PRIVACY POLICY

Koylabs (the “Company”) values the protection of personal information of its end-users who use KOKIRI services (the “Member(s)”) and always strives to protect the Members’ personal information.

The Company complies with all domestic laws and regulations and any notices, ordinances and guidelines published by any government agency related to the protection of personal information, including the Personal Information Protection Act (“PIPA”) and the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (the “Communications Network Act”).

The Company protects personal information of data subjects, and, to handle related grievances promptly and smoothly, establishes and discloses the Company’s privacy policy (this “Privacy Policy”) pursuant to Article 30 of PIPA, as follows:

Article 1. Collection of Personal Information and Purpose of Use

The Company processes the collected personal information for the following purposes. The personal information processed by the Company is not used for any purpose other than the purposes specified in the following. When any change occurs in the purposes of use, the Company, in accordance with Article 18 of PIPA, will take necessary measures, such as obtaining additional consent.

1. Performance Pursuant to the the Service Agreement; Calculation of Charges for Providing Paid Services

Charging for paid services; purchases and payments for charges; identity verification; collecting charges for provision of contents and use of paid services

2. Management of Members

Identity verification for using membership services; distinguishing personal identities; preventing misbehaving Members’ misuse or unauthorized use; monitoring overlapping application; confirming a Member’s intention to sign up; confirming the age; preventing the sign-up of those under the age of fourteen (14); preserving records for dispute resolution; handling complaints; sending out notices

3. Marketing and Advertisements

Development of new services and provision of customized services; provision of services and placement of advertisements in accordance with statistical analysis; analysis of the effectiveness of services; analysis of access frequency; statistics on Members’ use of services; providing event information, advertisement information, and opportunities for participation

Article 2. Processing and Retaining Personal Information

①   The Company processes and retains personal information for the duration provided by the relevant laws and regulations, or the period to which each data subject consented at the time when the data subject’s personal information was collected.

②   The Company collects, through legal and proper means, the minimum personal information necessary to enter into a service agreement with the Member and provide the Company’s services. To collect personally identifiable information of the Members, the Company provides information on the consent to the collection and use of personal information when the Members sign up, and once the Members click the “I Agree” button, the Member is deemed to have consented to the collection and use of its/his/her personal information. The Company, however, does not request personal information that may infringe on fundamental human rights (e.g., race, ethnicity, belief, place of origin, political belief, criminal record, health, sexual activity).

③ The period for processing and retaining each category of personal information is as follows:

1. Performance of the Service Agreement & Settlement of Charges for Providing Paid Services: upon the provision of the services or upon the completion of the settlement of the charges

Notwithstanding the foregoing, for the following cases, personal information is processed and retained for the following specified periods:

1) Records on marks and advertisements & records on transactions under the “Act on the Consumer Protection, in Electronic Commerce, Etc.”

- Records on marks and advertisements: 6 months

- Records on the contract, subscription withdrawal, payment and supply of goods: 5 years

- Records on customer complaints or dispute settlements: 3 years

2) Storage of communication confirmation data under the “Protection of Communications Secrets Act”

- the date of telecommunications by subscribers; the time that the telecommunications commence and end; the subscriber number of the other party; the frequency of use; the data on tracing a location of information communications apparatus connecting to the information communications networks: 1 year

- computer communications, Internet log records, the data on tracing a location of connectors: 3 months

2. Management of Members: until deletion of a relevant Member’s account

Notwithstanding the foregoing, for the following cases, personal information is processed and retained for the following specified periods:

1)Where an investigation is pending due to a violation of a relevant law or regulation: until the conclusion of such investigation

2) Where a debtor-creditor relationship arising from use of KOKIRI services remains: until such debtor-creditor relationship is settled

3. Marketing and Advertisements: until deletion of a relevant Member’s account

Notwithstanding the foregoing, for the following cases, personal information is processed and retained for the specified periods:

1) Records on marks and advertisements & records on transactions under “Act on the Consumer Protection, in Electronic Commerce, Etc.”

- contract, subscription withdrawal, payment and supply of goods: 5 years

- Records on customer complaints or dispute settlements: 3 years

2) Storage of communication confirmation data under the “Protection of Communications Secrets Act”

- the date of telecommunications by subscribers, the time that the telecommunications commence and end, the subscriber number of the other party, the frequency of use, the data on tracing a location of information communications apparatus connecting to the information communications networks: 1 year

- computer communications, Internet log records, the data on tracing a location of connectors: 3 months

Article 3. Provision of Personal Information to Third Parties

① The Company processes Members’ personal information only within the scope prescribed in Article 1 of this Privacy Policy, and provides Members’ personal information to third parties only under the circumstances provided for in Article 17 and Article 18 of PIPA (e.g., consent of a Member, special provisions under the relevant laws); provided, however, that an exception is made where a Member consents to providing its/his/her personal information to third parties or where any of the following cases apply:

② The Company provides personal information to the following third parties with prior consent from the Members.

1. Amazon Web Services Inc. (https://aws.amazon.com/compliance/contact/)

2. Firebase (https://firebase.google.com/support/)

3. Google Cloud Platform  (https://cloud.google.com/support-hub)

4. Google Analytics (https://support.google.com/analytics/)

5. Revenue Cat (https://community.revenuecat.com/)

6. Appsflyer (https://www.appsflyer.com/hc/)

③ In the event the Company assigns all or part of its business or succeeds the rights and obligations of the service provider due to merger or inheritance, the Company, in order to protect the relevant Members’ privacy rights under Article 27 of PIPA, shall give notice to each Member in writing, or by posting on the Company’s website or through other methods for at least thirty (30) days.

④ If it is necessary for the Company to provide the Members’ personal information to a third party to provide better service, the Company will inform Members of the name of the third-party recipient, the purposes for providing personal information, the period during which the personal information is provided, and the measures to protect the personal information, and will take steps to obtain the Members’ consent. Without obtaining the relevant Members’ consent, the Company does not provide personal information to any third party. The Company notifies its Members and obtains consent of the Members by posting a notice on the Company’s website at least a seven (7) days prior to the date of providing the personal information to a third party and sending emails to each Member at the same time to obtain individual consent. Under exceptional circumstances, however, where giving a prior notice is impossible due to time constraints, the Company may provide personal information to a third party and simultaneously notify the Members of such provision. The Company will endeavor to do its best to not provide the Members’ personal information against the purposes stipulated in this Privacy Policy.

Article 4. Entrustment of Personal Information

①    The  Company entrusts personal information to the following third-party companies to improve the Company’s services.

[Entrusted Companies and Outsourced Operations]

1. System Operation

2. Statistics and Data Analysis

3. Payment Processing

② When entering an entrustment agreement, the Company, in accordance with Article 26 of PIPA, stipulates in contracts or other documents its obligations, such as prevention of personal information processing for purposes other than the outsourced purpose, technical and managerial safeguards of personal information, restriction on further outsourcing of personal information processing by the entrusted companies, management and supervision of the entrusted companies, and responsibility of compensation of damages. Moreover, pursuant to PIPA, the Company stipulates the requirements for the entrusted companies to safely process personal information under relevant laws and regulations, and carries out management and supervision of the entrusted companies. When the Company no longer outsources the processing of personal information to the entrusted companies, the Company discontinues providing the Members’ personal information to such companies.

③ If there is a change in the entrusted operations or companies, the Company will disclose it through this Privacy Policy.

Article 5. Rights and Obligations of Members; Exercise of the Rights

①    A Member is liable for any accident caused by the Member’s entry of inaccurate information. If a Member provides false information (e.g., stealing another person’s personal information), the Member’s use of its/his/her account may be restricted.

② At any time, Members may view or edit their personal information registered in their accounts, or request deletion of their accounts together with their personal information.

③    Members may view or edit their personal information by first clicking “edit my personal information” and then completing the identity verification process. Members may also delete their accounts by first clicking “delete my account” and then verifying their identity. Members may submit requests to the Company’s Chief Privacy Officer by post, fax, phone, or email. Upon receiving the requests, the Chief Privacy Officer will handle them without undue delay.

④ Where a Member requests the correction of its/his/her personal information, the Company does not use or provide the relevant information until the correction is made. In the event the Company has already provided such incorrect information to a third party, the Company will promptly notify the third party of the corrected information to ensure that the third party makes a correction accordingly. Notwithstanding the foregoing, the Company may restrict a Member’s access or correction of his or her personal information in the following cases:

⑤ If the Company learns that a Member stole another person’s personal information when signing up, the Company will take necessary measures against such Member (e.g., suspension of the Services, deletion of the account). The Company will also immediately take action when a Member who learns about his or her identity theft requests that the Company suspend the Services or delete the account of the Member who committed the identity theft.

⑥ Members using the Company’s services have privacy rights, along with obligations to protect their own personal information and to not violate others’. Members should be careful not to disclose their personal information including their email addresses and dates of birth, and not to damage others’ personal information including their postings. If a Member fails to meet such obligations and damages others’ information or dignity, such Member may be punished under the Communication Network Act or other relevant laws or regulations.



Article 6. Items of Personal Information to be Processed

The Company processes the following items of personal information:

1. Provision of Service and Performance of Service Agreement (e.g., sign-up, consultation, application for services)

2. Payment and Provision of Paid Services

2. Provision of Opportunities to Participate in Events or Promotions

3. Provision of Recommendation Service Customized to Each Member

4. Customer Center Access

5. The following information may also be generated and collected while a Member uses the services:

Article 7. Destruction of Personal Information

①    The Company immediately destroys personal information when the information is no longer needed for reasons such as achieving the purpose for which the information is processed and expiration of the retention period. Where a Member deletes its/his/her account or the Company deletes the account of a Member who provided false personal information, the personal information of such Member collected by the Company is completely destroyed in a way that it cannot serve any purpose. Notwithstanding the foregoing, to minimize potential harm such as unwanted deletion of a Member’s account resulting from identity theft, when a Member requests to delete its/his/her account, the Company temporarily stores the personal information of such Member for seven (7) days and notifies such Member of the grace period at the time of the request. After the seven (7) days period expires, the personal information of such Member is completely destroyed from the Company’s information database of Members.

②    In the event of an identity theft dispute where the Company receives a copy of the identification card of a Member to verify its/his/her identity, the Company destroys such copy immediately after verifying the identity of the Member. With respect to information of a legal representative of a Member under the age of 18, the Company destroys such information when such Member reaches the legal age or when personal information of such Member is destroyed as a result of the deletion of the Member’s account.

③  Members’ personal information is destroyed immediately after it fully serves the purpose of collection and use. Notwithstanding the foregoing, if the personal information falls within one of the following cases, such information is stored for the specified period and used only for the stated purpose:

A. Records on the contract or subscription withdrawal: 5 years (Article 6(3) and Enforcement Decree 6(1)(2) of the “Act on the Consumer Protection, in Electronic Commerce, Etc.”)

B. Records on the payment and supply of goods: 5 years (Article 6(3) and Enforcement Decree 6(1)(3) of the “Act on the Consumer Protection, in Electronic Commerce, Etc.”)

C. Records on the consumer complaints or dispute settlement: 3 years (Article 6(3) and Enforcement Decree 6(1)(4) of the “Act on the Consumer Protection, in Electronic Commerce, Etc.”)

D. Records on marks and advertisements: 6 months (Article 6(3) and Enforcement Decree 6(1)(1) of the “Act on the Consumer Protection, in Electronic Commerce, Etc.”)

E. Records on website visitors: 3 months (Article 15(2) and Enforcement Decree 31(2)(2) of the “Protection of Communications Secrets Act”)

④ The procedures and methods for destruction of personal information is as follows:

1. Procedures for destruction

2. Methods for Destruction

Article 8. Measures for Ensuring Safety of Personal Information

The Company has taken the following measures to ensure safety of personal information. The Company, however, shall not be liable for any harm resulting from a data breach such as unwanted disclosure of ID, password, resident registration number, caused by the Member’s negligence or Internet problems, despite the Company’s full performance of its obligations to protect Members’ privacy.

1) Encryption of personal information including Members’ passwords

The Company transmits Members’ personal information over the network via encrypted communication. The Company also encrypts Members’ passwords for storage so that only the Member, and no one else, knows the password. In addition, only Members who know their passwords can access or change their personal information.

2) Measures against hacking, etc.

The Company makes every effort to prevent leakage or damage of Members’ personal information caused by hacking or computer viruses. The Company frequently backs up data to offset risk of any damage to personal information and uses the latest antivirus software to prevent leakage or damage of Members’ personal information or data. The Company also uses encrypted communication etc., to safely transmit personal information over the network. Furthermore, the Company runs an intrusion prevention system to restrict unauthorized access and strives to take all other possible technical measures to ensure the security of systems.

3) Keeping minimal number of employees and the education of employees handling personal information

The Company keeps employees handling personal information to a minimum. The company also provides a separate password to preclude other employees from accessing personal information and periodically renews such password. Additionally, the Company repeatedly emphasizes compliance with this Privacy Policy by frequently offering training programs for such employees.

4) Restrictions on Access to Personal Information

The Company restricts entry of unauthorized personnel by keeping personal information in a separate place and setting and operating procedures to control access to such place. The Company also stores documents and external storage devices in a safe place by using special locks for securing documents.

Article 9. Cookie Policy

① The Company uses cookies, which are small pieces of information that store and retrieve Members’ access information, to provide personalized and customized service to Members. When a Member visits the website, the website server reads cookies stored in the Member’s web browser and can provide service without requiring Members to input additional information.

②    Members have an option for setting a cookie. Members may allow all cookies by setting the option on the web browser, complete the confirmation whenever a cookie is stored, or block the storage of all cookies. If Members, however, reject the storage of a cookie, then Members may have difficulties using the services.

③ The information collected by cookies is limited to the unique ID of each Member and no other information is collected. The data of the unique IDs collected by the services via cookies can be used for the following purposes:

Article 10. Linked Websites

The Company may provide on its website the websites of other companies or links to other websites. If Members visit such websites, Members should review the privacy policies posted by such websites as those policies are irrelevant to this Privacy Policy.

Article 11. Obligation to Notify

The Company will notify Members of any addition, deletion, or revision of this Privacy Policy at least seven (7) days prior to the scheduled amendment through reasonable methods such as showing a notification message on the initial screen page. If, however, a modification puts Members at a disadvantage, the Company will notify such amendments at least thirty (30) days prior to the scheduled amendment. The inquiries related to modifications can be submitted to the customer center.

Article 12. Chief Privacy Officer

The Company prioritizes protecting the Members’ personal information and makes its best efforts to not damage or leak personal information of its Members. The Company will quickly respond to all privacy-related complaints arising from the use of the services once the complaints are submitted to the customer center.

[Chief Privacy Officer]

Article 13. Requests to Access Personal Information

Pursuant to Article 35 of PIPA, Members may make a request to access their personal information to the following department. The Company will put efforts to take care of Members’ access requests without undue delay.

[Department for Handling Requests to Access personal information]

Office/Department/Team: CS Team

E-mail: privacy@koy.company

Article 14. Remedies for Violation of Privacy Rights and Interests

①    The Company values its Members’ opinions. The Company will give prompt and full responses to any inquiries regarding the Company’s services. To ensure smooth communication with its Members, the Company operates the customer center. The contact information of the customer center is as follows:

[Customer Center]

Phone: 02-789-1431

E-mail: support@koy.company

② When help is needed on other privacy matters, please contact the Personal Information Infringement Reporting Center of Korea Internet & Security Agency, a sub-organization under the Ministry of Science and ICT, or the Cyber Bureau of Investigation of National Police Agency.

[Personal Information Infringement Reporting Center, Korea Internet & Security Agency]

Phone: 118 (without dialing an area code)

Website: http://privacy.kisa.or.kr

[Cyber Bureau of Investigation, National Police Agency]

Phone: 02-393-9112

Website: http://www.netan.go.kr

[Cyber Crime Investigation Unit of the Supreme Prosecutor’s Office]

Phone: 02-3480-3751

Website: http://www.spo.go.kr

Effective Date: March. 08, 2023