Version 2026.06.11

Cosmain Privacy Policy

Effective 6/10/2026

Cosmain Privacy Policy

Effective date: June 11, 2026

This Privacy Policy explains how COSMAIN ("Cosmain", "we", "us", or "our") collects, uses, shares, and protects personal information when buyers, suppliers, account users, and website visitors use Cosmain websites, the Cosmain Console, catalog, order, payment, support, and related B2B services.

Cosmain is a Korean B2B cosmetics sourcing and wholesale platform. The service is intended for business users, not for personal household purchasing.

1. Who We Are

Controller / business operator:

코스메인(COSMAIN) / COSMAIN
Business Taxpayer ID Number: 462-56-00108
Representative: Kim Yulia
Business registration date: November 22, 2016
4193, 365 Incheon tower-daero, Yeonsu-gu, Incheon, Republic of Korea
Korean address: 인천광역시 연수구 인천타워대로 365, 103동 50층 5006호(송도동, 힐스테이트 송도 더스카이)
Email: info@cosmain.kr
Phone: +82-10-3907-7454

2. Scope

This Privacy Policy applies to personal information processed through:

Cosmain public websites and business inquiry forms;
Cosmain Console accounts;
catalog, cart, preorder, order, invoice, payment, shipment, and support functions;
account onboarding, access requests, buyer qualification, and admin-managed invitations;
cookies, analytics, and legal acceptance records connected with the service.

This Privacy Policy does not replace the privacy policies of third-party services that you choose to use, such as payment providers, messaging apps, or external websites linked from Cosmain.

3. Information We Collect

We collect personal information directly from you, from your company or account administrator, through your use of the service, and from service providers used to operate the platform.

Account and Contact Information

We may collect:

name;
business email address;
phone number;
company name;
job or business contact details;
account status, role, permissions, assigned account, and account manager;
preferred language, currency, country, and timezone;
password hash, authentication status, reset-token status, and login timestamps.

Business Qualification and Access Request Information

When you request access or complete buyer onboarding, we may collect:

business name and contact name;
work email, phone number, website, marketplace, social media, or other public business links;
country or target market;
company description and free-text messages;
business stage, business type, sales channels, current categories, current brands, portfolio size, target segment, launch timeline, first-order budget range, monthly turnover range, Korea sourcing experience, and support needs;
referral source or partner referral information;
review status, approval status, assigned manager, admin comments, and request history.

Catalog, Cart, Order, and Commercial Information

When you use the protected platform, we may collect:

catalog searches, selected products, cart lines, quantities, buying mode, pricing context, and product preferences;
order, preorder, invoice, payment, ledger, and shipment records;
billing and shipping addresses, country, region, city, postal code, address lines, address label, and phone number;
incoterm, currency, market country, shipping method, delivery instructions, and order notes;
payment method selection, payment status, payment messages, payment references, and payment review status;
generated commercial documents such as proforma invoices, sales invoices, packing lists, and shipping documents.

Payment and Payment Proof Information

Cosmain may process payment-related information needed to issue invoices, confirm payment, reconcile payments, and prevent payment errors or fraud.

Depending on the payment method, this may include:

invoice identifiers, order identifiers, payment method, payment amount, currency, exchange-rate snapshot, payment status, and payment timing;
PayPal order identifiers, capture identifiers, payment status, and provider response details needed to confirm payment;
Wise payment references, expected amount, Wise transaction identifiers, sender name when available from Wise, balance statement data relevant to reconciliation, and payment status;
uploaded payment proof files, including PDF, JPEG, PNG, or WebP files, file names, object keys, and related invoice information;
contact details submitted for manager-assisted payment methods, such as phone number, email, messaging handle, or other preferred contact channel.

We do not intentionally collect full card numbers through Cosmain. Card or wallet payment details entered through PayPal are processed by PayPal according to PayPal's own terms and privacy practices.

Support, Messaging, and Communications

When you contact Cosmain or use support functions, we may collect:

support messages and payment messages;
contact channel preferences, such as email, phone, WhatsApp, Telegram, or other contact method;
chat or manager communication records where a supported messaging integration is used;
notification records related to access requests, order events, payments, shipment updates, and account support.

Uploaded Files and Generated Documents

The service may store files and document metadata connected with:

payment proofs;
invoices and invoice exports;
shipment documents;
packing lists;
supplier or internal documents used by staff to support orders;
media or documents uploaded by administrators for business operations.

You should not upload unnecessary personal information or sensitive personal information unless it is needed for a business transaction, payment confirmation, shipping, customs, or support request.

Device, Usage, Security, and Log Information

We may collect:

IP address;
browser and device information;
user agent;
request path, timestamps, and request metadata;
authentication, password reset, invitation, and magic-link events;
rate-limit and abuse-prevention logs;
performance and diagnostic events;
legal document acceptance records, including document version, content hash, acceptance time, IP address, user agent, locale, and acceptance surface.

Cookies, Local Storage, and Similar Technologies

Cosmain uses essential cookies and browser storage to operate the service. These may include session cookies, language preferences, currency preferences, cookie preference records, and other settings required for authentication, navigation, account preferences, cart behavior, and security.

If you allow analytics cookies, Cosmain may use analytics tools such as Google Analytics and Yandex Metrica to understand website and platform usage. Analytics cookies are optional where consent is required. You can manage analytics preferences through the cookie preference controls.

4. How We Use Personal Information

We use personal information to:

provide, operate, and secure Cosmain websites and the Cosmain Console;
review access requests and verify whether a company is suitable for B2B wholesale access;
create and manage user accounts, roles, authentication, invitations, and password resets;
provide catalog access, product review, cart, preorder, order, invoice, payment, and shipment functions;
prepare pricing, MOQ, documentation, order, and support context for your company;
process payment method selection, payment confirmation, reconciliation, and payment support;
generate commercial documents, invoices, packing lists, and shipment documents;
communicate with you about access requests, account status, orders, invoices, payments, shipments, and support;
prevent abuse, fraud, unauthorized access, payment errors, and security incidents;
maintain audit logs for legal document versions, consent choices, payment review, order status, and staff actions;
improve service performance, buyer experience, catalog usability, and business operations;
comply with legal, tax, accounting, trade, customs, sanctions, payment, and regulatory obligations;
establish, exercise, or defend legal claims.

Summary of Collection, Use, Sharing, and Retention

The table below summarizes the main categories of personal information processed by Cosmain. Retention periods may be longer where required for tax, accounting, trade, customs, payment, dispute, security, fraud-prevention, or legal reasons.

Data category	Main purpose	Legal basis where required	Shared with	General retention
Account and contact information, including name, business email, phone number, company, role, account status, language, currency, and login history	Create and manage accounts, authenticate users, provide account support, assign account access, and communicate service updates	Contract, legitimate interests, legal obligation	Hosting and database providers, email provider, CRM or account-management systems, internal staff and assigned managers	While the account is active, then generally up to 6 years after closure or last business transaction, unless a longer period is required
Access request and buyer qualification information, including company profile, public business links, sales channels, budget range, launch timeline, support needs, market, referral source, and review status	Review company suitability for B2B access, prepare sourcing support, prevent abuse, and maintain account history	Legitimate interests, pre-contract steps, consent where required	Internal staff, assigned managers, CRM systems, email provider, referral or partner systems where applicable	Generally up to 3 years after rejection, withdrawal, or last interaction; converted account records may be retained with the account
Catalog, cart, preorder, and order information, including product selections, quantities, pricing context, currency, incoterm, order notes, and order status	Provide catalog, cart, order, preorder, fulfillment, and buyer-support functions	Contract, legitimate interests, legal obligation	Internal staff, suppliers, warehouses, logistics providers, CRM systems, hosting and database providers	Generally up to 6 years after the related transaction, or longer if required for tax, accounting, trade, or dispute records
Billing and shipping information, including address, country, city, region, postal code, phone number, delivery notes, and contact details	Prepare invoices, arrange delivery, support customs/logistics, and complete order fulfillment	Contract, legal obligation, legitimate interests	Suppliers, warehouses, carriers, logistics providers, customs brokers, payment-support partners, internal staff	Generally up to 6 years after the related transaction, or longer if legally required
Invoice, payment, and reconciliation information, including invoice identifiers, payment method, payment amount, currency, exchange-rate snapshot, payment references, PayPal order/capture identifiers, Wise references, transaction identifiers, sender name when available, and payment status	Issue invoices, process or confirm payment, reconcile payments, prevent errors or fraud, and maintain accounting records	Contract, legal obligation, legitimate interests	PayPal, Wise, banks, accountants, auditors, payment-support partners, internal staff, hosting and database providers	Generally up to 7 years after the financial record is created, or longer if required by law or dispute handling
Payment proof files and related metadata, including uploaded PDF/image proofs, file name, file type, object key, invoice, and payment method	Verify payment, support accounting review, prevent payment disputes, and handle order conversion or release	Contract, legal obligation, legitimate interests	File storage provider, internal staff, accountants, auditors, payment-support partners where needed	Generally retained with the related payment or invoice record, usually up to 7 years unless earlier deletion is appropriate and lawful
Support, payment, and manager communication records, including messages, contact preferences, contact handles, and support history	Respond to buyer questions, coordinate payment or shipment issues, and maintain service history	Contract, legitimate interests, consent where required	Email provider, WhatsApp/Telegram/Matrix or other chosen channel providers, notification providers, internal staff and assigned managers	Generally up to 3 years after the support issue or relationship ends, unless linked to an order, payment, or legal record
Uploaded business, shipment, supplier, or internal documents and generated commercial documents	Prepare and manage invoices, shipment documentation, packing lists, order records, supplier review, and trade support	Contract, legal obligation, legitimate interests	File storage provider, suppliers, warehouses, logistics providers, customs brokers, accountants, auditors, internal staff	Generally retained with the related transaction or business record, usually up to 6-7 years depending on document type
Device, log, security, and diagnostic information, including IP address, user agent, timestamps, request metadata, rate-limit events, and performance logs	Secure the service, prevent abuse, diagnose errors, operate infrastructure, and investigate incidents	Legitimate interests, legal obligation	Hosting and infrastructure providers, security/logging systems, internal technical staff	Usually retained for a limited operational period, commonly 12-24 months, unless needed for security investigation or legal reasons
Cookie preferences and analytics information, including local cookie preference records, analytics consent status, browser identifiers, and usage events when analytics is enabled	Remember preferences, operate the site, understand usage, and improve service performance	Consent for optional analytics where required; legitimate interests for essential cookies	Analytics providers such as Google Analytics and Yandex Metrica where enabled, hosting providers	Essential preference records are kept until changed, deleted, or expired; analytics retention depends on provider settings and consent status
Legal acceptance and consent records, including document type, version, content hash, acceptance or withdrawal status, timestamp, IP address, user agent, locale, and acceptance surface	Prove which legal document version or consent choice applied to a user and manage revised-document acceptance	Legal obligation, legitimate interests, consent where applicable	Hosting and database providers, internal staff, legal advisors where needed	Generally retained for the life of the account and as long as needed for legal, audit, or dispute purposes

5. Legal Bases Where Applicable

Where data protection law requires a legal basis, we rely on one or more of the following:

Contract: to provide account access, catalog access, orders, invoices, payment support, and related services requested by you or your company.
Legitimate interests: to operate and secure a B2B sourcing platform, verify business users, prevent abuse, support orders, improve service performance, and maintain business records.
Consent: for optional analytics cookies, certain marketing communications, or other processing where consent is required.
Legal obligation: for tax, accounting, payment, customs, export, compliance, recordkeeping, and regulatory requirements.
Legal claims: where processing is necessary to establish, exercise, or defend legal rights.

You may withdraw consent where processing is based on consent. Withdrawal does not affect processing that occurred before withdrawal.

6. How We Share Personal Information

We share personal information only where needed for the purposes described in this Privacy Policy.

Service Providers

We may share information with service providers that help us operate the platform, including providers for:

hosting, database, infrastructure, and application operations;
file storage and signed upload/download links;
email delivery;
analytics, where analytics is enabled;
payment processing and payment reconciliation;
messaging, notifications, and support communications;
CRM, business operations, and account management;
security, logging, diagnostics, backup, and system administration.

Payment Providers

When you use PayPal or Wise-related payment functions, information needed to create, confirm, reconcile, or support the payment may be processed by PayPal, Wise, and related infrastructure providers.

Suppliers, Logistics Providers, and Trade Support

For orders and shipments, we may share necessary business, order, product, invoice, address, and contact details with suppliers, warehouses, logistics providers, customs brokers, carriers, inspection partners, and other parties involved in sourcing, documentation, payment, fulfillment, and delivery.

Messaging and Contact Channels

If you choose to communicate through WhatsApp, Telegram, email, phone, or another channel, the relevant channel provider may process your information according to its own terms and privacy practices.

Professional, Legal, and Compliance Recipients

We may share information with accountants, banks, auditors, legal advisors, insurers, public authorities, regulators, courts, law enforcement, or other parties where needed for compliance, legal claims, risk management, or business administration.

Business Transfers

If Cosmain is involved in a merger, acquisition, restructuring, financing, sale of assets, or similar business transaction, personal information may be disclosed or transferred as part of that transaction, subject to appropriate safeguards.

7. International Transfers

Cosmain is based in the Republic of Korea and works with international buyers, suppliers, and service providers. Your information may be processed in Korea and in other countries where our service providers, payment providers, analytics providers, messaging providers, suppliers, logistics partners, or business systems operate.

Where required by applicable law, we use appropriate safeguards for international transfers, such as contractual protections or other lawful transfer mechanisms.

8. Retention

We keep personal information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide services, support orders, maintain business records, comply with law, resolve disputes, prevent fraud, and enforce agreements.

Retention periods vary by data type. For example:

account records are generally kept while the account remains active and for a reasonable period after closure;
access request and buyer qualification records are kept as needed for account review, fraud prevention, business history, and compliance;
order, invoice, payment, shipping, tax, accounting, and trade records may be kept for the period required by applicable law and business recordkeeping needs;
payment proof files are kept as needed for payment review, accounting, dispute handling, and legal compliance;
security logs, rate-limit logs, and diagnostic records are kept for a limited period unless needed for investigation or legal compliance;
legal acceptance and consent records may be kept as long as needed to prove which document version or consent choice applied.

When information is no longer needed, we delete it, anonymize it, or retain it only in a restricted form where lawful and appropriate.

9. Security

We use administrative, technical, and organizational measures designed to protect personal information. These measures include access controls, authentication controls, signed file upload and download links, role-based admin access, audit records, and operational safeguards.

No online service can guarantee absolute security. You are responsible for keeping account credentials confidential, using secure devices and networks, and promptly telling us if you believe your account or company information has been misused.

10. Your Choices and Rights

Depending on your location and applicable law, you may have rights to:

request access to personal information we hold about you;
request correction of inaccurate or incomplete information;
request deletion of personal information;
request restriction of processing;
object to certain processing;
withdraw consent where processing is based on consent;
request portability of information you provided to us;
opt out of certain analytics or marketing processing;
lodge a complaint with a data protection authority.

To make a request, contact us at info@cosmain.kr. We may need to verify your identity, account, company relationship, or authority before responding.

We may retain or continue processing certain information where permitted or required by law, including for order records, invoices, payment records, tax records, fraud prevention, security, dispute resolution, legal claims, or compliance obligations.

11. California Privacy Notice

This section applies to California residents where the California Consumer Privacy Act, as amended, applies to Cosmain.

Categories of Personal Information

Depending on how you use the service, we may collect the following categories of personal information:

identifiers, such as name, email address, phone number, account identifier, IP address, and online identifiers;
customer records information, such as billing and shipping address, company contact information, and payment-related records;
commercial information, such as catalog activity, cart contents, orders, invoices, payment status, and product selections;
internet or electronic network activity, such as device, browser, log, cookie, analytics, and usage information;
geolocation information at an approximate level inferred from IP address or country information you provide;
professional or employment-related information, such as company name, business role, business type, channels, and buyer qualification information;
inferences drawn from business qualification answers and platform activity to support account review, sourcing support, and order management;
sensitive personal information only if it appears in uploaded documents or free-text fields that you provide. Cosmain does not request sensitive personal information for ordinary account use.

Sources

We collect information from you, your company, account administrators, your use of the platform, service providers, payment providers, messaging providers, logistics and trade partners, and publicly available business information you provide for verification.

Purposes

We use the categories above for the business and commercial purposes described in this Privacy Policy, including account review, service operation, order fulfillment, payment support, security, analytics where enabled, compliance, and business communications.

Sharing, Sale, and Targeted Advertising

Cosmain does not sell personal information for money. Cosmain does not knowingly sell or share personal information of individuals under 16.

If analytics or advertising technologies are later configured in a way that constitutes "sharing" under California law, we will provide the required notice and opt-out controls. At present, analytics cookies are controlled through cookie preferences where required.

California Rights

California residents may have the right to know, access, correct, delete, opt out of sale or sharing, limit use of sensitive personal information, and not be discriminated against for exercising privacy rights. To submit a request, contact info@cosmain.kr.

12. Korea Privacy Rights

Where the Personal Information Protection Act of Korea applies, you may have rights to request access, correction, deletion, suspension of processing, and withdrawal of consent as provided by applicable law.

Requests may be sent to info@cosmain.kr. We may ask for information needed to verify the request and protect account security.

13. EU/UK and Other International Users

Where the GDPR, UK GDPR, or similar laws apply, you may have rights to access, rectification, erasure, restriction, objection, portability, withdrawal of consent, and complaint to a supervisory authority.

Cosmain may process information as a controller for account, buyer, order, payment, support, analytics, and legal compliance purposes. In limited cases, Cosmain may process information on behalf of a company account, supplier, logistics provider, or business partner according to the relevant commercial arrangement.

14. Marketing Communications

We may send service communications related to access requests, accounts, orders, invoices, payments, shipments, and support. These are not optional marketing messages.

If we send optional marketing communications, you may opt out using the unsubscribe method in the message or by contacting info@cosmain.kr. We may still send service, transactional, account, legal, or security messages.

15. Children

Cosmain is a B2B service and is not intended for children. We do not knowingly collect personal information from children. If you believe a child has provided personal information to Cosmain, contact info@cosmain.kr.

16. Third-Party Links and Services

The service may link to third-party websites, payment pages, messaging apps, social media, supplier materials, or external resources. Third-party services are responsible for their own privacy practices. You should review their privacy policies before using them.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we may provide notice through the service, by email, or by requiring users to accept the updated version before continuing to use protected account features.

We maintain version records for legal documents and may record the document version, content hash, timestamp, IP address, user agent, locale, and acceptance surface when a user accepts a revised policy.

18. Contact Us

For privacy questions or requests, contact:

COSMAIN
Email: info@cosmain.kr
Phone: +82-10-3907-7454
Address: 4193, 365 Incheon tower-daero, Yeonsu-gu, Incheon, Republic of Korea