Eastsoft Co., Ltd. (hereinafter referred to as ‘the Company’) places great importance on the personal information of its users and is committed to protecting it in compliance with the Personal Information Protection Act and related legal regulations.
In accordance with Article 30 of the Personal Information Protection Act, the Company has established and publicized the following privacy policy to guide the procedures and standards for processing personal information and ensure any related grievances can be handled promptly and smoothly.

1. Guidance on Collection and Use of Personal Information

1) The Company collects the minimum necessary personal information for service use.
2) The Company processes users' personal information as follows:

Membership Registration and Service Use
Purpose of Collection | Mandatory Items | Optional Items | Retention and Use Period
Membership Registration and User Identification | Email, Password | Name | 6 months after membership withdrawal
Inquiries and Complaint Handling | Name, Mobile Phone Number, Email | - | Up to 3 years according to related laws
Password Reset | Email, Password | - | 6 months after membership withdrawal
Social (SNS) Membership Registration | Google, Microsoft Name/Email | User-selected options | 6 months after membership withdrawal

Marketing
Purpose of Collection | Mandatory Items | Optional Items | Retention and Use Period
Transmission of information related to PERSO marketing and benefits, service-related updates, and news | Email | Name | Until consent withdrawal

Service Operation and Management
Purpose of Collection | Mandatory Items | Optional Items | Retention and Use Period
Payment Card Registration and Payment | For example: Card Number, Expiry Date, First 2 Digits of Card Password, Date of Birth/Business Registration Number, Email | - | Until membership withdrawal or up to 5 years according to related laws

Guidance on Processing Without Consent
• The Company informs subjects about personal information that can be processed without their consent, including the type of information and the legal basis for processing, through methods prescribed by Presidential Decree such as email.
During the service use process and the provision of service tasks, the following information may be generated or additionally collected:
- IP address, cookies, access logs, visit date and time, service use records, misuse records
The Company may collect additional personal information after obtaining consent from the subject for the purpose of providing specialized services.
Personal information is collected through the following methods:
- When data subjects agree to the collection of personal information and directly enter the information during the PERSO account creation process on the website
- When personal information is provided from affiliated services or organizations
- When the data subject provides information during service consultations through email, fax, phone, or written forms

2. Handling of Sensitive Information

The Company does not collect sensitive personal information of its users.

3. Processing of Personal Information for Children Under 14

Only users aged 14 and above can register for our services.

4. Processing of Pseudonymized Information

The Company processes pseudonymized information for the following purposes. Pseudonymized information refers to information that cannot identify a specific individual without the use of additional information to restore it to its original state.

Pseudonymized Information Processing
Purpose of Processing Items Processed Retention and Use Period

Measures for Ensuring the Safety of Pseudonymized Information
• The Company takes measures to ensure the safety of pseudonymized information and the additional information required for restoring it to its original state (hereafter referred to as "additional information").
• Pseudonymized information and additional information are stored separately. However, if additional information is unnecessary, it is destroyed.
• Access rights to pseudonymized information and additional information are separated, and minimum necessary access rights are granted for operational execution. Records of access rights are maintained.
• The Company prepares related records in this privacy policy to manage the processing content of pseudonymized information.
• The processing of pseudonymized information for the purpose of identifying specific individuals is strictly prohibited.
• If information capable of identifying specific individuals is generated during the processing of pseudonymized information, the processing of such information is immediately stopped, and the information is promptly retrieved and destroyed.

5. Installation and Rejection of Automatic Personal Information Collection Devices

To provide personalized and customized services, the Company uses 'cookies', which store and frequently retrieve users' information.

Definition of Cookies
A small text file sent by the server used to run the website to the user's browser and stored on the hard disk of the user's computer.

Purpose of Use
Cookies facilitate the use of the website as set by the user and are used to provide personalized and customized services by understanding the record of visits and usage patterns of the website by the user.

Rejection of Cookie Collection
Cookies do not store information that identifies individuals, and users have a choice whether to use cookies. Users can allow all cookies, check each time a cookie is saved, or refuse all cookies by setting the web browser.

Example of Cookie Settings

[Web]
Internet Explorer: Tools menu at the top of the web browser > Internet Options > Privacy > Settings
Chrome: Settings menu on the right side of the web browser > Show advanced settings at the bottom > Content settings button under Privacy > Cookies

[App]
(1) (Android) ① Settings → ② Privacy → ③ Ads → ④ Reset advertising ID or delete advertising ID
(2) (iPhone) ① Settings → ② Privacy → ③ Tracking → ④ Turn off Allow Apps to Request to Track
※ The menu and method may vary depending on the mobile OS version.

6. Retention, Use Period, and Destruction of Personal Information

1. Upon the expiration of the retention period of personal information consented by the user, or once the purpose of processing has been achieved, the Company will immediately destroy the personal information. In the case of electronic file types, they are deleted in a way that cannot be recovered or reproduced, and for records, printouts, documents, etc., they are shredded or incinerated.
2. However, if there is a need to preserve personal information according to the company's internal policy or relevant laws, the information will be securely stored in a separate database (DB) for a specified period. During this period, the Company will keep the personal information according to the provisions of the law and will not use the information for any other purposes.
3. The contents of personal information retention and destruction are as follows:

Reasons for information storage by the company's internal policy
Stored Information | Reason for Storage | Retention Period
User information | Prevention of wrongful sign-ups and usage upon withdrawal (stored and processed in an unidentifiable state) | 6 months from withdrawal
User records | Refund actions and complaint handling | 6 months after handling completion

Reasons for information storage according to relevant laws
Stored Information | Legal Basis | Retention Period
Records related to contracts or withdrawal of subscriptions | Act on the Consumer Protection in Electronic Commerce, Etc. | 5 years
Record of payment and supply of goods, etc. | Act on the Consumer Protection in Electronic Commerce, Etc. | 5 years
Record on consumer complaints or dispute resolution | Act on the Consumer Protection in Electronic Commerce, Etc. | 3 years
Record on advertising and display | Act on the Consumer Protection in Electronic Commerce, Etc. | 6 months
All transaction records and supporting documents as required by tax law | National Tax Service Basic Act | 5 years
Record of electronic financial transactions | Electronic Financial Transactions Act | 5 years
Record of access | Protection of Communications Secrets Act | 3 months
Record of communications confirmation | Protection of Communications Secrets Act | 12 months

7. Personal Information Processing Entrustment

1. The company entrusts some personal information processing tasks to trustees so that personal information can be handled smoothly.
2. When entering into an entrustment contract, in accordance with Article 26 of the Personal Information Protection Act, the company specifies in the contract and other documents matters related to responsibilities such as personal information processing outside of the purpose of performing entrusted tasks, technical and managerial protective measures, and supervises the trustee to ensure the secure processing of personal information.
3. If the content of the entrusted work or the trustee changes, we will promptly disclose it through the prior consent notification according to the related laws or through this personal information processing policy.

Guide to Personal Information Processing Entrustment Tasks and Trustees
Intercom | CS processing and operational tasks according to service use
Google LLC | Web usability analysis and improvement, account verification, and service provision for membership services
ESTsoft Inc. | Payment for the provision of paid services
Stripe, Inc. | Payment for the provision of paid services
Noticeable | Service-related update news
MS Azure | Data storage and management of computer systems
Microsoft | Account verification and service provision for membership services
Hotjar | Analysis of service usage behavior

8. Overseas Transfer of Personal Information

The company does not provide personal information to other businesses overseas. However, personal information processing tasks are transferred overseas for the purpose of fulfilling contracts related to the provision of information and communication services and enhancing user convenience. If you do not consent to the overseas transfer of personal information, you may notify your refusal by contacting the email of the department in charge of personal information protection (privacy@estsoft.com). However, in this case, you will no longer be able to use the related services.
Purpose | Items | Time and Method | Retention and Use Period | Company and Country
Data storage and system operation & management | - | Transferred via encrypted network when providing services | Until the earlier of consent withdrawal or contract termination | Azure Cloud / USA
Web usability analysis and improvement | Visit time, service usage records, Cookie ID | Transferred via encrypted network when providing services | Until the earlier of contract termination or 5 years from the collection date | Google LLC / USA
Payment for the provision of paid services | Transaction amount, card number, expiration date, first two digits of card password, date of birth/business registration number, email | - | Until membership withdrawal or up to 5 years in accordance with relevant laws | ESTsoft Inc. / USA
Payment for the provision of paid services | Transaction amount, card number, expiration date, first two digits of card password, date of birth/business registration number, email | - | Until membership withdrawal or up to 5 years in accordance with relevant laws | Stripe, Inc. / USA

9. Measures to Ensure the Security of Personal Information

The company has taken the following measures to ensure the security of personal information:

1) Managerial measures: Establishment and implementation of internal management plans, regular employee training
2) Technical measures: Management of access rights to personal information processing systems, installation of access control systems, encryption of personal information, installation and update of security programs
3) Physical measures: Access control for computer rooms, document storage rooms, etc.

10. Rights of Users and Legal Representatives and How to Exercise Them

1. Users can exercise their rights to request access, correction, deletion, and suspension of processing of personal information at any time, and can withdraw their consent to the use of personal information through a cancellation request.
- Access and modification of personal information can be done in the ‘Account Settings’ menu.
- Service cancellation and membership withdrawal can be requested through the ‘Account Settings>Membership Withdrawal’ menu.
2. The exercise of rights mentioned in paragraph 1 can be made to the company in writing, by email, or fax, in accordance with Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act, and the company will take immediate action.
3. The rights mentioned in paragraph 1 can also be exercised through a legal representative or an agent authorized by the user. In this case, a power of attorney in accordance with the format in Annex 11 of the "Notice on the Methods of Processing Personal Information (No. 2020-7)" must be submitted.
4. Requests for access and suspension of processing of personal information may be restricted under Article 35, Paragraph 4, and Article 37, Paragraph 2 of the Personal Information Protection Act.
5. Requests for correction and deletion of personal information cannot be made if the personal information is specified as a collection target in other laws.
6. The company verifies whether the person making the request for access, correction/deletion, or suspension of processing is the user or a legitimate representative.

11. Personal Information Protection Officer and Remedies for Infringement of User Rights

1. Users seeking remedies for personal information infringement can apply for dispute resolution or consultation to the Personal Information Dispute Mediation Committee, the Personal Information Infringement Report Center operated by the Korea Internet & Security Agency, etc. For other reports or consultations on personal information infringement, please contact the following institutions.
Personal Information Dispute Mediation Committee
Website https://www.kopico.go.kr/ Phone 1833-6972
Personal Information Infringement Report Center (Operated by the Korea Internet & Security Agency)
Website https://privacy.kisa.or.kr/ Phone (toll-free) 118
Cyber Crime Investigation Unit of the Supreme Prosecutors' Office
Website https://www.spo.go.kr/ Phone (toll-free) 1301
Korean National Police Agency
Website https://ecrm.police.go.kr/ Phone (toll-free) 182


2. Under Article 35 (Access to Personal Information), Article 36 (Correction and Deletion of Personal Information), and Article 37 (Suspension of Processing of Personal Information) of the Personal Information Protection Act, those whose rights or interests have been infringed upon by an action or inaction of a head of a public institution can file for administrative adjudication in accordance with the Administrative Adjudication Act.
Central Administrative Appeals Commission
Website https://www.simpan.go.kr/ Phone (toll-free) 110


Personal Information Protection Officer
1. The company is responsible for the overall management of personal information processing tasks and has designated a Personal Information Protection Officer to handle complaints and remedy damages related to personal information processing.
2. Users can inquire with the Personal Information Protection Officer and the designated department about all personal information protection-related queries, complaints, and remedy for damages arising while using the company's services. The company will respond promptly to users' inquiries.

Personal Information Protection Officer
Name: Kwon Taek-soon
Position: CTO

Personal Information Protection Department
Department: IT Infrastructure Information Security Team
Phone: 02-583-4620
Email: privacy@estsoft.com

12. Information Access Inquiry

Users may request access to their personal information under Article 35 of the Personal Information Protection Act from the following department.
The company will make an effort to process users' requests for access to personal information swiftly.

Department receiving and processing requests for information access:
Department Name: ESTsoft Customer Center
Contact Number: 1544-8209
FAX: (02)-882-1155
Email: perso.info@estsoft.com

13. Changes to the Personal Information Processing Policy

The company will notify users of any additions, deletions, or modifications to this personal information processing policy at least 7 days in advance.
However, in cases of significant changes to user rights such as changes to the items of personal information collected or the purpose of use, the company will notify at least 30 days in advance, and if necessary, re-obtain user consent.
1. This personal information processing policy will apply from July 30, 2024.

2. In case of changes to the personal information processing policy, the company will promptly announce it through the 'Notices' section of the company website.
- Announcement Date: July 23, 2024
- Effective Date: July 30, 2024