Privacy Policy <h1 style="text-align:center;">Privacy Policy</h1><p style="text-align:center;"> </p><h2><strong>1. Introduction</strong></h2><p style="margin-left:0px;">ARPI Inc. (hereinafter "the Company") processes personal data lawfully and manages it safely in compliance with the Personal Information Protection Act ("PIPA") of the Republic of Korea and related laws and regulations, for the purpose of protecting the freedoms and rights of data subjects. In accordance with Article 30 of the PIPA, the Company establishes and discloses this Privacy Policy to inform data subjects of the matters concerning the processing and protection of personal data and the procedures for exercising their rights, and to handle related grievances promptly and smoothly.</p><p style="margin-left:0px;">This service is provided in countries including the United States and Europe, and the Company complies with the personal data protection laws of each respective country. Matters commonly applicable to data subjects in all countries — including the purposes of processing, items collected, retention periods, third-party provision, and security measures — are set forth in this Privacy Policy. Additional rights of data subjects, consent requirements, and legal bases that apply on a country-specific basis may be found in the "Country-Specific Supplemental Notices" section.</p><p style="margin-left:0px;"> </p><h2><strong>2. Purposes of Processing, Items, Retention Periods, and Legal Basis</strong></h2><p style="margin-left:0px;">The Company processes personal data for the following purposes. Personal data being processed shall not be used for any purpose other than those listed below, and if the purpose of use changes, the Company will implement necessary measures such as obtaining separate consent in accordance with Article 18 of the PIPA.</p><p style="margin-left:0px;">The personal data items processed for data subjects in order to provide the service are as follows:</p><figure class="table" style="width:759px;"><table><thead><tr><th style="background-color:rgb(240, 240, 240);border-color:rgb(204, 204, 204);padding:10px 8px;text-align:center;"><strong>Category</strong></th><th style="background-color:rgb(240, 240, 240);border-color:rgb(204, 204, 204);padding:10px 8px;text-align:center;"><strong>Processing Purpose</strong></th><th style="background-color:rgb(240, 240, 240);border-color:rgb(204, 204, 204);padding:10px 8px;text-align:center;"><strong>Personal Data Items</strong></th><th style="background-color:rgb(240, 240, 240);border-color:rgb(204, 204, 204);padding:10px 8px;text-align:center;"><strong>Retention Period</strong></th><th style="background-color:rgb(240, 240, 240);border-color:rgb(204, 204, 204);padding:10px 8px;text-align:center;"><strong>Legal Basis</strong></th></tr></thead><tbody><tr><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;" rowspan="3">Membership Registration & Management</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Member Registration</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Email address, password</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Until account withdrawal</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Personal Information Protection Act Art. 15(1)(iv) (contract conclusion)</td></tr><tr><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Verification of Healthcare Professional Status</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Affiliated institution, institution type, position, department</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Until account withdrawal</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Personal Information Protection Act Art. 15(1)(iv) (contract conclusion)</td></tr><tr><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Medical Device Act Compliance & User Safety Management</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Email address, affiliated institution, institution type, position, department</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Until account withdrawal</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Personal Information Protection Act Art. 15(1)(iv) (contract conclusion) and Medical Device Act</td></tr><tr><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;" rowspan="2">Provision of Goods or Services</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">ECG Analysis Service</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">ECG data</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">6 hours after analysis completion</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Personal Information Protection Act Art. 15(1)(iv) (contract conclusion)</td></tr><tr><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Service Use & Payment</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Subscription info: license type, payment status, etc. Payment info: order number, payment amount, etc.<br><span style="color:rgb(85,85,85);font-size:13px;">(Note: Financial info such as credit card numbers is processed directly by the PG company; the Company does not store such data.)</span></td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">5 years</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Act on Consumer Protection in E-Commerce, Enforcement Decree Art. 6(1)(iii)</td></tr><tr><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Customer Inquiries</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Customer Support</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Email address, name, region, hospital/company name/affiliation, phone number, inquiry content</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">3 years</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Act on Consumer Protection in E-Commerce, Enforcement Decree Art. 6(1)(iv)</td></tr><tr><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Marketing & Advertising</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">New product launch notifications, promotions, and other marketing purposes</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Email address</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Until consent withdrawal or account withdrawal</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Personal Information Protection Act Art. 15(1)(i) (data subject's consent)</td></tr></tbody></table></figure><p style="margin-left:0px;">Additional details:</p><ul><li><p style="margin-left:20px;"><strong>Membership Registration & Management:</strong> Professional healthcare personnel must complete the membership registration process to use the medical device software provided by the Company. Upon registration, the user's email address is designated as their user ID, and a separate email verification process is carried out. Passwords are set by users in accordance with prescribed password rules. Where necessary, information such as affiliated medical institution, institution type, position, and department may be collected to verify healthcare professional status.</p></li><li><p style="margin-left:20px;"><strong>Provision of Goods or Services:</strong> The Company provides analysis reports of ECG images to assist physicians in making diagnoses. The payment method required for service use may change in accordance with the Company's internal policies, and additional personal data may be required for payment processing.</p></li><li><p style="margin-left:20px;"><strong>De-identification:</strong> Patient ECG data is de-identified within the hospital's internal network before being processed in pseudonymized or anonymized form only; the Company cannot identify any individual from such data. Additionally, de-identified (pseudonymized or anonymized) ECG data is deleted within 6 hours of analysis completion and is not stored in a separate location.</p></li><li><p style="margin-left:20px;">The Company, in principle, retains and uses personal data provided by users at the time of registration until the user requests service termination by terminating the End User License Agreement (EULA).</p></li><li><p style="margin-left:20px;">Information that must be retained pursuant to applicable laws is preserved for the corresponding periods as follows:</p></li></ul><figure class="table" style="width:759px;"><table><thead><tr><th style="background-color:rgb(240, 240, 240);border-color:rgb(204, 204, 204);padding:10px 8px;text-align:center;"><strong>Information to be Retained</strong></th><th style="background-color:rgb(240, 240, 240);border-color:rgb(204, 204, 204);padding:10px 8px;text-align:center;"><strong>Legal Basis</strong></th><th style="background-color:rgb(240, 240, 240);border-color:rgb(204, 204, 204);padding:10px 8px;text-align:center;"><strong>Retention Period</strong></th></tr></thead><tbody><tr><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Records on contracts or withdrawal of subscription</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Act on Consumer Protection in Electronic Commerce</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">5 years</td></tr><tr><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Records on payment and supply of goods/services</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Act on Consumer Protection in Electronic Commerce</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">5 years</td></tr><tr><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Records on consumer complaints or dispute resolution</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Act on Consumer Protection in Electronic Commerce</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">3 years</td></tr><tr><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Service visit logs</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Protection of Communications Secrets Act</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">3 months</td></tr></tbody></table></figure><h2> </h2><h2><strong>3. Processing of Children's Personal Data</strong></h2><p style="margin-left:0px;">The services operated by the Company are not directed at children (persons under the age of 14 for Korean nationals; as defined under applicable laws for foreign nationals).</p><h2> </h2><h2><strong>4. Procedures and Methods for Disposal of Personal Data</strong></h2><p style="margin-left:0px;">When personal data is no longer necessary — due to the expiration of the retention period, achievement of the processing purpose, or any other reason — the Company destroys such personal data without delay. The procedures and methods for disposal are as follows:</p><p style="margin-left:0px;"><strong>4.1 Disposal Procedure</strong></p><p style="margin-left:0px;">The Company selects personal data subject to disposal and destroys it with the approval of the Company's Chief Privacy Officer (CPO).</p><p style="margin-left:0px;"><strong>4.2 Disposal Method</strong></p><ul><li><p style="margin-left:20px;">Personal data in electronic file format is destroyed in a manner that prevents recovery of the records.</p></li><li><p style="margin-left:20px;">Personal data recorded in paper documents is destroyed by shredding or incineration.</p></li></ul><p style="margin-left:0px;"><strong>4.3 Timing of Disposal</strong></p><ul><li><p style="margin-left:20px;">Personal data in electronic file format: Personal data for which the retention period has expired is destroyed without delay from the expiration date.</p></li><li><p style="margin-left:20px;">Personal data recorded in paper documents: Personal data for which the retention period has expired is destroyed without delay from the expiration date.</p></li></ul><p style="margin-left:0px;"><strong>4.4 Separate Management of Legally Required Retained Data</strong></p><p style="margin-left:0px;">If personal data must continue to be retained pursuant to other laws despite the expiration of the retention period, such personal data is transferred to a separate database (DB) or stored in a different location. Such cases are specified in Section 2 (Purposes of Processing, Items, Retention Periods, and Legal Basis).</p><h2> </h2><h2><strong>5. Provision of Personal Data to Third Parties</strong></h2><p style="margin-left:0px;">The Company, in principle, does not provide personal data of users to third parties. However, exceptions may apply in the following cases:</p><ul><li><p style="margin-left:20px;">Where the user has given explicit prior consent to the provision of personal data to a third party</p></li><li><p style="margin-left:20px;">Where there is a legal basis, or where a request is made through lawful procedures by an investigative authority</p></li><li><p style="margin-left:20px;">Where provision is unavoidably necessary for the provision of services, and the procedures under Article 17 of the PIPA have been followed</p></li></ul><h2> </h2><h2><strong>6. Consignment of Personal Data Processing and Overseas Transfer</strong></h2><p style="margin-left:0px;">The Company entrusts certain personal data processing tasks to external specialized firms to provide smooth and stable services. The following consignees are currently processing personal data overseas in the course of performing their duties, and the Company notifies data subjects of relevant details in accordance with Article 28-8 of the PIPA.</p><p style="margin-left:0px;"><strong>6.1 Status of Consigned Platform Providers</strong></p><figure class="table" style="width:759px;"><table><thead><tr><th style="background-color:rgb(240, 240, 240);border-color:rgb(204, 204, 204);padding:10px 8px;text-align:center;"><strong>Recipient</strong></th><th style="background-color:rgb(240, 240, 240);border-color:rgb(204, 204, 204);padding:10px 8px;text-align:center;"><strong>Country</strong></th><th style="background-color:rgb(240, 240, 240);border-color:rgb(204, 204, 204);padding:10px 8px;text-align:center;"><strong>Transfer Timing & Method</strong></th><th style="background-color:rgb(240, 240, 240);border-color:rgb(204, 204, 204);padding:10px 8px;text-align:center;"><strong>Recipient's Purpose of Use</strong></th><th style="background-color:rgb(240, 240, 240);border-color:rgb(204, 204, 204);padding:10px 8px;text-align:center;"><strong>Items Transferred</strong></th><th style="background-color:rgb(240, 240, 240);border-color:rgb(204, 204, 204);padding:10px 8px;text-align:center;"><strong>Recipient's Retention Period</strong></th></tr></thead><tbody><tr><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">AWS</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">USA</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Online transfer at the time of personal data collection</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Transmission and storage in cloud environment</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">All personal data collected from data subjects</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Upon contract termination or purpose achievement</td></tr><tr><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Twilio</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">USA</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Online transfer via web service API</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Sending email verification codes</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Email address</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Upon account withdrawal or contract termination</td></tr><tr><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">RevenueCat</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">USA</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Online transfer via web service API</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">In-app payment and subscription management</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">License type, payment status, etc.</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Upon account withdrawal or contract termination</td></tr><tr><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">HubSpot</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">USA</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Transfer via network upon customer inquiry</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Processing data subject inquiries and customer support</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Email address, name, region, hospital/company name/affiliation, phone number, inquiry content</td><td style="border-color:rgb(204, 204, 204);padding:9px 8px;vertical-align:top;">Upon account withdrawal or contract termination</td></tr></tbody></table></figure><p style="margin-left:0px;">Data subjects may refuse the overseas transfer of their personal data. In such cases, use of services that require overseas transfer will be restricted. Data subjects who do not wish to have their personal data transferred overseas may withdraw from membership or request the suspension of personal data processing via email at [email protected] .</p><p style="margin-left:0px;">Should any overseas transfer matters change, the Company will disclose such changes through this Privacy Policy without delay.</p><h2> </h2><h2><strong>7. Security Measures for Personal Data</strong></h2><p style="margin-left:0px;">The Company takes the following measures to ensure the security of personal data:</p><ul><li><p style="margin-left:20px;"><strong>Administrative measures:</strong> Establishment and implementation of internal management plans, regular employee training, etc.</p></li><li><p style="margin-left:20px;"><strong>Technical measures:</strong> Access control management for personal data processing systems, installation of access control systems and other related protective measures, encryption of personal data, retention and inspection of access logs, vulnerability assessment and remediation of personal data processing systems</p></li><li><p style="margin-left:20px;"><strong>Physical measures:</strong> Personal data is securely stored and managed in data centers with physical security measures provided by cloud service providers; internally, physical access controls such as access control to office spaces and terminals, and secure document storage are implemented</p></li></ul><h2> </h2><h2><strong>8. Processing of Pseudonymized Information</strong></h2><p style="margin-left:0px;">The Company may process pseudonymized information for the following purposes. Pseudonymized information refers to personal data that has been processed in a way that prevents identification of a specific individual without the use of additional information.</p><p style="margin-left:0px;"><strong>8.1 Purposes of Processing Pseudonymized Data</strong></p><p style="margin-left:0px;">Where necessary for statistical compilation, scientific research, archiving in the public interest, etc., pseudonymized information may be used to compile various statistical data or to analyze data for research purposes. In this process, all information that could identify an individual is removed, and the Company complies with the technical and administrative safeguards required for the safe processing of pseudonymized information.</p><p style="margin-left:0px;"><strong>8.2 Processing and Protective Measures for Pseudonymized Data</strong></p><p style="margin-left:0px;">When processing pseudonymized information, the Company complies with the PIPA and related laws and regulations, and implements technical and administrative measures to prevent re-identification of pseudonymized information. To ensure the security of pseudonymized information, the Company implements measures such as access control, encryption, and retention and management of access records.</p><p style="margin-left:0px;">However, the Company does not perform the combination or export of pseudonymized information, and does not hold the status of a specialized institution for data combination under Article 28-3 of the PIPA and related notices. The generation of pseudonymized information is performed within the hospital's internal network, and the Company does not retain any identifying information or additional information.</p><h2> </h2><h2><strong>9. Installation, Operation, and Opt-Out of Automatic Data Collection Devices</strong></h2><p style="margin-left:0px;">The Company uses 'cookies' that store usage information and retrieve it as needed, in order to provide personalized services and convenience to users.</p><p style="margin-left:0px;">Cookies are small pieces of information sent by the server (http) used to operate a website to the user's browser, and are stored on the user's PC or mobile device.</p><p style="margin-left:0px;">Users may configure cookie settings (allow or block) through their web browser options. However, refusing to store cookies may cause difficulties in using personalized services.</p><p style="margin-left:0px;"><strong>9.1 Allowing/Blocking Cookies on Web Browsers</strong></p><ul><li><p style="margin-left:20px;">Chrome: Web browser settings > Privacy and security > Clear browsing data</p></li><li><p style="margin-left:20px;">Edge: Web browser settings > Cookies and site permissions > Manage and delete cookies and site data</p></li></ul><p style="margin-left:0px;"><strong>9.2 Allowing/Blocking Cookies on Mobile Browsers</strong></p><ul><li><p style="margin-left:20px;">Chrome: Mobile browser settings > Privacy and security > Clear browsing data</p></li><li><p style="margin-left:20px;">Safari: Device settings > Safari > Advanced > Block All Cookies</p></li><li><p style="margin-left:20px;">Samsung Internet: Mobile browser settings > Browsing history > Delete browsing data</p></li></ul><h2> </h2><h2><strong>10. Rights of Data Subjects and How to Exercise Them</strong></h2><p style="margin-left:0px;">Data subjects may exercise the following personal data protection rights against the Company at any time:</p><ul><li><p style="margin-left:20px;"><strong>Right of Access:</strong> Data subjects may request access to their personal data being processed by the Company.</p></li><li><p style="margin-left:20px;"><strong>Right to Rectification:</strong> If there is an error in personal data, data subjects may request correction of such errors.</p></li><li><p style="margin-left:20px;"><strong>Right to Erasure:</strong> Data subjects may request deletion of their personal data where applicable grounds exist.</p></li><li><p style="margin-left:20px;"><strong>Right to Restriction of Processing:</strong> Data subjects may request restriction of processing of their personal data where applicable grounds exist.</p></li></ul><p style="margin-left:0px;">Data subjects may exercise the above rights in accordance with the Enforcement Decree of the PIPA of the Republic of Korea, and the Company will take action without delay. Rights may be exercised by contacting the Company via written correspondence or email, and the Company will respond promptly.</p><h2> </h2><h2><strong>11. Automated Decision-Making</strong></h2><p style="margin-left:0px;">The ECG analysis service provides a function that analyzes ECG images and waveform data for signs of abnormality; however, such analysis results are used as reference information to assist medical professionals in making diagnoses, and do not constitute automated decision-making that produces legal effects on data subjects or has a similarly significant impact on them.</p><h2> </h2><h2><strong>12. Chief Privacy Officer (CPO)</strong></h2><p style="margin-left:0px;">The Company has designated the following officer to be responsible for the processing of personal data and to handle related grievances:</p><ul><li><p style="margin-left:20px;"><strong>Chief Privacy Officer (CPO):</strong> Head of Security Team</p></li><li><p style="margin-left:20px;"><strong>Department:</strong> Security Team</p></li><li><p style="margin-left:20px;"><strong>Phone:</strong> +82-31-738-0110</p></li><li><p style="margin-left:20px;"><strong>Email:</strong> [email protected] </p></li></ul><p style="margin-left:0px;">Data subjects may contact the Chief Privacy Officer regarding any and all inquiries, complaints, and requests for remediation related to personal data protection arising from their use of the Company's services. The Company undertakes to respond to and address data subjects' inquiries without delay.</p><h2> </h2><h2><strong>13. Remedies for Infringement of Rights</strong></h2><p style="margin-left:0px;">Data subjects may apply for consultation or remedies regarding personal data infringement to the following authorities:</p><ul><li><p style="margin-left:20px;">Personal Information Infringement Report Center (Korea Internet & Security Agency, KISA): kisa.or.kr / 118 (no area code required)</p></li><li><p style="margin-left:20px;">Personal Information Dispute Mediation Committee: kopico.go.kr / 1833-6972 (no area code required)</p></li><li><p style="margin-left:20px;">Supreme Prosecutors' Office, Cyber Investigation Division: cyber.spo.go.kr / 1301</p></li><li><p style="margin-left:20px;">National Police Agency, Cyber Investigation Bureau: cyberbureau.police.go.kr / 182</p></li></ul><h2> </h2><h2><strong>14. Changes to the Privacy Policy</strong></h2><p style="margin-left:0px;">This Privacy Policy is effective as of March 16, 2026. Previous versions of the Privacy Policy are available on the website.</p><h2> </h2><h2><strong>15. Country-Specific Supplemental Notices</strong></h2><h3><strong>EU — General Data Protection Regulation (GDPR)</strong></h3><p style="margin-left:0px;">This Privacy Policy is drafted based on the laws of the Republic of Korea. For users in the European Union (EU), the following provisions apply additionally under the EU General Data Protection Regulation (GDPR).</p><p style="margin-left:0px;"><strong>Articles 1–3 (Purposes of Processing, Items, Third-Party Provision)</strong></p><ol><li><p style="margin-left:20px;"><strong>Lawful Processing Without Consent (GDPR Article 6(1)(b)):</strong> Pursuant to GDPR Article 6(1)(b), personal data may be processed for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.</p></li><li><p style="margin-left:20px;"><strong>Cases Requiring Consent (GDPR Article 6(1)(a)):</strong> Pursuant to GDPR Article 6(1)(a), explicit consent is required for the processing of sensitive data or for purposes such as marketing or profiling.</p></li><li><p style="margin-left:20px;"><strong>Third-Party Provision:</strong> The 'recipients' referred to in Section 3 are third parties and qualify as independent data controllers. The provision of personal data is processed on the basis of a lawful legal ground (e.g., consent, performance of a contract) pursuant to GDPR Article 6, and data subjects' consent is obtained where necessary.</p></li></ol><p style="margin-left:0px;"><strong>Article 4 (Consignment)</strong></p><p style="margin-left:0px;">When personal data processing is consigned, the consignee processes personal data on behalf of the data controller and is a processor within the meaning of GDPR Article 28. Processing is carried out after entering into a lawful data processing agreement in accordance with GDPR Article 28.</p><p style="margin-left:0px;"><strong>Article 5 (Overseas Transfer)</strong></p><p style="margin-left:0px;">Where personal data is transferred to a country outside the EU, appropriate safeguards pursuant to GDPR Articles 44–46 are applied, such as an adequacy decision, Standard Contractual Clauses (SCCs), or the explicit consent of the data subject.</p><ul><li><p style="margin-left:20px;">Republic of Korea: EU Adequacy Decision (Article 45) applies</p></li><li><p style="margin-left:20px;">United States (Twilio, RevenueCat, HubSpot, AWS, etc.): EU Standard Contractual Clauses (SCCs) included in each company's Data Processing Addendum (DPA), or the EU-US Data Privacy Framework (DPF) applies</p></li></ul><p style="margin-left:0px;"><strong>Article 6 (Children's Personal Data)</strong></p><p style="margin-left:0px;">The Company complies with the definition of a child as defined under the laws of the country in which the service is provided, and does not collect personal data of children under the age of 17.</p><p style="margin-left:0px;"><strong>Article 7 (User Rights)</strong></p><p style="margin-left:0px;">Users may exercise the following rights pursuant to GDPR Articles 15–22:</p><ul><li><p style="margin-left:20px;">Access, rectification, erasure, restriction of processing, data portability, right to object, and the right to lodge a complaint regarding processing</p></li><li><p style="margin-left:20px;">The right to request an explanation of, object to, or request human intervention in automated decision-making (including profiling)</p></li></ul><p style="margin-left:0px;">The Company does not automatically process personal data for the purpose of evaluating aspects relating to users' professional performance, economic situation, health, personal preferences or interests, reliability, behavior, location, or movements based on automated decision-making (including profiling). If such processing becomes necessary in the future, it will be carried out lawfully in accordance with GDPR Article 22.</p><p style="margin-left:0px;"><strong>Articles 8–13 (Retention Periods, Disposal, Security Measures, Cookies, etc.)</strong></p><ul><li><p style="margin-left:20px;">Pursuant to GDPR Article 5(1)(e), personal data is retained only for the minimum period necessary to achieve the processing purpose, and thereafter safely deleted or anonymized.</p></li><li><p style="margin-left:20px;">Prior consent of the data subject is obtained when collecting behavioral data through cookies and similar technologies.</p></li></ul><p style="margin-left:0px;"><strong>Article 14 (Remedies)</strong></p><p style="margin-left:0px;">Users have the right to lodge a complaint with a supervisory authority regarding the processing of their personal data.</p><p style="margin-left:0px;">Spanish Supervisory Authority: Agencia Española de Protección de Datos (AEPD)</p><ul><li><p style="margin-left:20px;">Address: Calle Jorge Juan, 6, 28001 Madrid, Spain</p></li><li><p style="margin-left:20px;">Phone: +34 91 266 35 17</p></li><li><p style="margin-left:20px;">Fax: +34 91 455 56 99</p></li><li><p style="margin-left:20px;">Email: [email protected] </p></li><li><p style="margin-left:20px;">Website: https://www.aepd.es/</p></li></ul><h3> </h3><h3><strong>United States — California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)</strong></h3><p style="margin-left:0px;">This Privacy Policy is drafted based on the laws of the Republic of Korea. For users in the United States, including California, the following additional provisions apply under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).</p><p style="margin-left:0px;"><strong>Articles 1–3 (Purposes of Processing, Items, Third-Party Provision)</strong></p><ul><li><p style="margin-left:20px;">At or before the time of collection, the Company clearly discloses the purposes of processing, items collected, and categories of use.</p></li><li><p style="margin-left:20px;">If personal data is sold or shared with a third party, the Company notifies users in advance and provides the option to opt out via a 'Do Not Sell or Share My Personal Information' link.</p></li><li><p style="margin-left:20px;">If Sensitive Personal Information is collected, the Company clearly discloses the purpose of use and limits its use to a restricted scope in accordance with CPRA §1798.121.</p></li></ul><p style="margin-left:0px;"><strong>Article 4 (Consignment)</strong></p><p style="margin-left:0px;">When personal data processing is consigned, the consignee is classified as a Service Provider under the CCPA/CPRA standards. Relevant matters — including prohibition of processing for purposes beyond the consigned purpose, technical and administrative safeguards, access controls, and restrictions on sub-consignment — are specified in the contract and other documents, and the Company supervises the consignee's safe processing of personal data.</p><p style="margin-left:0px;"><strong>Article 5 (Overseas Transfer)</strong></p><p style="margin-left:0px;">Storage or transfer of data within the United States is generally not considered an overseas transfer; however, for global services, such information is clearly disclosed.</p><p style="margin-left:0px;"><strong>Article 6 (Children's Personal Data)</strong></p><p style="margin-left:0px;">The Company does not collect personal data of children under the age of 13, and requires prior opt-in consent for the sale or sharing of personal data of children under the age of 16.</p><p style="margin-left:0px;"><strong>Article 7 (User Rights)</strong></p><p style="margin-left:0px;">California consumers may exercise the following rights under the CCPA/CPRA:</p><ul><li><p style="margin-left:20px;">Right of Access</p></li><li><p style="margin-left:20px;">Right to Delete</p></li><li><p style="margin-left:20px;">Right to Correct</p></li><li><p style="margin-left:20px;">Right to Limit Use of Sensitive Personal Information</p></li><li><p style="margin-left:20px;">Right to Opt-Out of Sale or Sharing</p></li></ul><p style="margin-left:0px;">※ California residents may once per year request a list of third parties to whom the Company has disclosed personal data for direct marketing purposes in the prior year, and the categories of personal data disclosed (California Civil Code §1798.83, Shine the Light). To make this request, send an email with "California Privacy Rights" in the subject line to [email protected] .</p><p style="margin-left:0px;"><strong>Articles 8–13 (Retention Periods, Disposal, Security Measures, Cookies, etc.)</strong></p><ul><li><p style="margin-left:20px;">Personal data is retained until the collection purpose is achieved, and deleted without delay when no longer necessary.</p></li><li><p style="margin-left:20px;">Cookies and similar technologies may be used to deliver personalized advertising, and an opt-out option is provided.</p></li><li><p style="margin-left:20px;">Users may control the external provision of their personal data through the 'Do Not Sell or Share My Personal Information' link.</p></li></ul><p style="margin-left:0px;"><strong>Article 14 (Remedies)</strong></p><p style="margin-left:0px;">California consumers may file a complaint regarding CCPA violations with the California Attorney General or the California Privacy Protection Agency:</p><ul><li><p style="margin-left:20px;">California Office of the Attorney General: https://oag.ca.gov/privacy</p></li><li><p style="margin-left:20px;">Email: [email protected] </p></li></ul>
Published: 2026-04-06 Read more