Article 1 (Purpose of Personal Information Processing)

he Company shall process personal information for the following purposes. Personal information to be processed shall not be used for purposes other than the purposes specified below. If there is any change to the intended purposes, the Company shall take necessary measures, such as obtaining consent separately in accordance with the Personal Information Protection Act and other relevant laws.

The following shall specify the purposes of personal information processing that the Company performs based on the business affairs of personal information processing:

1. Receipt of Customer Inquiry:
   • Processing personal information to seamlessly respond to customer inquiries upon receipt.
2. Receipt at the Voice of Customer:
   • Processing personal information to seamlessly respond to and handle customer reports and grievances received through the Voice of Customer.

Article 2 (Personal Information Processing and Retention Period)

1. The Company shall retain and process personal information within the personal information retention and usage periods by relevant laws, or within the personal information retention and usage periods for which consent has been obtained from customers when collecting personal information.
2. The personal information processing/retention period and the grounds for personal information retention shall be as follows:
   • 1) In the case of records on customer complaints or dispute resolution: Three (3) years under the Act on the Consumer Protection in Electronic Commerce;
   • 2) For records of website visits: Three (3) months (retention of communication confirmation data under Article 41 of the Act on the Protection of Communications Secrets);
   • 3) Other cases where consent has been individually obtained from customers: The period for which consent has been obtained.

Notwithstanding the retention periods prescribed above, if it is necessary to continuously retain personal information, the Company shall obtain consent from customers.

Article 3 (Matters Related to Offering Personal Information to Third Party)

1. In principle, the Company shall process personal information of customers only within the explicitly specified scope of purposes for personal information collection and usage and shall offer personal information to a third party only when consent has been obtained from a customer, or there are special provisions by relevant laws.
2. In providing personal information to a third party, the Company shall inform customers of the following, and obtain his/her consent:
   • The receiving party of personal information;
   • The purposes of the receiving party of personal information in using personal information;
   • The receiving party’s purpose of using personal information;
   • Specific personal information to be provided;
   • The period during which the receiving party retains and uses the personal information.
3. The preceding paragraphs shall not apply to the cases falling under any of the following:
   • In cases where prior consent of a customer has been obtained;
   • In cases where there are special provisions by relevant laws;
   • In cases where an investigation agency demands personal information for investigation purposes following the predetermined procedures and methods as prescribed by relevant laws.

Article 4 (Entrustment of Personal Information Processing)

1. The Company does not entrust personal information processing to a third party.

Article 5 (Rights and Duties of Data Subjects, and Methods to Exercise the Rights)

1. A customer as a data subject may exercise at any time the following rights related to personal information protection against the Company:
   • 1) The right to demand access to his/her personal information;
   • 2) The right to demand correction of an error, etc., if any;
   • 3) The right to demand deletion;
   • 4) The right to demand the suspension of personal information processing.
2. In exercising the rights under paragraph 1, a customer can do so by writing, e-mails, facsimile, etc., using Form 8 under the Enforcement Rules of the Personal Information Protection Act, and the Company shall take measures immediately.
3. If a customer demands correction or deletion of an error, etc., of his/her personal information, the Company shall not use or provide the relevant personal information until when correction or deletion thereof is completed.
4. The rights under paragraph 1 shall be exercised by representatives such as a legal representative or a duly authorized representative. In such cases, the power of attorney in conformance with Form 11 under the Enforcement Rules of the Personal Information Protection Act must be submitted.

Article 6 (Items of Personal Information Processing, and Collection Methods)

1. The Company shall process the following items of personal information to seamlessly respond to customer inquiries, and customer complaints received at the Voice of Customer.
   • Information for collection: e-mails
2. The following items of personal information may be automatically generated and collected in the course of using the Internet service.
   • IP addresses accessing the websites, cookies, records on service usage, access logs, etc.
3. The Company shall collect personal information by the following method:
   • Obtaining consent from a customer in the course of his/her using the service.

Article 7 (Destruction of Personal Information)

1. The Company shall immediately destruct personal information when such personal information becomes unnecessary due to reasons such as lapse of the personal information retention period, or fulfillment of the purpose of personal information processing.
2. Regardless of the lapse of the personal information retention period for which consent has been obtained from a customer, or fulfillment of the purpose of personal information processing. If it is necessary to continue to retain personal information in accordance with other relevant laws, such personal information shall be retained after moving to a separate database or different storage location.
3. The procedure and methods for personal information destruction shall be as follows:
   • 1) The destruction procedure: The Company shall select personal information for which a ground of destruction thereof occurs, and destruct personal information after obtaining approval from the person responsible for personal information protection at the Company;
   • 2) The destruction methods : The Company shall destroy personal information recorded and stored in electronic file forms by means that make it impossible to reproduce the records of such information, and destroy personal information registered and stored in paper documents by shredding such documents using a shredder or incinerating them.

Article 8 (Measures to Ensure Safety of Personal Information)

The Company shall take the following measures to ensure safety of personal information.

1. Administrative measures: Establishment and implementation of internal management plans, regular training for employees, and collection of personal information protection pledges, etc., from the persons responsible for personal information processing.
2. echnical measures: Access authority management for personal information processing systems, etc., installation of access control systems, encryption of unique identification information, etc., and installation of security programs.
3. Physical measures: Access control of computer rooms, material storage room, etc.
   • 1) Encryption of personal information : Personal information of a customer is encrypted, stored, and managed so that only an information owner can know such information. In the case of critical data, separate security functions are used such as encryption of files and data for transmission, or file locking functions.
   • 2) Technical measures against hacking, etc. : The Company shall install security programs to prevent leakage or damage of personal information caused by hacking, computer viruses, etc. These programs shall be regularly updated and inspected. The Company shall install systems in controlled areas with restricted external access to monitor and prevent unauthorized access technically and physically.
   • 3) Access to personal information : Necessary measures shall be taken for access control of personal information such as granting, change, and deletion of access authority to database systems processing limited personal information, and any unauthorized access from the outside shall be controlled using firewall systems.
   • 4) Retention of access records and prevention of forgery or alteration : The records on access to personal information processing systems shall be stored, and managed, and security functions shall be used to prevent such access records from being forged, altered, stolen, or lost.
   • 5) Using locking devices for document security : Documents with personal information, auxiliary storage media, etc., shall be kept in a safe location.
   • 6) Access control against unauthorized persons : Physical storage locations for personal information shall be designated separately, with access controls established and maintained to prevent unauthorized access.

Article 9 (Matters of Installation, Operation, and Refusal of Automatic Personal Information Collection Devices)

The Company shall operate cookies, etc., capable of storing and finding customer information frequently as needs arise. Cookies are small text files that the servers running the Company website transmit to the browser of a customer, and that are stored in the customer’s computer hard drive. The Company may run cookies for the following purposes.

1. Purposes of Using cookies, etc.
   • Cookies, etc., shall be used to carry out target marketing and offer personalized services to a user through analyses of the frequency of access to websites and visit time, identification, and analyses of areas of interest of the user, and identification of the number of participation and visits to events, etc.
2. Collection Items of Cookies
   • Cookie ID (stored for the usage of service, and deleted in the case of refusal)
3. Methods to Refuse Installation of Cookies
   • A customer has a right of choice in the installation of cookies. By choosing one of options on a web browser, a customer may allow all cookies, make it mandatory to check every time cookies are stored, or refuse the storage of all cookies.
   • An example of installation method (in the case of the Internet Explorer) : Select in the order of Tools on top of a web browser > Internet Options > Personal Information > Advanced > Installation Method.
   • However, if a customer refuses storage of cookies, he/she may face difficulties in using some of the services.

Article 10 (Responsible Person for Personal Information Protection)

1. The Company shall take overall responsibility for the duties of personal information processing and designate the person responsible for personal information protection and the person in charge of personal information protection to handle customer complaints, and remedy damage with respect to personal information processing.
   • 1) Person responsible for personal information protection : An Hong-sik;
   •  
   • 2) Person in charge of personal information protection : Hwang In-chang;
     • Phone: 02-519-3325
     • E-mail: inchang@ypzinc.co.kr
2. A customer may contact the responsible person for personal information protection and the person in charge of personal information protection with respect to any matters related to inquiries, complaints, remedy for damage, etc., that may arise out of., or in connection with the use of the service (or business) of the Company. Upon receipt thereof, the Company shall immediately provide feedback and process them.

Article 11 (Claim for Access, Correction, Deletion, or Suspension of Processing, etc., of Personal Information)

A customer may file a claim for access, correction, deletion, or suspension of processing, etc., of personal information (hereinafter referred to as “Access, etc.”) to the following person in charge as in accordance with Article 35 of the Personal Information Protection Act. The Company shall exercise efforts to process such claims for access, etc., of personal information in a time-efficient manner.

1. Person in charge of receiving and processing claims for access, etc., of personal information:
   • 1) Person in charge: Park Gwang-il
   • 2) Phone: 02-519-3634
   • 3) E-mail: peace@ypzinc.co.kr

Article 12 (Methods of Relief from Infringement on Rights and Interests)

A customer may seek relief for damages arising from personal information infringement or request related consultations from the following institutions. The institutions are independent from the Company. If a customer is not satisfied with the outcome of the Company’s own handling of a personal information complaint or request for relief, or if further assistance is needed, the customer may contact these institutions.

1. The Personal Information Infringement Reporting Center run by the Korea Internet & Security Agency: Business affairs under its jurisdiction: Reporting infringement of personal information and requesting consultations.
   • Website: privacy.kisa.or.kr
   • Phone: (without area code) 118
   • Address: (138-950) The Personal Information Infringement Reporting Center at the Korea Internet & Security Agency at 135, Jungdae-ro, Songpa-gu, Seoul
2. The Personal Information Dispute Mediation Committee run by the Korea Internet & Security Agency:
   • Business affairs under its jurisdiction: Requesting personal information dispute mediation, and mediation of collective dispute (resolution under the Civil Act).
   • Website: privacy.kisa.or.kr
   • Phone: (without area code) 118
   • Address: (138-950) The Personal Information Dispute Mediation Committee at the Korea Internet & Security Agency at 135, Jungdae-ro, Songpa-gu, Seoul
3. The High-Tech and Financial Crimes Investigation Division at the Supreme Prosecutors’ Office (www.spo.go.kr / 02-3480-3573)
4. The Cyber Bureau at the Nation Police Agency (cyberbureau.police.go.kr / (without area code) 182)

Article 13 (Amendment of the Privacy Policy)

This Privacy Policy shall take effect on May 4, 2023.