Article 1 Collection, Use, Retention, and Destruction of Personal Information

Members

1. Purpose of Collection and Use

(1) Membership registration and authentication, provision of services, verification and prevention of “fraudulent use,” and customer support

(2) Payment, cancellation, and refunds

(3) Delivery

(4) Marketing and analysis

2. Profile Information

(1) Personal Information

・ Name, email address, password, CI, DI, gender, age group, occupational category, physical and biometric information (height, weight, etc.), health information, lifestyle habits, and questionnaire information

(2) Sensitive Information

・ Facial identity information, biosignals (pulse waves, height, weight, etc.)

(3) Unique Identifying Information

ㆍ PC : MAC address, PC specifications, browser information, and program version information used during service use

ㆍ Mobile devices (mobile phones, tablets, etc.) : device type, OS information, device-specific unique identifiers (UDID, UUID, ADID/IDFA, IMEI, etc.), mobile carrier

ㆍ Other information : service usage (suspension) records, website/mobile application access date and logs, cookies, and access IP information

(4) Payment Information

ㆍ Card issuer name, card number, expiration date, card password, date of birth

(5) Delivery Information

ㆍ Delivery address, postal code, recipient

(6) Marketing and Analysis Information

ㆍ IDFA, ADID

3. Retention and Use Period

(1) Membership registration and authentication, service provision, prevention of fraudulent use, and customer support

ㆍ Deleted one month after membership withdrawal request

(2) Payment, cancellation, refund, and delivery

ㆍ Retained for five (5) years (Act on Consumer Protection in Electronic Commerce, etc.)

(3) Marketing and analysis

ㆍ Learning information excluding personal information is retained permanently for analysis and statistical purposes

※ “Fraudulent use” refers to acts of illegally or unfairly obtaining economic benefits such as coupons or event benefits provided by the “Company” through repeated membership withdrawal and re-registration or subscription cancellation, acts prohibited under the Terms of Service, identity theft, or other illegal acts.

※ All of the above information may be used to provide customized information and for statistical and analytical purposes in connection with service use.

Event Participants

1. Method of Collection

(1) Event participation

ㆍ mission of event winner information through SNS, communities, bulletin boards, etc.

(2) Event winners

ㆍ Collected from winners via text message, email, or phone call

2. Collected Information

(1) Event participation

ㆍ Name, email address, mobile phone number

(2) Event winners

ㆍ Physical prizes : recipient name, contact number, address, postal code

ㆍ Coupons : name, email address, mobile phone number

3. Purpose of Use

(1) Event participation : selection of winners

(2) Event winners : delivery of prizes

4. Retention and Destruction

ㆍ Collected information is destroyed within thirty (30) days after the end of the event

Dormant Members

1. Dormant members are members who have no service usage records for one (1) year after the last use of the service.

2. Personal information of such members is separately stored and securely retained, and notification is sent to the relevant members via text message or email at least thirty (30) days prior to the date of separate storage.

3. If dormant members wish to continue using the service before separation into the dormant user database, they must log in to the site.

4. Members may reuse their accounts upon request.

Information Collected and Retained Pursuant to Laws

1. Records on payment and supply of goods : five (5) years (Act on Consumer Protection in Electronic Commerce, etc.)

2. Records on contracts or withdrawal of subscription : five (5) years

3. Records on electronic financial transactions : five (5) years

4. Records on consumer complaints or dispute resolution: three (3) years

5. Records on advertising and display : six (6) months

6. Website access records : three (3) months (Communications Secrecy Protection Act)

Article 2 Provision of Personal Information to Third Parties

1. Personal information retained for service provision or compliance with statutory obligations may be provided to third parties within the scope of the original purpose of collection.
2. The “Company” does not use or provide personal information beyond the scope specified in this policy without user consent, except in the following cases:
   (1) Where the data subject has given prior consent
   (2) Where necessary for payment settlement related to service provision
   (3) Where required by investigative or judicial authorities pursuant to applicable laws
   (4) Where provided in a form that does not identify specific individuals for statistical, academic research, or market research purposes
   (5) Where requested pursuant to procedures prescribed by other relevant laws

(Mandatory) Status of Provision of Personal Information to Third Parties

1. Recipient

ㆍ Customers of the “Company”

2. Purpose of Provision

ㆍ Verification of customer usage status and improvement rate indicators

3. Items Provided

ㆍ Personal information (name, nickname, date of birth, gender, mobile phone number, nationality status, CI)

ㆍ nt position information, exercise records (type, duration, frequency, calories burned, etc.), exercise goals, height, weight, physical and exercise improvement rates

4. Retention Period

ㆍ Until the recipient’s purpose of use is achieved (subject to statutory retention periods)

Article 3 Outsourcing of Personal Information Processing

1. The “Company” outsources the processing of personal information as follows to ensure smooth service provision and efficient operations.

2. The “Company” continuously supervises and manages whether entrusted parties securely process personal information, and ensures immediate destruction of personal information held by entrusted parties upon termination of entrusted tasks.

Domestic Outsourcing of Personal Information Processing

DK Techin Co., Ltd. : Notification delivery (Kakao message delivery)

Mesa Cure Company Co., Ltd. : Provision and operation of user authentication functions based on facial recognition information (retained until one month after membership withdrawal or termination of outsourcing agreement)

※Mesa Cure Company Co., Ltd. provides technical infrastructure and analysis systems for facial recognition functionality. Facial images are not stored; only facial feature data generated for user authentication is retained for the above period and then irreversibly destroyed. The entrusted party does not use collected facial data for purposes other than user authentication or provide it to third parties.

Overseas Outsourcing of Personal Information Processing

Amazon Web Services (AWS) : Server provision (infrastructure for service operation)

Article 4 Procedures and Methods of Destruction of Personal Information

In principle, the “Company” destroys personal information immediately after the purpose of retention is achieved.

1. Destruction Procedures

Personal information for which the purpose of collection and use has been achieved is transferred to a separate database (or separate filing cabinet for paper documents) and securely stored in accordance with internal regulations and applicable laws, and destroyed without delay upon expiration of the retention period.

2. Destruction Methods

(1) Electronic files are deleted using technical methods that prevent recovery.

(2) Paper documents are destroyed by shredding or incineration.

Article 5 Rights of Members and Methods of Exercise

1. Users of the “Company’s” services (or legal guardians for users under the age of 14) may exercise the following rights as data subjects.
2. Members may request access, correction, withdrawal of consent, deletion, or viewing of their personal information at any time. However, refusal to consent to personal information processing may limit some or all services.
3. Requests for access, correction, or modification may be processed through the personal information management menu on the website or via one-on-one inquiries.
4. Requests for access pursuant to Article 35 of the Personal Information Protection Act may be submitted to the department below.

   Department Handling Personal Information Access Requests

   ㆍ Department : Healthcare Business Division

   ㆍ Contact : +82-70-4776-3304

   ㆍ Email : unocare@unovins.com

5. Withdrawal of consent and deletion may be requested via one-on-one inquiries. However, such withdrawal or deletion may restrict service use.
6. Membership withdrawal may be requested through “Settings > My Information Management > Withdraw,” and will be processed automatically one month after the request.
7. Customer consultations may be recorded, and separate notice will be provided by the counselor.

Article 6 Personal Information Protection Officer and Contact Information

The “Company” designates the following Personal Information Protection Officer.

1. All inquiries, complaints, and remedies related to personal information protection may be directed to the above contact points.
2. Data subjects may seek remedies through the following institutions:
   • Personal Information Infringement Report Center : 118 / privacy.kisa.or.kr
   • Supreme Prosecutors’ Office Cyber Crime Division : 1301 / www.spo.go.kr
   • National Police Agency Cyber Safety Bureau : 182 / www.cyber.go.kr
   • Personal Information Dispute Mediation Committee : 1833-6972 / www.kopico.go.kr
3. Data subjects may file administrative appeals pursuant to the Administrative Appeals Act.

Article 7 Information Security Efforts of the Company

The “Company” strives to protect users’ personal information and implements the following technical and administrative measures to ensure safety against loss, theft, leakage, alteration, or damage.

1. Regular Internal Audits

Regular internal audits (once per quarter) are conducted to ensure stability in personal information handling.

2. Encryption of Personal Information

Personal information is encrypted and securely stored and managed in accordance with relevant laws and internal policies.

3. Measures Against Hacking

The “Company” makes best efforts to prevent leakage or damage of personal information due to hacking or computer viruses.

4. Minimization and Training of Personnel

Access to personal information is limited to designated personnel, with separate passwords assigned and periodically updated. Regular training is conducted to emphasize compliance with this Privacy Policy.

5. Operation of Dedicated Personal Information Protection Organization

The “Company” operates an internal personal information protection organization to monitor compliance and promptly correct any identified issues. However, the “Company” bears no responsibility for issues arising from users’ negligence or Internet-related problems resulting in leakage of IDs, passwords, or other personal information.

Article 8 Obligation to Notify

Policies on changes to this Privacy Policy are as follows:

This Privacy Policy takes effect as of the effective date. Any additions, deletions, or amendments due to changes in laws or policies will be announced through Service notices and via text message or email at least seven (7) days prior to implementation. In cases involving significant changes affecting users’ rights, such as collection, use, or third-party provision of personal information, notice will be provided at least thirty (30) days in advance.

Article 9 Miscellaneous

This Privacy Policy does not apply to the collection of personal information by websites of other companies linked through the Services. Users should review the privacy policies of newly visited websites.