The Company handles the collected personal information for the objectives described below. The handled personal information is not used for purposes other than the following purposes, and prior consent will be required if the purposes of use are modified:

• Provision of goods or services
• Service supply, content supply, customized service supply, etc.

• Personal information file name: AIRBOX CO., LTD.
• Personal information item: name, email, mobile phone number
• Collection method: website, written form
• Basis of retention: records on website inquiries
• Retention period: destroyed immediately after accomplishing the work purpose

① The Company currently does not commission personal information handling tasks.

② The Company specifies matters related to responsibilities such as prohibition of handling of personal information other than to perform the entrusted work, technical and administrative protection measures, restrictions on recommissioning, management and supervision of the commission company, and compensation for damages arising from the contract, etc. in the document and supervises whether the commission company handles personal information safely according to Article 25 of the Personal Information Protection Act when signing the commissioning contract.

③ When commissioned tasks or commission companies are changed, such will be announced without delay through the personal information handling policy.

A user shall be able to exercise the following rights as a personal information subject:

① An information subject shall be able to exercise the personal information protection-related rights in the following subparagraphs at all times:

• 1) Request to view personal information
• 2) Request to correct errors, etc.
• 3) Request to delete personal information
• 4) Request to stop handling

② The rights according to Paragraph (1) may be exercised toward the Company through written document, email, or document facsimile (fax) according to annex No. 8 Form in the Enforcement Rules of the Personal Information Protection Act, and the Company shall take immediate action for this.

③ When an information subject requests the correction or deletion of personal information-related errors, etc., the Company shall neither use nor provide the relevant personal information until the requested information is corrected or deleted.

④ The rights in Paragraph 1 may be exercised through agents such as legal representatives of the information subject or those who have been delegated accordingly. In such case, a power of attorney should be submitted according to annex No. 11 Form in the Enforcement Regulations of the Personal Information Protection Act.

The Company handles the following personal information items:

• Required items: name, email, mobile phone number
• Optional item: inquiry type, messages
• Collection method: website, written form

In principle, once the purpose of personal information handling is achieved, the Company may destroy the related personal information without delay. The destruction procedure, deadline, and method are as follows:

• The information inputted by a user is transferred to a separate database (a separate document for paper-based information) and saved for a certain period or immediately destroyed according to the internal policies and other related acts. Here, the personal information transferred to the database shall not be used for purposes other than those specified in the acts. The personal information of a user who specifies the destruction due-date is destroyed within five days of the end date of the retention period when the retention period lapses. The user's personal information is also destroyed within five days of the date when the processing of personal information is considered unnecessary such as accomplishment of purpose of personal information handling, required service's abolition, or business termination.
• Destruction method for electronic file format information, technical methods that cannot reproduce the record are employed.
• Personal information produced in paper is destroyed using paper shredders or through incineration.

The Company will take all the necessary technical, managerial, and physical measures to ensure the safety of personal information as follows in accordance with Article 29 of the Personal Information Protection Act:

① Periodic auditing

The Company conducts its own audit on a regular basis (quarterly) to secure the reliability of personal information handling.

② Minimization of the number of personal information handling staff and education

The staff who are responsible for personal information handling are designated, and the Company takes measures to manage personal information by minimizing the number of such staff.

③ Establishment and enforcement of internal management plan

The Company has established and enforced internal management plans for the secure handling of personal information.

④ Technical measures to cope with hacking, etc.

To prevent the leak or damage of personal information due to hacking or computer viruses, the Company installs security programs and updates and inspects such programs on a regular basis. The system is installed in a place where access from the outside is controlled and monitored and blocked technically and physically.

⑤ Encryption of personal information

The Company employs additional security functions such as encryption of files and sending of data for important data that can be identified by the user only or use of file lock function as the passwords in the users' personal information are stored and managed after being encrypted.

⑥ Archiving connection logs and prevention of forgery and alteration

The log data of the connection to the personal information handling system shall be archived and managed for at least six months, and security functions are used to prevent forgery, alteration, theft, and loss of connection log data.

⑦ Access control of personal information

The Company takes the necessary measures for access control of personal information through the assignment, modification, and cancellation of access rights to the database system that handles personal information and controls unauthorized access from outside using the intrusion prevention system.

⑧ Use of locking device for document security

Documents and auxiliary storage media containing personal information are stored in a secure place equipped with a locking device.

⑨ Access control of unauthorized persons

The Company has put a separate physical storage place for personal information archiving and established and enforced the access control procedure.

① The Company has appointed a person in charge of personal information protection as follows to oversee the task of personal information handling and handle complaints and damage relief of information subjects in relation to personal information handling:

• [Person in charge of personal information protection]
• Name : Ji-Hyun Kim
• Position : Chief of Dept.
• Telephone : admin@airbox.co.kr, +82-32-819-3690

※ It is connected to the department in charge of personal information protection.

• [Department in charge of personal Information]
• Department name : Admin Dept.
• Person in charge : Ji-Hyun Kim Chief of Dept.
• Telephone : admin@airbox.co.kr, +82-32-819-3690

② The information subject may ask the person and department in charge of personal information protection regarding all personal information protection-related inquiries, complaint handling, and compensation for damage that occurred while using the company services (or businesses). The Company will answer and process the inquiry from the information subject without delay.

The personal information handling policy shall become effective on the implementation date and, if amended, removed, or corrected in line with the relevant laws and regulations and guidelines, shall be published via a notice seven (7) days prior to the implementation of amendment.