PT. Indounni Beauty (hereinafter "IUCS") complies with the Personal Information Protection Act and related laws and provides customer consultation services (hereinafter "services") on the IndoUnni CS website (Indounni.com, hereinafter "the site"). In accordance with Article 30 of the Personal Information Protection Act, IUCS establishes and discloses the following privacy policy to protect the personal information and rights of data subjects and to handle related grievances smoothly.

1. Purpose of Processing Personal Information and Collection Items IUCS collects minimal personal information as follows to provide services.

2. Processing and Retention Period of Personal Information

1) IUCS will continue to retain personal information collected while the data subject uses the services, but will promptly delete it when the agreed period expires or when grounds for deletion arise due to the termination of IUCS's service provision.

2) Notwithstanding paragraph 1, when preservation is necessary according to relevant laws, personal information will be retained for a certain period as stipulated by those laws.

3. Provision of Personal Information to Third Parties

1) IUCS processes personal information only within the scope specified at the time of collection and provides personal information to third parties only in cases falling under Articles 17 and 18 of the Personal Information Protection Act with the consent of the data subject; otherwise, the data subject's personal information is not provided to third parties.

2) In accordance with the "Guidelines for Processing and Protecting Personal Information in Emergency Situations" jointly announced by government departments, IUCS may provide personal information to relevant agencies without the consent of the data subject in emergency situations such as disasters, infectious diseases, incidents or accidents causing imminent danger to life or body, or imminent property loss. In such cases, IUCS will provide only the minimum necessary personal information based on legal grounds and will not provide it for purposes other than intended.

4. Entrustment of Personal Information Processing

1) IUCS entrusts personal information processing tasks as follows to provide and improve services smoothly. IUCS stipulates necessary matters to ensure that personal information is safely managed in accordance with relevant laws when making entrustment contracts, and the information entrusted is limited to the minimum necessary to achieve the purpose.

2) When concluding entrustment contracts, IUCS specifies in documents such as contracts, in accordance with the Personal Information Protection Act, matters concerning prohibition of processing personal information beyond the purpose of performing entrustment tasks, security measures, restrictions on re-entrustment, management and supervision of trustees, liability for damages, etc., and supervises whether trustees safely process personal information.

3) If the content of entrustment tasks or trustees changes, it will be disclosed through this privacy policy.

5. Additional Use of Personal Information

1) IUCS may additionally use personal information without the consent of members in accordance with Article 15, Paragraph 3 of the Personal Information Protection Act to provide services smoothly.

2) IUCS considers the following when additionally using personal information:

◆ Whether it is related to the original collection purpose

◆ Whether the additional use of personal information is predictable in light of the circumstances of collection or processing practices

◆ Whether it unduly infringes on the interests of users

◆ Whether necessary security measures such as pseudonymization or encryption have been taken

6. Processing of Personal Information of Children Under 14

1) When collecting personal information from children under 14, IUCS collects the minimum necessary personal information for providing the relevant services under Article 2 with the consent of a legal representative.

2) When collecting personal information from children under 14, IUCS may request minimal information such as the legal representative's name and contact information from the child and verifies that a valid legal representative has consented through one of the following methods.

7. Rights and Obligations of Data Subjects and Legal Representatives and How to Exercise Them

1) Data subjects may exercise rights such as viewing, correcting, deleting, and requesting suspension of processing of personal information at any time against IUCS.

2) The rights under paragraph 1 may be exercised in writing, by email, etc., to IUCS, and IUCS will take action without delay.

3) The rights under paragraph 1 may be exercised through the data subject's legal representative or a delegated agent. In this case, a power of attorney in accordance with the Personal Information Protection Act must be submitted.

4) If a data subject requests correction of an error in personal information, IUCS will not use or provide that personal information until the correction is completed. Additionally, if incorrect personal information has already been provided to a third party, IUCS will promptly notify the third party of the correction results so that corrections can be made.

5) The data subject's request to view personal information and suspend processing may be limited under Article 35, Paragraph 4 and Article 37, Paragraph 2 of the Personal Information Protection Act.

6) If personal information is specified as a collection target in other laws, correction and deletion of that personal information cannot be requested.

7) When a request for viewing, correction, deletion, or suspension of processing is made according to the rights of the data subject, IUCS verifies that the person making the request is the data subject or a legitimate agent.

8. Destruction of Personal Information

1) In principle, IUCS promptly destroys the relevant personal information when the period agreed upon by the data subject expires or the purpose of processing personal information is achieved.

2) If personal information must continue to be preserved according to laws despite the expiration of the retention period agreed upon by the data subject or the achievement of the processing purpose, the personal information is moved to a separate database (DB) or stored in a different storage location.

3) The procedure and method for destroying personal information are as follows:

◆ Destruction procedure: IUCS selects personal information for which grounds for destruction have arisen and destroys it with the approval of the personal information protection officer.

◆ Destruction method: Personal information recorded and stored in electronic file form is destroyed using technical and physical methods so that the records cannot be reproduced, and personal information recorded and stored on paper documents is destroyed by shredding or incineration.

9. Installation, Operation, and Rejection of Automatic Personal Information Collection Devices

1) IUCS installs and operates devices that automatically collect personal information, such as 'cookies' that regularly save and retrieve information about data subjects.

2) Cookies are very small text files sent by the server operating IUCS's website to the data subject's browser and are stored on the data subject's computer hard disk.

◆ Purpose of using cookies: Analyzing the frequency of access or visit time of data subjects, identifying their preferences and areas of interest, and using them as indicators for service improvement. Tracking information about web pages viewed to provide differentiated business information.

◆ Installation, operation, and rejection of cookies: Data subjects have the option regarding cookie installation. By setting options in their web browser, they can allow all cookies, go through verification each time a cookie is saved, or reject the storage of all cookies. However, if data subjects reject cookie installation, there may be difficulties in providing some services.

◆ Method to reject cookie settings:

- Internet Explorer web browser: [Tools] > [Internet Options] > [Privacy] tab > Change [Settings]

- Chrome web browser: Upper right menu [Settings] > [Advanced] > [Content Settings] > [Cookies] settings

10. Collection, Use, Provision of Behavioral Information and Rejection

1) IUCS collects and uses behavioral information to provide optimized services and benefits to data subjects during service use.

2) IUCS collects the following behavioral information:

◆ Items collected: Device information (device identifier, operating system, hardware version, device settings, etc.), log information (access time, service use logs, records of improper use), usage information (search history, payment history, application history)

◆ Collection method: Automatic collection when visiting/executing websites and other methods allowed by relevant laws and guidelines

◆ Collection purpose: To provide personalized product recommendation services (including advertising) based on users' interests and preferences

◆ Retention and use period: 2 years from the date of collection

11. Measures to Ensure the Safety of Personal Information

IUCS takes the following measures to ensure the safety of personal information:

◆ Administrative measures: Establishment and implementation of internal management plans, regular employee training, etc.

IUCS limits the handling of personal information to designated personnel and assigns separate passwords that are regularly updated. It also implements administrative measures to ensure compliance with the personal information handling policy, such as regular training on the acquisition of new security technologies and personal information protection obligations.

◆ Technical measures: Management of access rights to personal information processing systems, installation of access control systems, encryption of unique identification information, etc., installation of security programs, etc.

IUCS uses an intrusion prevention system to control unauthorized access from outside and strives to equip itself with all technically possible security devices to systematically secure security. The data subject's personal information is encrypted, stored, and managed. Important data is also protected through separate security functions such as encryption during storage and transmission.

◆ Physical measures: Access control to computer rooms, data storage rooms, etc.

IUCS does its best to prevent the data subject's personal information from being leaked or damaged by hacking or computer viruses. IUCS installs systems in externally access-controlled areas, regularly backs up data to prepare for damage to personal information, and uses the latest antivirus programs to prevent the data subject's personal information or data from being leaked or damaged. It also enables secure transmission of personal information over networks through encrypted communication, etc.

12. Personal Information Protection Officer and Department

IUCS designates the following personal information protection officer to take overall responsibility for tasks related to personal information processing and to handle complaints and damage relief related to personal information processing:

▶ Personal Information Protection Officer

Department: PT. Indounni. Beauty

Name/Position: Simon Han

Contact: 628111189328

Email: simonhan@indounni.com

※ Connects to the Personal Information Protection Department.

▶ Personal Information Protection Department

Department: Administration Division

Manager: Celine Go

Contact: 6281297770352

Email: celinego@indounni.com

Data subjects may inquire with the Personal Information Protection Officer and department regarding all requests for viewing personal information and inquiries, complaints, and damage relief related to personal information protection that arise while using IUCS's services (or business). IUCS will respond to and handle data subjects' inquiries without delay.

13. Remedies for Infringement of Data Subjects' Rights

If you need to report or consult about personal information infringement, please contact the following institutions:

▶ Personal Information Infringement Report Center (operated by Korea Internet & Security Agency)

Responsibilities: Reporting personal information infringement, consulting applications

Website: privacy.kisa.or.kr

Phone: 118 (no area code)

Address: 3rd Floor, Personal Information Infringement Report Center, 9 Jinheung-gil, Naju-si, Jeollanam-do (Bitgaram-dong 301-2), 58324

▶ Personal Information Dispute Mediation Committee

Responsibilities: Applications for personal information dispute mediation, collective dispute mediation (civil resolution)

Website: www.kopico.go.kr

Phone: 1833-6972 (no area code)

Address: 4th Floor, Seoul Government Complex, 209 Sejong-daero, Jongno-gu, Seoul, 03171

▶ Supreme Prosecutors' Office Cyber Crime Investigation Division: 1301 (no area code) www.spo.go.kr

▶ National Police Agency Cyber Investigation Bureau: 182 (no area code) https://ecrm.cyber.go.kr

14. Changes and Notification of Privacy Policy

This privacy policy is effective from the implementation date, and if there are additions, deletions, or modifications to the content due to changes in laws/policies or security technologies, changes to the privacy policy will be announced through notices on the site at least 7 days before implementation. However, for significant changes affecting the rights of data subjects, notice will be given at least 30 days in advance, and the consent of data subjects may be obtained again if necessary.

Announcement date: September 13, 2023
Implementation date: October 14, 2023