In accordance with Article 30 of the Personal Information Protection Act, the Company (hereinafter
referred to as the “Company”) establishes and discloses the following personal information processing
guidelines in order to protect the personal information of the information subject and to promptly and
smoothly process complaints related thereto.
Article 1 (Purpose of processing personal information)
The Company processes personal information for the following purposes. The personal information being
processed will not be used for purposes other than the following, and in the event that the purpose of
use changes, necessary measures such as obtaining separate consent in accordance with Article 18 of the
Personal Information Protection Act will be implemented.
1. Website membership registration and management
Personal information is processed for the following purposes: confirmation of intent to register as a
member, identification and authentication of the person in accordance with the provision of membership
services, maintenance and management of membership qualifications, identity verification in accordance
with the implementation of the limited identity verification system, prevention of unauthorized use of
services, confirmation of consent of the legal representative when processing personal information of
children under the age of 14, various notifications and notices, handling of complaints, etc.
2. Provision of goods or services
Personal information is processed for the following purposes: delivery of goods, provision of services, sending
of contracts and invoices, provision of content, provision of customized services, identity
verification, age verification, payment and settlement of fees, debt collection, etc.
3.
Personal information is processed for the purpose of verifying the identity of the complainant,
verifying the complaint, contacting and notifying for fact-finding, and notifying the processing result.
Article 2 (Processing and retention period of personal information)
① The company processes and retains personal information within the retention and use period of personal
information stipulated by law or within the retention and use period of personal information agreed upon
by the information subject at the time of collection of personal information.
② The processing and retention period of each personal information is as follows.
1. Website membership registration and management: Until withdrawal from the business/organization
website.
However, in the following cases, until the end of the relevant reason:
1) In the case of an investigation or inquiry due to a violation of relevant laws and regulations, until
the end of the investigation or inquiry.
2) In the case of outstanding claims and debts arising from the use of the website, until the
settlement of the relevant claims and debts.
2. Provision of goods or services: Until the completion of the supply of goods and services and the
completion of payment and settlement.
However, in the following cases, until the end of the relevant period.
1) Records of transactions such as indications and advertisements, contract contents and performance,
etc. in accordance with the Act on Consumer Protection in E-commerce, etc.
- Records of indications and advertisements: 6 months
- Records of contract or subscription withdrawal, payment, supply of goods, etc.: 5 years
- Records of consumer complaints or dispute resolution: 3 years
2) Retention of communication fact confirmation data in accordance with Article 41 of the Protection of
Communications Secrets Act
- Subscriber telecommunication date and time, start and end time, other party subscriber number,
frequency of use, and base station location tracking data: 1 year
- Computer communications, Internet log records, access location tracking data: 3 months
Article 3 (Provision of personal information to third parties)
① The company processes the personal information of the data subject only within the scope specified in
Article 1 (Purpose of processing personal information), and provides personal information to third
parties only in cases corresponding to Articles 17 and 18 of the Personal Information Protection Act,
such as consent of the data subject or special provisions of laws. In other cases, the company does not
provide personal information of the data subject to third parties.
② In order to provide smooth services, the company may provide personal information to third parties
only to the minimum extent necessary with the consent of the data subject pursuant to Article 17,
Paragraph 1, Subparagraph 1 of the Personal Information Protection Act in the following cases.
- Recipient of personal information: <Example) OOO Card Co., Ltd.>
- Purpose of use of personal information by recipient: <Example) Business partnership such as joint
hosting of events and issuance of affiliated credit cards>
- Personal information items provided: <Example) Name, address, phone number, email address, card
payment account information>
- Period of retention and use by recipient: <Example) During the transaction period pursuant to the
credit card issuance contract>
Article 4 (Entrustment of personal information processing)
① In order to smoothly process personal information, the company entrusts personal information
processing as follows.
- Entrusted work content
- Trustee: Imweb Co., Ltd.
- Entrusted work content: Provision of system for shopping mall hosting service, mobile app service,
marketing service and additional, affiliate service provision, and notification talk, friend talk,
text message sending agency service, etc.
- Trustee: OOO PG
- Entrusted work content: Payment and escrow work
- Trustee: OOO Courier
- Entrusted work content: Product delivery work
- Trustee: OOO Customer Center
- Entrusted work content: Customer consultation work
- Trustee: OOO
- Entrusted work content: Identity verification work
- **Sub-entrustor**
- **Sub-entrustee: Imweb Co., Ltd. → Infobib (Co., Ltd.)**
- **Entrusted work content: Sending text messages, KakaoTalk notification talk (informational message)
sending work**
- **Sub-entrustee: Imweb Co., Ltd. → Lunasoft Co., Ltd.**
- **Contents of entrusted work: Sending text messages, KakaoTalk notifications (informational messages),
and Friend Talk messages**
② When concluding an entrustment contract, the company, in accordance with Article 25 of the Personal
Information Protection Act, specifies in a contract or other document matters related to prohibition of
processing personal information for purposes other than the performance of the entrusted work, technical
and administrative protective measures, restrictions on re-entrustment, management and supervision of
the trustee, compensation for damages, etc., and supervises whether the trustee safely processes
personal information.
③ In the event that the content of the entrusted work or the trustee changes, we will disclose it
without delay through this personal information processing policy.
Article 5 (Rights of the data subject and legal representative and methods of exercising such rights)
① The data subject may exercise the following rights related to personal information protection against
the company at any time.
1. Request to view personal information
2. Request for correction in case of error, etc.
3. Request for deletion
4. Request for suspension of processing
② The rights under Paragraph 1 may be exercised against the company in writing, by phone, e-mail,
facsimile (fax), etc., and the company will take action on this without delay.
③ If the data subject requests correction or deletion of personal information due to errors, etc., the
company will not use or provide the personal information until the correction or deletion is completed.
④ The rights under Paragraph 1 may be exercised through an agent, such as the data subject's legal
representative or an authorized person. In this case, a power of attorney in the format of Appendix 11
of the Enforcement Regulations of the Personal Information Protection Act must be submitted.
⑤ The data subject must not, in violation of the Personal Information Protection Act or other related
laws, infringe upon the personal information or privacy of the data subject or of others that the
company is processing.
Article 6 (Items of personal information processed)
The company is processing the following items of personal information.
1. Website membership registration and management
Required items: <Example) Name, date of birth, ID, password, address, phone number, gender, email
address, i-PIN number>
Optional items: <Example) Marital status, areas of interest>
2. Provision of goods or services
Required items: <Example) Name, date of birth, ID, password, address, phone number, email address,
i-PIN number, credit card number, bank account information, etc. payment information>
Optional items: <Areas of interest, past purchase history>
Article 7 (Destruction of personal information)
① When personal information becomes unnecessary due to the lapse of the personal information retention
period, achievement of the processing purpose, etc., the company will destroy the relevant personal
information without delay.
② When the personal information retention period agreed upon by the information subject has lapsed or
the processing purpose has been achieved but the personal information must be retained in accordance
with other laws and regulations, the personal information will be transferred to a separate database
(DB) or stored in a different location.
③ The procedures and methods for destroying personal information are as follows.
1. Destruction procedure
The company selects the personal information for which a reason for destruction has occurred and
destroys the personal information with the approval of the company’s personal information protection
officer.
2. Method of destruction
The company destroys personal information recorded and stored in electronic file formats so that the
records cannot be reproduced, and destroys personal information recorded and stored in paper documents
by shredding or incineration.
Article 8 (Measures to ensure the security of personal information)
The company is taking the following measures to ensure the security of personal information.
1. Administrative measures: Establishment and implementation of an internal management plan, regular
employee training, etc.
2. Technical measures: Management of access rights to personal information processing systems,
installation of access control systems, encryption of unique identification information,
installation of security programs
3. Physical measures: Access control to computer rooms, data storage rooms, etc.
Article 9 (Matters regarding the installation, operation, and refusal of automatic personal information collection devices)
① The company uses 'cookies' to store and periodically retrieve usage information in order to provide
customized services to users.
② Cookies are a small amount of information that the server (http) used to operate the website sends to
the user's computer browser and are stored on the user's PC or mobile device.
③ The information subject can set the web browser options to allow or block cookies, etc. However, if
you refuse to store cookies, you may experience difficulties in using customized services.
▶ Allow/block cookies in web browsers
- Chrome: Web browser settings > Privacy and security > Delete internet usage history
- Edge: Web browser settings > Cookies and site permissions > Manage and delete cookies and site
data
▶ Allow/block cookies in mobile browsers
- Chrome: Mobile browser settings > Privacy and security > Delete internet usage history
- Safari: Mobile device settings > Safari > Advanced > Block all cookies
- Samsung Internet: Mobile browser settings > Internet usage history > Delete internet usage
history
④ The company collects and uses the information to provide optimized information to users by identifying
the visit and usage patterns, popular search terms, and secure access status of each service and website
visited by the user during the service use process.
Article 10 (Personal Information Protection Manager)
① The company is responsible for the overall management of personal information processing, and has
designated the following Personal Information Protection Manager to handle complaints and provide
remedies for damages from information subjects related to personal information processing.
▶ Personal Information Protection Manager
Name: OOO
Position: OOO
Contact Information: <Phone Number>, <E-mail>, <Fax Number>
※ Connects to the Personal Information Protection Department.
▶ Personal Information Protection Department
Name: OOO Team
Contact Information: <Phone Number>, <E-mail>, <Fax Number>
② Information subjects may direct all personal information protection-related inquiries, complaints,
and requests for remedies that arise while using the company’s services (or business) to the
Personal Information Protection Manager and the department in charge. The company will respond to and
process inquiries from information subjects without delay.
Article 11 (Request to view personal information)
The data subject may request to view personal information in accordance with Article 35 of the Personal
Information Protection Act to the department below. The company will endeavor to process the data
subject's request to view personal information promptly.
▶ Department receiving and processing requests to view personal information
Department name: OOO
Contact information: <Phone number>, <E-mail>, <Fax number>
Article 12 (Methods of redress for infringement of rights)
The data subject may contact the institutions below for redress of damages and consultation regarding
infringement of personal information.
1. Personal Information Dispute Mediation Committee: (without area code) 1833-6972 (www.kopico.go.kr)
2. Personal Information Infringement Report Center: (without area code) 118 (privacy.kisa.or.kr)
3. Supreme Prosecutors' Office: (without area code) 1301 (www.spo.go.kr)
4. National Police Agency: (without area code) 182 (ecrm.police.go.kr/minwon/main)
Article 13 (Enforcement and Change of Personal Information Processing Policy)
This personal information processing policy is effective from 20XX. XX.