
PRIVACY POLICY
Effective Date: November 10, 2025
Last Updated: November 10, 2025
PEKI Co., Ltd. (hereinafter referred to as “PEKI,” “we,” “us,” or “our”), a corporation duly organized and existing under the laws of the Republic of Korea with its principal place of business in Seoul, operates the e-commerce platform accessible at www.peki.shop (the “Site”) and associated mobile applications (collectively, the “Platform”).
This Privacy Policy (the “Policy”) governs the collection, processing, use, disclosure, transfer, storage, and protection of personal data submitted by users (hereinafter “you,” “your,” or “Data Subject”) in connection with:
• Purchasing natural skincare products derived from Caryocar brasiliense (Pequi) oil;
• Participation in our Buy One, Give One Global Empathy Program;
• Account creation, newsletter subscription, customer support inquiries, or any other interaction with the Platform.
PEKI is committed to compliance with applicable data protection laws, including but not limited to:
• EU General Data Protection Regulation 2016/679 (GDPR);
• UK GDPR;
• California Consumer Privacy Act (CCPA), as amended by CPRA;
• Personal Information Protection Act of Korea (PIPA);
• Brazilian Lei Geral de Proteção de Dados (LGPD);
• Canadian Personal Information Protection and Electronic Documents Act (PIPEDA); and
• Other jurisdictional privacy frameworks.
By accessing the Platform or providing personal data, you expressly consent to the practices described herein. If you do not agree, immediately cease use of the Platform.
1. Definitions
Term | Definition
Personal Data | Any information relating to an identified or identifiable natural person.
Processing | Any operation performed on Personal Data (collection, storage, use, disclosure, etc.).
Controller | PEKI, which determines the purposes and means of Processing.
Processor | Third-party service provider acting on PEKI’s documented instructions.
2. Categories of Personal Data Collected
Category | Examples | Legal Basis (GDPR Art. 6)
Identity Data | Full name, date of birth, government ID (for customs) | Contract fulfillment, Legal obligation
Contact Data | Email, phone, shipping/billing address | Contract fulfillment
Transaction Data | Order history, payment method (tokenized), cart contents | Contract fulfillment
Technical Data | IP address, browser type, device ID, geolocation | Legitimate interests (security, analytics)
Usage Data | Pages viewed, clickstream, time spent | Legitimate interests (service improvement)
Marketing Data | Preferences, survey responses | Consent (where required)
Sensitive Data | Allergy information (voluntarily provided) | Explicit consent
We do not actively collect Special Category Data under GDPR Art. 9 unless voluntarily disclosed (e.g., “I have eczema”).
3. Methods of Collection
1. Direct Interactions: Account registration, checkout, contact forms.
2. Automated Technologies: Cookies, pixels, server logs, Google Analytics 4 (anonymized IP), Meta Pixel.
3. Third-Party Sources: Payment gateways (Stripe, PayPal), shipping carriers (DHL, FedEx), social login (Google, Apple).
4. Purposes and Legal Bases for Processing
Purpose | Legal Basis
Order fulfillment & shipping | Performance of contract (Art. 6(1)(b))
Donation matching under Buy One, Give One | Legitimate interests (Art. 6(1)(f)) – social impact
Fraud prevention & security | Legitimate interests
Marketing communications | Consent (Art. 6(1)(a)) or soft opt-in (GDPR Rec. 47)
Legal compliance (tax, customs) | Legal obligation (Art. 6(1)(c))
Aggregate analytics | Legitimate interests
5. International Data Transfers
PEKI operates globally. Personal Data may be transferred to:
• South Korea (adequacy decision pending; safeguarded via Binding Corporate Rules – BCRs);
• United States (Data Privacy Framework or Standard Contractual Clauses – SCCs);
• Brazil, EU, UK (local subsidiaries or SCCs).
We execute EU SCCs (2021/914) with all non-adequate recipients and conduct Transfer Impact Assessments (TIAs) per Schrems II.
6. Data Sharing and Disclosure
Recipient | Purpose | Safeguards
Payment Processors | Transaction execution | PCI-DSS compliance
Logistics Partners | Global shipping | DPA with SCCs
Non-Profit Partners | Donation fulfillment | Anonymized data only
Cloud Providers | Data storage | ISO 27001, SOC 2
Legal Authorities | Compliance requests | Only with valid legal process
We do not sell Personal Data (as defined under CCPA §1798.140(t)).
7. Data Subject Rights
You have the following rights (subject to local law):
Right | Jurisdiction | Exercise Method
Access | Global | hello@peki.shop
Rectification | Global |
Erasure (“Right to be Forgotten”) | GDPR, CCPA |
Restriction of Processing | GDPR |
Data Portability | GDPR |
Objection | GDPR (Art. 21) |
Withdraw Consent | Where consent is basis |
Non-Discrimination | CCPA |
Requests must include sufficient identity verification. We respond within:
• 30 days (GDPR, PIPA);
• 45 days (CCPA, extendable).
You may lodge a complaint with a supervisory authority (e.g., ICO, CNIL, KCC).
8. Data Security Measures
• Encryption: TLS 1.3 in transit; AES-256 at rest.
• Access Controls: Role-based access, 2FA, quarterly penetration testing.
• Incident Response: 72-hour breach notification (GDPR Art. 33).
• Vendor Audits: Annual SOC 2 reviews.
9. Data Retention Schedule
Data Type | Retention Period | Criteria
Order Data | 7 years | Tax compliance
Account Data | Until deletion request + 30 days |
Marketing Preferences | Until opt-out |
Logs | 12 months | Security
10. Cookies and Tracking
See our Cookie Policy (separate document). You may manage preferences via the Cookie Consent Banner (OneTrust-powered).
11. Children’s Privacy
The Platform is not directed to individuals under 16 (GDPR) or 13 (COPPA). We do not knowingly collect data from children. Verified parental consent is required otherwise.
12. Changes to this Policy
Material changes will be notified via:
• Email (registered users);
• Prominent Site banner.
Continued use after 30 days constitutes acceptance.
13. Contact Information
Data Protection Officer (DPO):
Email: dpo@peki.shop
Postal: PEKI Privacy Office, c/o Lee Ha Jung, Gangnam-gu, Seoul, Republic of Korea
EU Representative (Art. 27 GDPR):
[To be appointed – placeholder]

