | Art. 15 | Confirm whether we process your personal data and obtain a copy
Right to rectification | Art. 16 | Correct inaccurate personal data or have incomplete personal data completed
Right to erasure ("right to be forgotten") | Art. 17 | Request deletion where grounds apply (e.g., purpose achieved, consent withdrawn)
Right to restriction of processing | Art. 18 | Pause processing under specified conditions
Right to be informed of recipients | Art. 19 | Obtain information on recipients to whom your personal data has been disclosed, where a rectification, erasure or restriction request has been made.
Right to data portability | Art. 20 | Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller
Right to object | Art. 21 | Object to processing based on legitimate interests (Art. 6(1)(f)) or to direct marketing
Rights related to automated decision-making | Art. 22 | Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Roovook does not currently perform such automated decision-making; any change will be communicated in advance.
Right to lodge a complaint | Art. 77 | Lodge a complaint with a supervisory authority (see Article 14)

How to exercise: Contact us by email (support@roovook.com) or via the in-product support form. We will respond within one month (30 days) of receipt pursuant to Art. 12(3) GDPR; this period may be extended by up to two further months for complex or numerous requests, in which case we will notify you of the extension and the reasons within the first month. No fee is charged unless the request is manifestly unfounded or excessive.

Verification: We may ask for information reasonably necessary to confirm your identity. A data subject may also act through an authorised representative on presentation of valid authority.

Freeze during rectification: While a rectification or erasure request is being processed, we will not use or disclose the contested data beyond what is necessary to process the request.


Article 13 (Consent Withdrawal — Art. 7(3) GDPR)

Where processing is based on consent, you have the right to withdraw your consent at any time, as easily as you gave it, without affecting the lawfulness of processing based on consent before its withdrawal.

Concrete withdrawal paths:

  • Marketing communications: unsubscribe link at the foot of every marketing email, or in account settings under "Communication preferences".
  • Non-essential cookies: the "Cookie Preferences" link in the site footer (re-invokes the cookie banner with Reject-all parity).
  • Cross-border transfer consent: by emailing support@roovook.com. We will confirm the scope of service that can still be provided without the transfer.
  • Account and all consent-based processing: by closing your account via account settings, or by emailing support@roovook.com.

Withdrawing consent does not affect other lawful bases that may still apply to the same data (for example, statutory retention or contract performance).


Article 14 (Data Protection Officer and Supervisory Authorities)

Data Protection Officer (DPO) / Privacy Contact

EU Representative (Art. 27 GDPR)

Roovook has not appointed an EU representative under Article 27 at this time; our processing of EEA residents' data presently occurs on an occasional, low-risk basis. On formal EU market expansion we will appoint and publish an Article 27 representative, with designated contact details, by updating this Policy prior to launch.

Supervisory authorities

Data subjects in the EEA have the right to lodge a complaint with the data protection authority in their EU member state. The directory of supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk.


Article 15 (Revision History and Notice)

This Policy takes effect on its effective date. Where we make additions, deletions, or corrections driven by law or policy changes, we will publish the amended Policy via in-service notice at least 7 days before effect; for changes that are materially adverse to data subjects, we will give at least 30 days' prior notice and, where required, obtain fresh consent.

Version | Effective | Summary of changes
1.0 | 2019-03-11 | Initial publication
2.0 | 2025-09-18 | Korean/English/Japanese multilingual expansion; service scope redefined
3.0 | 2026-04-17 | Full restructure: scope, call recording, retention/erasure procedure, security measures, cookies, minors, automated decision-making, and international transfer sections strengthened. Joy Corporation engagement removed.
3.5 | 2026-04-17 | English version synchronised with Korean 3.5; email integration clauses separated to B2B Policy.

Last updated: 22 April 2026