Privacy Policy and Cookies

Latest version:

MANGO KOREA LTD. Privacy Policy

Mango Korea Ltd. (hereinafter the "Company") processes personal information in compliance with the Personal Information Protection Act ("PIPA") and all other applicable laws and regulations of the Republic of Korea, in order to protect the rights and interests of data subjects. In accordance with Article 30 of PIPA, the Company establishes and publicly discloses this Privacy Policy to inform data subjects of the procedures and standards governing the processing of their personal information and to ensure that any related grievances are handled promptly and effectively.

This Privacy Policy applies to personal information processed by the Company through its online shopping platform (https://shop.mango.com) and mobile application (collectively, the "Platform").

Article 1. Purposes of Processing, Items Collected, and Retention Periods

The Company processes only the minimum personal information necessary for the purposes set out below, and does not use personal information for any purpose other than those described herein. Where the purpose of processing changes, the Company will take all necessary measures in accordance with Article 18 of PIPA, including obtaining separate consent where required.

1-1. Personal Information Collected and Processed Without Consent

Legal basis: PIPA Art. 15(1)(iv)—performance of a contract.

PurposeDescriptionItems ProcessedRetention Period
Membership registration and account management
  • Confirming intent to register; identity verification; managing membership status.
  • Preventing unauthorized or fraudulent use; restricting members who breach the Terms of Use.
  • Sending transactional notifications (e.g. order confirmation, delivery status).
Email address, password, mobile phone number, date of birth

Until membership withdrawal

Online sales—order processing, payment, and delivery
  • Processing purchase orders, payments, cancellations, returns, and exchanges.
  • Transmitting delivery information to logistics providers.
Name, mobile phone number, delivery address, email address, order details, payment method (credit card number processed under PCI DSS; bank account number for refunds)Until completion of supply of goods/services and full settlement of payment (mandatory statutory periods apply—see Article 3)
Customer service—handling of inquiries and complaints
  • Receiving and responding to queries, requests, and complaints.
  • Verifying the identity of the data subject and confirming the facts of any complaint.
  • Sending post-purchase quality surveys.
Name, mobile phone number, email address, order number, order details, payment details, content of inquiry/complaint3 years (records of consumer complaints/ disputes)
Automatic collection during service use
  • Automatically generated data collected during use of the Platform.
Cookie information, device information, browser informationUntil membership withdrawal

1-2. Personal Information Collected and Processed With Consent

Legal basis: PIPA Art. 15(1)(i)—data subject’s consent.

PurposeDescriptionItems ProcessedRetention Period
Marketing communications
  • Providing personalized commercial communications—new products, promotions, special offers, newsletters—via email, SMS, and post, based on purchase history and Platform browsing behavior.
  • Sending post-purchase surveys to gather feedback on product and service quality.
  • Statistical analysis and improvement of Platform services.
  • Users may withdraw consent at any time via My Account > Subscriptions or the unsubscribe link in any commercial email.
Name, email address, mobile phone number, gender, date of birth, purchase history, Platform browsing behaviorUntil unsubscription or withdrawal of consent

Data subjects who decline to consent to marketing communications will NOT be restricted in their use of the Company’s core services (purchase, delivery, customer service, etc.).

Article 2. Mandatory Statutory Retention Periods

Notwithstanding the retention periods set out in Article 1, the Company retains the following categories of personal information for the periods required by applicable law. Such information is stored separately from active data and is not used for any other purpose:

Record TypePeriodLegal Basis
Records on marks and advertisements6 monthsEnforcement Decree of the Act on Consumer Protection in Electronic Commerce, Art. 6(1)(i)
Records on contract conclusion or cancellation of subscription5 yearsEnforcement Decree of the Act on Consumer Protection in Electronic Commerce, Art. 6(1)(ii)
Records on payment and supply of goods/services5 yearsEnforcement Decree of the Act on Consumer Protection in Electronic Commerce, Art. 6(1)(iii)
Records on consumer complaints and dispute resolution3 yearsEnforcement Decree of the Act on Consumer Protection in Electronic Commerce, Art. 6(1)(iv)
Computer/internet log records; access location tracking data3 monthsEnforcement Decree of the Protection of Communications Secrets Act, Art. 41(2)(ii)
Telecommunications date, start/end time, and duration12 monthsEnforcement Decree of the Protection of Communications Secrets Act, Art. 41(2)(i)

Article 3. Destruction of Personal Information

The Company destroys personal information without delay once it has become unnecessary—whether due to expiry of the retention period, achievement of the processing purpose, or any other reason.

Exception: Where continued retention is required by applicable law, the relevant personal information is transferred to a separate database or retained at a separate location. Such information is not used for any purpose other than compliance with the applicable legal requirement.

The Company’s procedure and method of discarding personal information is as follows:

Destruction procedurePersonal information subject to destruction is identified and destroyed following approval by the Company’s Chief Privacy Officer.
Destruction method
  • Electronic files: destroyed using a technical method that makes recovery impossible.
  • Paper documents: shredded or incinerated.

Article 4. Provision of Personal Information to Third Parties

The Company processes personal information only within the scope of the purposes set out in Article 1, and provides personal information to third parties only where the data subject has consented or where otherwise permitted under Articles 17 and 18 of PIPA. The Company does not otherwise provide personal information to any third party.

Article 5. Outsourcing of Personal Information Processing

The Company outsources certain personal information processing activities to the processors listed below. In all outsourcing agreements, the Company includes provisions pursuant to Article 26 of PIPA prohibiting processing outside the scope of the outsourced task, requiring the implementation of technical and managerial protective measures, restricting sub-processing, providing for supervision and audit rights, and establishing liability for damages. The Company supervises all processors to ensure the safe handling of personal information. Any change to the scope of outsourced tasks or the identity of processors will be disclosed through this Privacy Policy without delay.

5-1. Domestic Processors

ProcessorOutsourced Task
NHN KCP Co., Ltd.Payment processing service provider, including payment gateway and associated transaction assurance services.
Global Blue Korea Co., Ltd.Provider of tax-free and VAT refund services for international customers.

Article 6. Overseas Transfer of Personal Information

The Company transfers personal information overseas as set out below, pursuant to Article 28-8 of PIPA. Transfers to EU/EEA member states are made on the basis of the equivalency recognition notified by the PIPC in September 2025 pursuant to Article 28-8(1) of PIPA, recognizing that the level of personal information protection in the EU/EEA is equivalent to that provided under Korean law.

How to refuse overseas transfer: Data subjects may refuse the overseas transfer of their personal information. However, because the transfers described below are necessary for the operation of the Platform and the provision of services, refusal may result in the restriction of or inability to use some or all services.

Data subjects who do not wish to have their personal information transferred overseas may withdraw from membership via Platform > Account > delete account or by contacting the Company by phone at 00-7983218084, by email at personaldata@mango.com, or by post at: Atención al Cliente, Via Augusta, 10 (Polígono Industrial Riera Caldes), 08184 Palau-solità i Plegamans, Barcelona, Spain. Data subjects may also exercise their rights under Article 8 of this Privacy Policy.

Recipient (Contact)Items TransferredCountryLegal BasisTiming and MethodPurpose and Retention
MANGO MNG, S.A. (personaldata@mango.com)Identification and contact data; account and membership data; order and purchase history; information on deliveries, returns and exchanges; customer service, query and complaint records; marketing preferences and subscription data; quality and satisfaction survey results; browsing and cookie-related dataSpain (EU/EEA)Art. 28-8(1): Equivalency recognitionContinuously as part of platform operation and as needed for marketing and compliance purposes; via encrypted networkWeb/app platform operation and support; centralised CRM, newsletter and marketing management; personalisation of communications, products and offers; analytics and improvement of customer experience; group-level reporting, compliance and governance support; technical maintenance, support and security monitoring; coordination with central service providers engaged by the group—retention per Article 2.
Salesforce.com EMEA Limited (privacy@salesforce.com)Name, email address, mobile phone numberGermany, France (EU/EEA); United StatesEU/EEA: Art. 28-8(1)(v)—Equivalency recognition / United States: Art. 28-8(1)(i)—separate consent of data subjectEach time a newsletter or commercial communication is sent; via encrypted networkNewsletter and commercial communications management—retention per Article 2

TWW - SERVIÇOS DE HELPLINE E DE ATENDIMENTO TELEFÓNICO LDA

(dpo@transcom.com)

Name, surname, email address, postal address, mobile phone number, preferred language, country, customer number (if applicable), order number, item reference, date of purchase, amount, delivery method, shipping status, associated store (if applicable), reason for return, reason for claim, history of incidents, communications with customer service, documentation provided such as receipts, delivery address, billing address, postal code, and shipment tracking data.Portugal (EU/EEA)Art. 28-8(1): Equivalency recognitionEach time an enquiry or complaint is submitted to Customer ServiceCustomer Service

Maersk E-commerce Spain SL ("MAERSK").

(dataprivacy@maersk.com)

Name, email, address, postal address, mobile phone numberSpain (EU/EEA)Art. 28-8(1): Equivalency recognitionWhenever the shipment of an order is arrangedLogistics service provider supporting the shipment and delivery of customer orders

Processout SAS

(privacy@processout.com)

Name, postal address, phone number, Credit card number.IrelandArt. 28-8(1): Equivalency recognition

Every payment transaction. Personal information is transferred via secured IP Networks

Payment processing service provider

Article 7. Security Measures for the Protection of Personal Information

The Company implements the following technical, managerial, and physical measures pursuant to Article 29 of PIPA and the Enforcement Decree thereunder, to ensure the security and integrity of personal information and to prevent loss, theft, unauthorized disclosure, alteration, or damage:

CategoryMeasures
Managerial
  • Establishment and implementation of an internal personal information management plan.
  • Minimization of personnel with access to personal information.
  • Regular employee training on personal information protection.
  • Operation of a dedicated privacy compliance team.
Technical
  • Management of access rights to personal information processing systems with regular credential renewal.
  • Installation and operation of access control systems and firewalls.
  • Network segmentation.
  • Encryption of personal information (SSL applied across all online transactions).
  • Maintenance and inspection of access logs.
  • Installation, operation, and regular updating of security programs.
  • Periodic vulnerability assessment and remediation.
Physical
  • Access controls for server rooms and data storage facilities.
  • Secure storage of documents and removable media in locked facilities.
  • Controls on the introduction and removal of removable storage media.

Article 8. Rights and Obligations of Data Subjects and Legal Guardians

8-1. Rights of Data Subjects

Data subjects may exercise the following rights against the Company at any time:

  • Right to request access
  • Right to request correction of errors
  • Right to request deletion
  • Right to request suspension of processing
  • Right to withdraw consent

Rights of access and suspension of processing may be restricted pursuant to Articles 35(4) and 37(2) of PIPA.

8-2. How to Exercise Rights

Data subjects may submit requests to exercise their rights by email to the Chief Privacy Officer at the address below. The Company will respond within 10 days of receipt in accordance with Article 35(3) of PIPA.

  • Chief Privacy Officer: Margarita Salvans Puigbo,
  • Title: DPO
  • Email: personaldata@mango.com

Article 9. Automatic Collection of Personal Information (Cookies)

The Company uses cookies and similar automatic collection tools (collectively, "Cookies") on the Platform to store and retrieve usage information in order to provide individually tailored services. Cookies are files sent by the Platform's server to the user's browser and stored on the user's device. They are automatically transmitted to the server each time the Platform is accessed. The Company does not store sensitive personal identification information such as passwords or financial account details in Cookies.

9-1. Types of Cookies Used

TypePurpose
Strictly Necessary CookiesEssential for the operation and security of the Platform. Enable core functions including purchase processing, access to restricted areas, security features, and content delivery. These Cookies cannot be disabled.
Functional CookiesRemember user preferences such as language, country, and browser settings to provide a consistent experience across visits.
Performance CookiesMeasure visit frequency and traffic sources; count the number of users; support statistical analysis of Platform usage to improve the service.
Targeted CookiesRecord browsing behavior on the Platform to deliver personalized advertising relevant to the user's interests.
Social Media CookiesEnable users to share Platform content with friends and networks via social media platforms. Details are available in the Platform's cookie settings panel.

Cookies on the Platform are managed as follows:

  • First-party Cookies: Created and managed by the Company in its capacity as operator of the Platform.
  • Third-party Cookies: Managed by external service providers. Third parties whose Cookies are in use are listed in the cookie settings panel on the Platform.

9-2. Cookie Retention

Personal information collected through Cookies is retained only for the period reasonably necessary to respond to user inquiries, resolve issues, improve the service, and comply with applicable law. Upon expiry of the applicable retention period, such information will be blocked across all Company systems.

The validity period of consent given for non-essential Cookies does not exceed 13 months. Upon expiry, the Company will request fresh consent when the user next visits the Platform.

9-3. Overseas Transfer of Cookie Data

Cookie data may be transferred to service providers located outside the Republic of Korea. Such transfers are made only where a lawful basis exists under Article 28-8(1) of PIPA, including where the destination country has been recognized as providing an equivalent level of personal information protection, or where the data subject has given separate consent. The Company does not sell Cookie data to any third party.

The third countries to which Cookie data may be transferred are as follows: the United States, Canada, and EU/EEA nations.

9-4. Managing Cookie Settings

Users may allow, restrict, or delete Cookies at any time through the Platform's cookie settings menu or through their browser or device settings. Refusing certain Cookies may limit access to some features of the Platform.

The button to access the cookie settings panel is available at the bottom of the page.

For guidance on managing cookie preferences, please refer to the help section of the following browsers:

  • Internet Explorer
  • Google Chrome
  • Mozilla Firefox
  • Safari
  • Opera

For Internet Explorer, cookie settings may be configured as follows:

Click "Internet Options" in the "Tools" menu

Click the "Privacy" tab

Set the desired "Privacy Level"

For further information on how third-party service providers handle personal information collected through their cookies, users are encouraged to consult the respective privacy policies available on each provider's platform.

Article 10. Chief Privacy Officer and Responsible Department

The Company designates the following Chief Privacy Officer (CPO), who has overall responsibility for personal information processing and for the handling of data subject complaints and requests for remedies:

Chief Privacy OfficerMargarita Salvans Puigbo
DepartmentPrivacy Office
Email

dpo@mango.com

Telephone00-7983218084

Data subjects may direct all personal information-related inquiries, complaints, and requests for remedies to the Chief Privacy Officer or the responsible department. The Company will respond without delay.

Article 11. Remedies for Infringement of Privacy Rights

Data subjects may seek relief or consultation in connection with personal information infringement through the following institutions. The Company is committed to protecting the personal information rights of data subjects and to providing prompt consultation and remedies in the event of any infringement.

InstitutionContactWebsite
Personal Information Dispute Mediation Committee1833-6972 (no area code)

www.kopico.go.kr

Personal Information Infringement Report Center (KISA)118 (no area code)privacy.kisa.or.kr
Cyber Investigation Division, Supreme Prosecutors’ Office1301(no area code), 02-3480-2190

www.spo.go.kr

Electronic Cybercrime Report & Management System, National Police Agency 182 (no area code)ecrm.cyber.go.kr

Article 12. Changes to This Privacy Policy

This Privacy Policy is effective from 01/07/2026.

In the event of any addition, deletion, or revision to this Privacy Policy, the Company will provide notice through the Platform.

Previous versions of this Privacy Policy are available here.

Cookies enhance your shopping experience

We use our own and third-party cookies for analytical purposes and to show you personalised advertising and content based on a profile prepared from your browsing habits. You can accept all the cookies or manage your preferences in the settings panel. For more information, please consult the Cookies Policy.