Last updated: 2026-06-01
This policy is a standard template provided for reference only and should be reviewed by qualified legal counsel before use.
GRAGO (the “Company”) collects the minimum personal information necessary to provide business-travel and protocol services.
The information collected includes the following. Required: full name, organization and department, job title, contact details (telephone and email), and passport information (name in English, passport number and expiry date). Optional: seating, meal and accommodation preferences, frequent-flyer membership details, and emergency contacts.
In the course of providing services, the Company may additionally collect payment information, immigration records, itinerary and booking details, and the content of consultations and inquiries.
The Company uses the personal information it collects for the following purposes.
Delivering and fulfilling travel services, including flight and hotel reservations, airport protocol and meet-and-greet, and arranging vehicles and interpreters.
Operating the service and supporting clients, including notifications of booking changes or cancellations, itinerary confirmation, and responding to inquiries.
Performing and settling contracts, complying with statutory obligations, and improving service quality through analysis and statistics.
The Company destroys personal information without delay once the purpose of its collection and use has been achieved.
Where retention is required by applicable law, the information is kept for the relevant period. Records relating to contracts or withdrawal of subscription are retained for five years, records on payment and the supply of goods or services for five years, and records on consumer complaints or dispute resolution for three years.
Personal information whose statutory retention period has expired is securely destroyed using methods that prevent recovery.
The Company does not provide personal information to third parties without the data subject’s consent.
Where it is unavoidable for the provision of travel services, the Company may share the minimum information necessary with airlines, hotels and local partners that perform the service. In such cases, the recipient, the purpose, the items provided and the retention period are disclosed and consent is obtained in advance.
Where there is a specific provision of law or a lawful request from an investigative authority, information may be provided in accordance with the applicable procedures.
To deliver services smoothly, the Company may outsource certain tasks to external specialist providers.
Outsourced tasks may include payment processing, system operation and maintenance, and client consultation and notification delivery.
When entering into outsourcing agreements, the Company stipulates the matters required by applicable law to ensure that personal information is managed safely, and supervises the processor’s compliance.
Data subjects may at any time request access to, correction of, deletion of, or suspension of the processing of their personal information.
Such rights may be exercised in writing or by email, and the Company will act on the request without delay.
Where a data subject requests correction of an error in personal information, the Company will not use or provide the relevant information until the correction is complete.
The Company implements administrative, technical and physical safeguards for the secure handling of personal information.
Administrative measures include establishing and implementing an internal management plan and conducting regular staff training. Technical measures include access-rights management, access-control systems, encryption of personal information and operation of security software.
Physical measures include controlling access to server rooms, document storage and similar facilities.
The Company has designated a privacy officer who is responsible for overseeing the processing of personal information and for handling complaints and remedying harm to data subjects.
Inquiries regarding personal information, complaints and requests for remedy may be directed to the following contact. Email: privacy@grago.example, Telephone: +82-2-0000-0000.
For reports or consultations regarding infringement of personal information, you may also contact the relevant supervisory and dispute-mediation authorities.