Privacy Policy

EZL Corp (“The Company” hereinafter) complies with related laws and regulations including the Act on the Promotion of Information and Communications Network Utilization and Information Protection, etc. and the Personal Information Protection Act. Toward this end, it established privacy policy (“The Privacy Policy” hereinafter) and complies with it.
The company discloses Privacy Policy on the first screen of Bus Tago Homepage (www.bustago.or.kr) (“Homepage” hereinafter) enabling users to inquire about the pertinent information at any time.
Privacy Policy may change according to revision of related laws and regulations, guidelines and internal policy and for other reasonable reasons, and the reasons and contents of the change will be disclosed in accordance with procedures as designated by related laws and regulations at a time of revision.

The Privacy Policy contains the followings.

  • 1. Items of Collected Personal Information and a Method of Collection
  • 2. Purpose of Collection and Use of Personal Information
  • 3. Providing and Sharing Personal Information to a Third Party
  • 4. Entrustment of Collected Personal Information
  • 5. The Period of Ownership and Use of Personal Information
  • 6. Deletion of Unused Customer Accounts
  • 7. Procedures for Destruction of Personal Information and Pertinent Methods
  • 8. Rights of Users and Their Legal Representatives and a Method of Exercise
  • 9. Matters on Installation/Operation and Rejection of Automatic Collection Equipment for Personal Information
  • 10. Technological/Administrative Measures for Protection of Personal Information and Notification on Leakage
  • 11. Contact Information on Privacy Supervisor and Related Personnel
  • 12. Other Matters
  • 13. Revision of Privacy Policy and Notification
1. Items of Collected Personal Information and a Method of Collection

The company deals with the following items of personal information.

1) Homepage Membership and Management
① Necessary items: ID, password, name, date of birth, email & mobile phone number, Personally Identifiable Number(CI), Gender
2) Tagless Member Management : Items collected when using the tag-less service
① Necessary items : Mobile Phone Number
3) Ticket Reservation, Issuing, Viewing Service,: Items collected when using the ticket service
① Reservation information : [Mandatory items] Departure , Destination, Departure time
② Credit card information : [Mandatory items] Credit card number, Date of birth
③ Frequently Used Card information : [Mandatory items] Credit card number, Date of birth
④ Issuing the ticket for the reservation : [Mandatory items] Date of birth, Mobile Phone Number
4) The following items of personal information can be automatically generated and collected in the course of use of the Internet service
① IP address

The company collects personal information in following ways.
1) Collected from users
2) Collected through personal authentication system (Mandatory : Name, Date of birth, Personally Identifiable Number (CI), Gender)
3) Collected from information automatically generated at a time of use of the Internet
4) Collected from credit card information earned at a time of a reservation and cancellation

2. Purpose of Collection and Use of Personal Information

The company collects personal information for following purposes and uses collected personal information only for pertinent purposes.
1) Implementation of the contract on provision of services and calculation of service fees
Provision of contents and specific customized services, delivery of goods, transmission of bills, personal authentication, purchase and calculation and collection of service fees
2) Membership management
Identification according to usage of membership service and limited identification system, individual identification, prevention of fraudulent use by illegitimate members, prohibition of unauthorized use, confirmation on membership intention, preservation of records for adjustment of disputes, handling of civil applications including complaints, the latest information including announcement, information on change in services, channels of communications with customers including results of consultations and inactivation of customer accounts that have not been used for a long time and etc.
3) Service Management
Service quality management through the monitoring system
4) Tagless Member Management
Personal verification, individual identification, preventing illegal use of faulty members and preventing unauthorized use, verification of membership subscription, retention of records for dispute resolution, processing of complaints, providing latest information, information on changes to the service, communication with customers, processing of dormant account for long-term inactive members, transmission of telephone numbers to HCE service to identify the passenger as related to the operation of the tag-less service

* Purpose of Collecting and Using Optional Items

1. Purpose of Collecting and Using Gender Information
Personal verification for the service usage
2. Purpose of Collecting and Using E-Mail Address
Personal verification, delivery of notices and processing of complaints for the service usage

3. Providing and Sharing Personal Information to a Third Party

The Company uses the personal information of clients within the scope notified in [2. Purpose of Collecting and Using Personal Information], will not use beyond the said scope without a prior consent of the clients, and as a rule, the personal information of a client will not be disclosed to the outside.
1) In case the user consents to providing to a third party
The Company may provide the personal information of a client to an affiliated company or share with an affiliated company in order to provide a better service. In case the Company provides or shares the personal information, the Company will obtain a prior consent, and in such a case, the Company will request a consent of the members by stipulating the purpose of using the personal information by the persons provided with the information, items of personal information provided, the retention and use period of personal information by the person provided with the personal information, the fact the users have the right to refuse to provide the consent on the information provision and any disadvantages from refusing to provide the consent, etc.

Providing and Sharing Personal Information to a Third Party
Person provided with the information TubeBox Co.
Purpose of provision and use In order to identify the individual discount coupon list and the discount coupon box
Items of personal information provided The encrypted user number randomly created upon individual membership registration
The period of retention and use of the personal information by the person provided with the information Upon membership withdrawal or upon close of the partnership
Providing and Sharing Personal Information to a Third Party
Person provided with the information Lotte Card Co., Ltd.
Purpose of provision and use Verification of subjects of affiliated promotions and processing of promotion-related duties
Items of personal information provided Personally identifiable number (CI), Client identifiable serial number, name (only when participating in events)
The period of retention and use of the personal information by the person provided with the information During the user’s use of the Mobile Bus Tago application
4. Entrustment of Collected Personal Information

The company uses outside services in charge of customers’ personal information in order to provide services and designates provisions on safe management of personal information at a time of entrustment contract in accordance with related laws and regulations.
The present personal information processing entrustment institution and its obligations are as follows.

Entrustment of collected personal information
Entrustment institution Entrusted obligations
Lotte Data Communication Company Homepage management & comprehensive management of information system
Booil Information Link Corp. Operation of Customer Service Center for improved efficiency in consulting

If it is entrusted with sending gifts to customers after an event, it is handled based on prior approval from pertinent customers.

5. The Period of Ownership and Use of Personal Information

Personal information on customers shall be immediately destroyed once it fulfills the purpose of collection and use of personal information in principle, provided that the following information shall be preserved for a specified period of time for reasons specified as below.
1) Preservation of information in accordance with related laws and regulations
① Records on contracts and revocation: Five (5) years (Act on the Consumer Protection in the Electronic Transactions, etc.)
② Records on payment and supply of goods: Five (5) years (Act on the Consumer Protection in the Electronic Transactions, etc.)
③ Records on handling of consumer complaints and resolution to disputes: Three (3) years Act on the Consumer Protection in the Electronic Transactions, etc.)
④ Records on identification: Six (6) months (Act on the Promotion of Information and Communications Network Utilization and Information Protection, etc.)
⑤ Records on visits to websites: Three (3) months (Protection of Communications Secrets Act)
⑥ Until members are withdrawn

6. Deletion of Unused Customer Accounts

The company divides membership accounts into active accounts and inactive ones in order to protect personal information on customers. If there is no record on login or usage of homepage for one year, it shall be classified into an inactive account in order to protect personal information on customers, and customers’ personal information shall not be used and offered to partner companies (third party-agreed partner companies).

(The effective date: August 18, 2015)

7. Procedures for Destruction of Personal Information and Pertinent Methods

Personal information on customers shall be immediately destroyed once it fulfills the purpose of collection and use of personal information in principle. Procedures for destruction of personal information by the company and its method shall be as follows.
1) Procedures for destruction
Information that users entered to subscribe to membership shall be immediately destroyed in accordance with reasons (refer to the period of ownership and usage) for information protection specified in internal principles and other related laws and regulations once it fulfills intended purposes.
- Processing of destroying the dormant account of long-term inactive clients: We destroy the dormant accounts, without use records with a 30-day prior notice, in cases of no access or use for 1 year or longer (Refer to the Article 6 Dormant Account of Long-Term Inactive Members).
- Procedure of Destroying the Membership Withdrawal (Account Withdrawal): upon implementing 'Change My Info' > 'Withdrawal,' the use and provision to a third party is suspended immediately, and the personal information of the client is destroyed within 5 days (Refer to Article 8 Rights of the Users and Legal Representatives and the Exercise Thereof).
- Procedure for Destruction Upon Withdrawal of Consent to an Event: A client may make a request for withdrawal from an event or use by contacting the customer center (+82-2-585-0966, +82-1644-0006) by referring the “Article 8 Rights of the Users and Legal Representatives and the Exercise Thereof,” and the withdrawal and destruction will be implemented pursuant to the internal policy and guidelines (The information on the outcome of the withdrawal can be provided by the customer center).
2) Methods of destruction
① Printed personal information shall be shredded or incinerated.
② Personal information saved in electronic files shall be deleted through the use of irrevocable technical methods.

8. Rights of Users and Their Legal Representatives and a Method of Exercise

Customers may exercise the following rights related to protection of personal information at any time.

1) Request for view on personal information
2) Request for correction at a time of errors
3) Request for deletion
4) Request for suspension of handling

As for methods of exercise of rights, make sure to view personal information offered in Correct My Information Menu in the homepage and revise contact information, address and email information. In addition, one can proceed with withdrawal through ‘Withdraw from Membership.’

If it is impossible to exercise rights on the homepage, make sure to contact personnel in charge of protecting personal information in writing or via phone or email. Then, the company will take necessary measures immediately. If users made a request to correct errors in personal information, the pertinent personal information shall not be used or provided until correction is completed. In addition, if incorrect personal information was already provided to a third party, the result of correction shall be immediately notified to rectify situation.

The company shall deal with personal information cancelled or deleted as per requests made by a user or a legal representative in accordance with "5. Period of Ownership and Usage of Personal Information" and ensure that it shall not be viewed or used for other purposes.

9. Matters on Installation/Operation and Rejection of Automatic Collection Equipment for Personal Information

The company shall not use cookie that frequently saves and detects information on customers.

10. Technological/Administrative Measures for Protection of Personal Information and Notification on Leakage

The company shall take the following technological/administrative measures in order to secure stability so that personal information on customers cannot be lost, stolen, leaked, altered or damaged.

1) Technological measures
① Encryption of personal information
Personal information on customers shall be encrypted at a time of storage and transmission, and important data shall be protected through separate security functions.
② Technological measures against hacking
The company takes measures to prevent damage caused by computer viruses through the use of vaccine programs. The vaccine programs are regularly updated, and if viruses suddenly appear, the company provides vaccine programs as soon as they are released to prevent personal information from being violated. In the meantime, the company adopts security system that enables users to transmit personal information on the network through the use of encryption algorithm. In addition, it installs a firewall against such outside invasion as hacking and does whatever it can to enhance security through the use of intrusion prevention system and vulnerability detection system installed in each server.
③ Restriction in access to personal information processing system
The company does not combine personal information with general information for the purpose of storage. It also designates a computer room and a data storage room as a special protection area to control access.
The company has only the pertinent personnel deal with personal information on customers and grant a separate password to update it on a regular basis. It provides education to personnel in charge on a frequent basis in order to emphasis the importance of compliance with Privacy Policy all the time. It is making efforts to check out implementation of policy on protection of personal information and compliance with a person in charge through an in-house administrative organization so that detected problems can be instantly corrected.
Personal information on customers shall be thoroughly protected through the use of a password. Only the customers know their ID password, and they shall confirm and change their personal information because they are the only ones who know their password. Accordingly, customers are advised not to disclose their password. Toward this end, customers are advised to log out online and finish a web browser after using a PC in principle. In particular, if they share a PC with others or use a PC in a public place (a company, a school, a library, an Internet game room and etc.), the above-mentioned procedures are more required to prevent personal information from being disclosed to others.

2) Administrative measures
① Control and education for personal information handlers
The company shall minimize the number of persons authorized to access personal information on customers as follows.
i. Those who conduct direct marketing activities toward users
ii. Those who manage personal information including Privacy Supervisor and Privacy Personnel
iii. Those who are obligated to handle personal information due to business
The company also provides regular in-house education and external entrusted training to employees in charge of handling personal information with regard to acquisition of new security technologies and obligation to protect personal information. It also prevents information from being leaked through security pledge written by all employee at a time of employment and establishes internal procedures for inspection on implementation of policy on protection of personal information and compliance with employees. Transfer of business by personal information handlers shall be thoroughly conducted under tight security, and the company clearly defines responsibilities for accidents caused by personal information after employment and retirement.
The company shall not take responsibility for losses caused by accidents occurring due to users’ carelessness or in areas uncontrolled by the company despite the fact that the company fulfilled its responsibility as a personal information handler.
If personal information was lost, leaked, altered and damaged due to internal administrator’s mistakes or administrative and technological accidents, the company shall make a notification to customers and take appropriate measures to come up with compensation plans.
② The company acquired Information Security Management System (ISMS) from KISA for the purpose of protection of information on users before operating it.

3) Notification on leakage of personal information
The company is doing its utmost to protect personal information on its members by taking technological and administrative measures to protect personal information, but if it finds out that personal information was leaked for such unexpected reasons as hacking, it would immediately notify the situation to its members in writing or via email, FAX, phone, mobile phone or text messages or in other similar ways.
① Items of leaked personal information
② The time of leakage and details
③ Information on what members can do to minimize damage caused by leakage
④ Responses and remedial procedures followed by the company
⑤ The company will disclose a department in charge of accepting complaints and related contact information in case of occurrence of losses caused to its members,
and if personal information was leaked, related matters will be disclosed in detail on the first screen of the homepage along with notification to its members.

11. Contact Information on Privacy Supervisor and Related Personnel

Customers may report all complaints related to protection of personal information by using corporate service to Privacy Supervisor. The company shall provide prompt and detailed responses to complaints lodged by users.

Contact information on Privacy Supervisor and Privacy Personnel
  National Bus Transportation Association
Privacy Supervisor Privacy Manager
Name of Department Computer Business Team Computer Business Team
Name Hae-gwon Jeong Beom-yong Kim
Position Section Chief Employee
Telephone 02)585-0966 02)585-0966
Email jhkdoublez@naver.com kimbeomyong@gmail.com
개인정보보호책임 및 담당자 연락처
  EZL Corp
Privacy Supervisor Privacy Manager
Name of Department IT Division IT Division
Name Yeon-woo Lee Cheon-ju Yun
Position Division Head Team Leader
Telephone 1644-0006 1644-0006
Email c-privacy@myezl.com c-privacy@myezl.com

1) Remedial measures taken at a time of violation of rights and interests
The main agent of information may file an application for resolution to disputes or consultations with KOPICO and KISA Personal Information Invasion Report Center.
If you have any inquiries about complaints about invasion of personal information and counseling, make sure to contact the following institutions.


- The Police Headquarters Cyber Security Bureau
  ([Without a telephone exchange number] 182, http://www.cyber.go.kr)
- The Supreme Public Prosecutors Office Cyber Criminal Investigation Division
  ([Local number]+1301, http://www.spo.go.kr)
- Personal Information Invasion Report Center (Operated by Korea Internet & Security Agency)
  ([Without a telephone exchange number] 118, http://privacy.kisa.or.kr)
- Personal Information Dispute Mediation Committee (Operated by Korea Internet & Security Agency)
  ([Without a telephone exchange number] 118, https://kopico.go.kr)
12. Other Matters

1) Operation of Customer Service Center
The company operates Customer Service Center in order to facilitate communications with customers.
[Customer Service Center] 1644-2992
The company can provide customers with links to websites and data operated by other companies. In that case, the company does not have any control over external websites and data, so it will not be responsible for usefulness of offered services or data. If you move to another website by clicking a link introduced by the company, Privacy Policy of the pertinent website has nothing to do with the company, so it is advised to review policy of the new website.
3) Transmission of advertising information
The company shall not transmit advertising information for profit against customers’ will. If customers agree to send electronic mails including newsletters or transmit advertising information on products for online marketing via emails, the company shall take appropriate measures to help customers easily find out what they are about by using titles and the texts of emails. If the company sends advertising information for profit via other text messages including fax and mobile text messages than emails, the company shall indicate “(Advertising)” in the beginning of the transmission in addition to sender’s contact information.

13. Revision of Privacy Policy and Notification

If the present Privacy Policy is added, deleted or revised, it shall be notified on the homepage or via email 7 days earlier, and if it is difficult to make a prior notification, it shall be immediately notified. The policy shall take effect for the date of notification.

- Date of public notification: January 20, 2022
- Date of implementation: January 20, 2022