Purposes of processing personal data

(hereinafter referred to as the "Company") processes personal information for the following purposes. The personal information processed will not be used for any purpose other than the following purposes, and if the purpose of use is changed, the Company will take necessary measures such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.

1. Sign up and manage members

Personal information is processed for the purpose of confirming the intention to join the membership, identifying and authenticating the person in accordance with the provision of membership services, maintaining and managing membership, preventing unauthorized use of the service, confirming the consent of the legal representative when processing personal information of children under the age of 14, various notices and notifications, and handling grievances.

2. Providing goods or services

We process personal information for delivery of goods, provision of services, sending contracts and invoices, provision of content, provision of customized services, identity verification, age verification, payment and settlement, and debt collection.

This Privacy Policy applies to the Flavial account-based services provided by the Company (the "Services"). However, if an account-based service operates a separate processing policy, that service will be governed by its own separate processing policy.

Processing and retention of personal information

① shall process and retain personal information within the period of retention and use of personal information in accordance with the law or the period of retention and use of personal information agreed upon when collecting personal information from the information subject.

② The processing and retention period of each personal information is as follows.

1. Homepage membership registration and management: Until withdrawal from the business/organization website, but if the following reasons apply, until the end of the reason
2. If there is an ongoing investigation or inquiry into a violation of applicable laws, etc.
3. If a debt-debt relationship remains due to the use of the website, until the debt-debt relationship is settled.
4. For , until <Retention Period
5. Provision of goods or services: Until the completion of the supply of goods and services and the completion of payment and settlement, but until the end of the period in the following cases
   1. ) Records of transactions such as display, advertisement, contract contents and performance in accordance with the Act on Consumer Protection in Electronic Commerce, etc.
      • Records regarding display-advertising: 6 months
      • Records of contract or subscription withdrawal, payment, supply of goods, etc.: 5 years
      • Records of consumer complaints or dispute handling: 3 years
   2. ) Retention of communication verification data in accordance with the Communications Secrets Protection Act
      • Subscriber communication date, start and end time, other subscriber's number, usage, and originating base station location data: 1 year
      • Computer communication, Internet log data, and access point tracking data: 3 months
   3. ) : <Retention Period

What personal information we process

1. processes the following personal data items
2. Sign up and manage members
   • Required: Full name, date of birth, address, phone number, email address
   • Optional: Marital status, Interests
3. Providing goods or services
   • Required: name, date of birth, address, phone number, email address, credit card number, bank account information
   • Optional: Interests, past purchases
4. (if collecting only required information)
   • , <processing item

Regarding the processing of personal information from children under the age of 14

When collecting personal information about children under the age of 14, obtains the consent of the legal representative to collect the minimum amount of personal information necessary to perform the service.

Required: Legal representative's name, relationship, and contact information

② In addition, when collecting personal information of children for publicity related to the of , separate consent is obtained from the legal representative.

③ When collecting personal information from children under the age of 14, may require the child to provide minimum information, such as the name and contact information of a legal representative, and will verify that the legal representative has given consent in one of the following ways

• Requiring the legal representative to indicate whether he or she consents on the internet site where the consent is posted, and sending a text message to the legal representative's cell phone confirming that the controller has received the indication of consent.
• How to have your legal representative indicate consent on the internet site where the consent form is posted and obtain your legal representative's card information, including credit and debit cards.
• Have the legal representative indicate whether he or she consents on the internet site where the consent is posted, and verify the legal representative's identity, such as through mobile phone verification.
• Issue, mail, or fax a written document containing the consent to the legal representative, and have the legal representative sign and return it.
• How to get an email from a legal representative to indicate consent by sending an email with the consent language
• Informing the legal representative of the consent over the phone and providing information on how to obtain consent or verify the consent, such as an internet address, and making a second phone call to obtain consent.
• Otherwise, inform the legal representative of the consent in a manner consistent with the above and confirm the expression of consent.

• Provision of Personal Information to Third Parties

① processes the personal information of the information subject only within the scope specified for the purpose of processing the personal information, and does not provide the personal information of the information subject to a third party only in cases falling under Articles 17 and 18 of the Personal Information Protection Act, such as the consent of the information subject or special provisions of the law, and otherwise does not provide the personal information of the information subject to a third party.

② provides only the minimum necessary scope with the consent of the information subject in the following cases for smooth service provision.

To whom	Purpose	What you get	Retention and Usage Period
<Credit card company	Event co-hosting card issuance, business partnerships	Name, address, phone number, email address, card payment account information, credit information	For the duration of the transaction under the credit card issuance agreement
<third-party name	<Purpose	<Article	<Period of retention and use by the recipient

③ may provide personal information to related organizations without the consent of the information subject in the event of an emergency, such as a disaster, prisoner's disease, an event or accident that poses an imminent danger to life or body, or an imminent loss of property, as follows.

Categorization	Statutory Law	Provider organization	Personal information provided
Disaster response	Disaster Safety Act	Central or regional task force	Name, social security number, address, and telephone number (including cell phone number)The following information for identifying the route of movement and search and rescue a. Information collected through CCTV B. Transportation card usage information C. Date, time, and place of use of credit, debit, and prepaid cards D. Prescription medical institution name, phone number, and date of treatment in the medical record book (if you are a telecommunications provider or location information provider) Personal location information
Prevent and manage infectious diseases	How to prevent infectious diseases	Centers for Disease Control and Prevention or national city or state	Name, resident registration number, address, and telephone number (including cell phone number)Prescription and medical records in accordance with the Medical ActImmigration control records for the period prescribed by the Commissioner of the Ministry of Health and WelfareImmigration control records for the period prescribed by the Commissioner of the Ministry of Health and WelfareAdditional information to identify the route of travel, such as "Credit card, debit card, and prepaid card usage information pursuant to the Financial Services Act B. "Transportation card usage information pursuant to the Act on the Development and Promotion of Public Transportation C. "Video information collected through video information processing equipment in accordance with the Personal Information Protection Act (if you are a telecommunications provider or location information provider, please specify) Personal location information
Communicable Disease Outbreaks in Livestock - Preventing Spread	How to prevent livestock diseases	Ministry of Agriculture, Forestry, and Fisheries National Livestock Biosecurity Agency	(Complete if you are a private location provider or toll road operator) Highway traffic information
Find missing children, mentally disabled, dementia patients, etc.	Missing Children Act	Police stations	(List if you are a personal location information provider, telecommunications provider, identity verification organization, or provider of alternative means of resident registration) Personal location information, Internet address, telecommunications factual verification data

In the following cases, will only provide the minimum amount of personal information required under the applicable laws and will not provide it in a manner that is inconsistent with the purpose.

(Individual) Location Information Provider

• A person who collects location information and provides it to a person engaged in location-based service business with permission under the Location Information Protection Act

Telecommunications carrier

• Persons who are registered or notified under the Telecommunications Business Act (including those exempted from notification) and provide telecommunications services

Identity verification organization

• Identity verification organization pursuant to Article 23(3) of the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.

Provider of an alternative means of signing up for a social security number

• "Provider of alternative means of registration for resident registration number pursuant to Article 24(2) of the Personal Information Protection Act

Information and communication service provider

• Telecommunications carriers pursuant to Article 2 (8) of the Telecommunications Business Act and persons who provide information or mediate the provision of information using the telecommunications role of telecommunications carriers for commercial purposes

Destruction of personal information

① shall destroy the personal information without delay when the personal information becomes unnecessary, such as the expiration of the personal information retention period or the achievement of the purpose of processing.

If the personal information retention period agreed to by the information subject has elapsed or the purpose of processing has been achieved, but the personal information must continue to be retained in accordance with other laws and regulations, the personal information shall be transferred to a separate database (DB) or preserved in a different storage location.

③ The procedures and methods for destroying personal information are as follows.

1. Destruction Procedures

selects the personal information for which the reason for destruction has occurred and destroys the personal information with the approval of the personal information protection officer of .

• Destruction methods

will destroy personal information recorded and stored in electronic files in such a way that the records cannot be reproduced, and will destroy personal information recorded and stored in paper documents by shredding or incineration.

▪ Measures regarding the destruction of personal information of unused users (if any)

① destroys the information of users who have not used the service for one year. However, it may be stored and managed separately from other users' personal information until the retention period prescribed by other laws has elapsed.

② shall notify the user of the fact that personal information will be destroyed, the expiration date of the period, and the items of personal information to be destroyed in a notifiable manner such as email, text, etc. at least 30 days prior to the destruction of personal information.

③ If you do not want your personal information to be destroyed, you can log in to the service before the period expires.

• Unused Personal information Destroy etc. About Actions (Separate storage time)

① converts users who have not used the service for one year into dormant accounts and keeps their personal information separately. The separated personal information will be stored for one year and then destroyed without delay.

② shall notify the prospective member of the fact that the personal information will be kept separately, the date of the prospective member's inactivation, and the items of personal information to be kept separately at least 30 days prior to the human transition in a method that can be notified to the user, such as email, text, etc.

If you do not want to switch to a human account, you can log in to the service before switching to a dormant account. Also, if you log in even though your account has been converted to a dormant account, you can restore your dormant account to use the normal service with your consent.

Rights and obligations of data subjects and legal representatives and how to exercise them

① The information subject may exercise rights such as requesting to view, correct, delete, or suspend the processing of personal information at any time to .

Requests for access to personal information about children under the age of 14 must be made directly by a legal representative, and information subjects who are minors over the age of 14 may exercise their rights in relation to the personal information of the information subject by themselves or through a legal representative.

② The exercise of the right may be made in writing, e-mail, facsimile transmission (FAX), etc. to in accordance with Article 41 (1) of the Enforcement Decree of the Personal Information Protection Act, and will take action without delay.

③ You may also exercise your rights through an agent, such as the legal representative of the information subject or a person who has been delegated. In this case, you must submit a power of attorney in the form of Attachment No. 11 of the "Notification on the Method of Processing Personal Information (No. 2020-7)".

④ Requests for access to personal information and suspension of processing may limit the rights of the information subject under Article 35, Paragraph 4, and Article 37, Paragraph 2 of the Personal Information Protection Act.

⑤ A request for correction or deletion of personal information cannot be made if the personal information is specified as the subject of collection under another law.

⑥ shall verify whether the person making the request for access, correction, deletion, or suspension of processing in accordance with the rights of the information subject is the person or his/her authorized representative.

▪ Measures to ensure the safety of personal information

takes the following measures to ensure the safety of personal information.

1. Management measures: establishment and implementation of internal management plan, operation of dedicated organization, regular employee training
2. Technical measures: management of access rights to personal information processing systems, installation of access control systems, encryption of personal information, installation and renewal of security programs
3. Physical measures: Access control to computer labs, archives, etc.

In order to ensure the safety of personal information, implements the following activities in addition to those stipulated by laws and regulations.

1. Privacy activities: social media operations, publishing transparency reports
2. Domestic and international privacy certifications: ISO/IEC 27001, ISMS-P

▪ Installation, operation, and rejection of automatic personal information collection devices

1. uses 'cookies' that store and retrieve usage information from time to time to provide individualized services to the information subject.
2. Cookies are small amounts of information sent to your computer's browser by the server (http) used to run the website and are sometimes stored on your PC's hard disk.
   1. Purpose of cookies: We use cookies to provide you with optimized information by identifying the types of services and websites you visit and use, popular search terms, secure connections, etc.
   1. Installation, operation and rejection of cookies: You can reject the storage of cookies by setting the options in the Tools>Internet Options>Privacy menu at the top of your web browser.

• If you refuse to save cookies, you may experience difficulties in using our personalized services.

▪ Collection, use, and rejection of behavioral information

① The collects and uses behavioral information to provide customized services and benefits, online personalized advertisements, etc. optimized for the information subject in the process of using the service.

② collects behavioral information as follows.

What behavioral information do we collect?	How we collect behavioral information	Purpose of collecting behavioral information	Retention and use periods and subsequent data processing
User's website/app service visits, search history, and purchase history	Automatically collected when users visit/launch websites and apps	Provide personalized product recommendation services (including advertisements) based on user's interests and preferences	Destroy 180 days after collection date

<If you have allowed a third party (such as an online advertising provider) to collect and process your behavioral information for online personalized advertising, etc.

allows online personalized advertising providers to collect and process behavioral data as follows

• Advertising operators who wish to collect and process behavioral information : ○○○, ○○○, ○○○, ○○○, ○○○,
• How we collect Behavioral Information: Automatically collected and transmitted when you visit our websites or launch our apps
• Behavioral information items collected and processed: user's web/app visit history, search history, purchase history, etc.
• Retention-use period: days

③ The collects only the minimum behavioral information necessary for online personalized advertising, etc. and does not collect sensitive behavioral information that may clearly infringe on the rights, interests or privacy of individuals, such as ideas, beliefs, family and relatives, education, medical history, and other social activities.

④ does not collect behavioral information for personalized advertising purposes from children it knows are under the age of 14 or from online services whose primary users are children under the age of 14, and does not provide personalized advertising to children it knows are under the age of 14.

⑤ collects and uses advertising identifiers for online personalized advertising in the mobile app. The data subject can block or allow personalized advertising in the app by changing the settings on the mobile device.

• Block/allow ad identifiers on smartphones
• (Android) ① Settings → ② Privacy → ③ Ads → ③ Reset or delete Ad IDs

• (iPhone) ① Settings → ② Privacy → ③ Tracking → ④ Allow apps to request tracking

Menus and methods may vary slightly depending on the mobile OS version.

⑦ The information subject can block or allow online personalized advertising in bulk by changing the cookie settings of the web browser. However, changing cookie settings may affect the use of some services, such as automatic login to websites.

• Personalized ad blocking/allowing via web browser
• Internet Explorer (Internet Explorer 11 for Windows 10)
  • In Internet Explorer, select the Tools button and then select Internet Options
  • Select the Privacy tab, select Advanced in Settings, and then select Block or allow cookies
• Microsoft Edge
  • In Edge, click the top-right "..." sign, then click Settings.
  • Click "Privacy, search, and services" on the left side of the Settings page, then in the "Do not track" section, select whether and at what level you want to "Do not track".
  • Select whether to "Always use "strict" tracking protection when searching InPrivate".
  • In the "Privacy" section below, select whether or not you want to "Send a Do Not Track Request".
• Chrome browser
  • In Chrome, click the top-right '⋮' sign (chrome customize and control), then click Show settings.
  • Click "Show advanced settings" at the bottom of the Settings page and click Content settings in the "Privacy" section.
  • In the Cookies section, check the box for "Block third-party cookies and site data.

⑧ Data subjects can contact us at the following contact information to inquire about behavioral information, exercise their right of objection, or report damage.

• Department in charge of personal information protection Department Name : Security Team, Person in charge : Jaehoon Park

Contact : 010-4532-3888, pjh2051@naver.com

▪ Additional use and offer criteria

(1) is the person who processes personal information in accordance with Articles 15 (3) and 17 (4) of the Personal Information Protection Act.

"In consideration of Article 14-2 of the Enforcement Decree of the Personal Information Protection Act, we may additionally use and provide personal information without the consent of the information subject.

Item	Purpose of use and provision	Retention and Usage Period
Name, contact, and address	Send additional communications about the services you offer on a regular basis	Destroy as soon as it serves its purpose

② Accordingly, has considered the following points in order to make additional use and provision without the consent of the information subject.

• Whether the additional use or disclosure of personal information is related to the purpose for which it was originally collected.
  • Whether it is foreseeable, based on the circumstances under which the personal information was collected or the processing practices, that further use or provision of the personal information will be made
  • Whether the further use or provision of personal information unreasonably infringes on the interests of the data subject
  • Whether you've taken the necessary steps to ensure safety, such as pseudonymization or encryption.

Privacy officer and request for access to personal information

① is responsible for the processing of personal information in general, and designates a personal information protection officer as follows to handle complaints and damage relief of information subjects related to the processing of personal information.

The information subject may request access to personal information pursuant to Article 35 of the Personal Information Protection Act to the following departments. will endeavor to promptly process the information subject's request for access to personal information.

Separation	Full name, etc.	Contact
Privacy Officer	Job Title : ○○○ Director Name : ○○○	Phone number : Email : Fax number :
Privacy Office	Department Name: Contact Name :	Phone number : Email : Fax number :
Request access to personal information	Department Name: Contact Name	Phone number : Email : Fax number :

③ The information subject may contact the person in charge of personal information protection and the department in charge of personal information protection for all personal information protection-related inquiries, complaints, damage relief, etc. that occurred while using the service (or business) of . will respond to and handle inquiries from the information subject without delay.

▪ Remedies for infringement

① guarantees the right of self-determination of personal information of the information subject and strives to provide counseling and damage relief due to personal information infringement, and if you need to report or consult, please contact the department in charge below.

• Grievance Department Department Name: Management Team Person in Charge: Jaehoon Park

Contact: 010-4532-3888, Email: pjh2051@naver.com

The information subject may apply for dispute resolution or counseling to the Personal Information Dispute Mediation Committee, the Personal Information Infringement Report Center of the Korea Internet & Security Agency, etc. to receive relief from personal information infringement. For other reports and consultations on personal information infringement, please contact the following organizations.

1. Personal Information Dispute Mediation Committee : (without area code) 1833-()72 (www.kopico.go.kr)
2. Personal Information Infringement Report Center: (without area code) 118 (privacy.kisa.or.kr)
3. General Prosecutor's Office: 1301 (without area code) (www.spo.go.kr)
4. National Police Agency: 182 (without area code) (ecrm.cyber.go.kr)

③ A person whose rights or interests have been infringed upon by an action or omission taken by the head of a public institution in response to a request pursuant to the provisions of Article 35 (Access to Personal Information), Article 3 (Correction or Deletion of Personal Information), or Article 37 (Suspension of Processing of Personal Information) of the Personal Information Protection Act may file an administrative appeal in accordance with the Administrative Appeals Act.

• Central Administrative Appeals Commission: 110 (without area code) (www.simpan.go.kr)

▪ Changes to the Privacy Policy

This Privacy Policy is effective as of April 23, 2024.