(hereinafter referred to as the “Company”) establishes and discloses the Privacy Policy as follows in order to protect the personal information of information subjects in accordance with Article 30 of the Personal Information Protection Act and to enable prompt and smooth handling of grievances related thereto.

Article 1 (Purpose of Personal Information Processing)

The Company processes personal information for the following purposes. The personal information processed will not be used for any purpose other than the following purposes, and if the purpose of use changes, the Company will take necessary measures such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.

1. Membership registration and management

- Personal information is processed for the purpose of confirming the intention to join the membership, identifying and authenticating the person in accordance with the provision of membership services, providing a better service use experience such as account recommendations, maintaining membership, preventing unauthorized use of the service, and handling various notices and grievances.

2. Provision of Services

- We process personal information for the purpose of providing services, providing content, providing customized services, payment and settlement of fees, etc.

3. Grievance handling

- We process personal information for the purpose of verifying the identity of the complainant, investigating the facts of the complaint, and notifying the result of the contact notification.

4. Utilization for marketing and advertising

- Personal information is processed for the purpose of developing new services (products) and providing customized services, providing services and displaying advertisements according to demographic characteristics, verifying the validity of services, identifying the frequency of access or statistics on members' use of services, etc.

Article 2 (Items of Personal Information Collected and Method of Collection)

The Company processes the following personal information items

1. membership registration

- Required: Email, password, SNS membership information, duplicate registration confirmation information (DI)

- Purpose of use: User identification, notice delivery, service use and counseling (Information automatically generated in the course of service use or business processing) Service usage history, access logs, cookies, access IP information, device information, and bad usage history

2. collection method

1)When a member directly enters the information when signing up for membership on the homepage/identity verification

2)When the user agrees to the collection of personal information and enters the information directly in events, sweepstakes applications, surveys, seminars, etc.

3)In the process of consultation through the customer center, the user's personal information may be collected after prior consent through webpage, mail, fax, telephone, etc.

3. The Company does not collect sensitive information that may infringe on the precious human rights of users in any case, and if it is unavoidably collected in accordance with the obligations stipulated by laws and regulations, the Company will always obtain prior consent from users. The Company collects users' personal information by having users enter it directly when registering for membership, automatically collecting it in the process of providing various services, email, telephone, etc.

Article 3 (Personal Information Retention and Use Period)

1. Until the user's request for withdrawal or withdrawal of consent to the collection and use of personal information. However, if there is a record of illegal use or suspected illegal use of the member in accordance with the Company's terms and conditions, the Company shall retain and destroy the personal information for 5 years from the time of collection, notwithstanding the user's request for withdrawal and withdrawal of consent to the collection and use of personal information.

2. Notwithstanding the Company's Privacy Policy, the information required to be kept by the following related laws and regulations shall be kept for the period prescribed by the laws and regulations.

1)Personal information related to service use (login records)

- Grounds for retention: 「Protection of Communications Secrets Act」.

- Retention period: 3 months

2)Records on display/advertising

- Retention basis: Act on Consumer Protection in Electronic Commerce etc.

- Retention period: 6 months

3)Records of consumer complaints or dispute handling

- Retention basis: Act on Consumer Protection in Electronic Commerce, etc.

- Retention period: 3 years

Article 4 (Provision of Personal Information to Third Parties)

The Company processes the personal information of the information subject only within the scope specified in Article 1 (Purpose of Processing Personal Information), and provides personal information to third parties only in cases falling under Articles 17 and 18 of the Personal Information Protection Act, such as the consent of the information subject and special provisions of the law.

The Company does not provide personal information to third parties without the prior consent of the user. However, to the extent necessary for the user to use the following services, the Company provides personal information to third parties after obtaining the user's consent. In other words, users who do not use the following services do not provide personal information.

[BloomingBit Service]

- Recipient: Sendgrid

- Purpose of Provision: Sending emails

- Items of personal information provided: Email address

- Period of retention and use of personal information by the recipient: Until withdrawal from membership or termination of service

- Recipient: Onesignal

- Purpose of provision: App push

- Personal information items provided: Device token, device information, IP information, user ID

- Period of retention and use of personal information by the recipient: Until withdrawal from membership or termination of service

- Recipient: Google

- Purpose of provision: Google Analytics, error information collection

- Personal information items to be provided: Device token, device information, IP information, user ID

- Period of retention and use of personal information by the recipient: Until withdrawal from membership or termination of service

- Recipient: Amazon Web Services, Inc.

- Purpose of provision: Email delivery

- Items of personal information provided: Email address

- Period of retention and use of personal information by the person to whom the personal information is provided: Until withdrawal from membership or termination of service

- Period of retention and use of personal information of the recipient: Until withdrawal from membership or termination of service

Article 5 (Overseas Transfer of Personal Information)

The Company may transfer personal information overseas or manage it overseas in order to provide services and improve the convenience of users as follows.

- Name and contact information of the transfer recipient: Amazon Web Service Inc., aws-korea-privacy@amazon.com

- Transferred countries: Japan, United States

- Date and method of transfer: Transfer via network at the time of service use

- Items of personal information transferred: Items collected in the Privacy Policy

- Purpose of the transfer recipient's use: Sending emails, operating and managing cloud servers containing personal information during the personal information retention period

- Period of retention and use by the transfer recipient: Until withdrawal from membership or termination of consignment contract

- Name and contact information of the transfer recipient: Google, googlekrsupport@google.com

- Transferred country: United States

- Transfer date and method: Transfer via network at the time of service use

- Personal information items transferred: device token, device information, IP information, user ID

- Purpose of use of the transfer recipient: Google Analytics, error information collection

- Period of retention and use by the recipient: Until withdrawal of membership or termination of consignment contract

- Name and contact information of the transfer recipient: Onesignal, privacy@OneSignal.com

- Transferred country: United States

- Date and method of transfer: Transfer via network at the time of service use

- Personal information items transferred: device token, device information, IP information, user ID

- Purpose of use of the transfer recipient: App push

- Period of retention and use of the transfer recipient: Until withdrawal from membership or termination of consignment contract

- Name and contact information of the transferred company: Sendgrid, privacy@twilio.com

- Transferred country: United States

- Date and method of transfer: Transfer via network at the time of service use

- Items of personal information transferred: Email address

- Purpose of use of the transfer recipient: sending emails

- Period of retention and use by the transfer recipient: Until withdrawal from membership or termination of consignment contract

Article 6 (Rights, obligations of the information subject and legal representative and how to exercise them)

1. The information subject may exercise the right to view, correct, delete, or request suspension of processing of personal information at any time against the Company.

2. The exercise of the rights under Paragraph 1 may be made in writing, e-mail, facsimile transmission (FAX), etc. to the Company in accordance with Article 41 (1) of the Enforcement Decree of the Personal Information Protection Act, and the Company will take action without delay.

3. The exercise of the rights under Paragraph 1 may be made through an agent, such as the legal representative of the information subject or a person who has been delegated. In this case, a power of attorney in the form of Appendix No. 11 to the Enforcement Rules of the Personal Information Protection Act must be submitted.

4. Requests for access to personal information and suspension of processing may limit the rights of the information subject pursuant to Article 35 (4) and Article 37 (2) of the Personal Information Protection Act.

5. A request for correction and deletion of personal information cannot be made if the personal information is specified as the subject of collection in other laws.

6. The Company shall verify whether the person making a request for access, correction, deletion, or suspension of processing in accordance with the rights of the information subject is the person or his/her legitimate representative.

Article 7 (Procedure and Method of Destruction of Personal Information)

In principle, the Company shall destroy the user's personal information without delay when the purpose of collecting and using personal information is achieved. The procedure, deadline, and method of destruction are as follows. However, if the Company obtains separate consent from the user for the period of personal information storage, or if a law imposes an obligation to keep information for a certain period of time, the Company will keep the personal information securely for that period of time.

1. Destruction Procedure

The information entered by the user is transferred to a separate database (separate documents in case of paper) after the purpose is achieved and stored for a certain period of time in accordance with internal policies and other relevant laws and regulations, or destroyed immediately. In this case, the personal information transferred to the DB will not be used for any other purpose unless required by law.

2. destruction method

1)Personal information stored in the form of electronic files is permanently deleted using technical methods that cannot reproduce the records. Personal information printed on paper shall be destroyed by shredding or incineration.

2)In the case of obtaining separate consent from the user for the storage period of personal information, the Company shall retain personal information for 5 years from the date of termination of the use contract in order to prevent abuse of rights, abuse, and to prepare for various disputes and requests for investigation cooperation if the customer withdraws or is expelled.

Article 8 (Consignment of Personal Information Processing)

1. The Company consigns the processing of personal information as follows to improve its services, and stipulates the necessary matters to ensure that personal information is managed safely in the consignment contract in accordance with relevant laws and regulations. The Company's entrusted personal information processing organizations and entrusted tasks are as follows.

- Entrusted party (trustee): Amazon Web Service Inc.

- Details of consignment: Operation and management of cloud servers containing personal information during the period of personal information storage.

2. When entering into a consignment contract, the Company specifies in documents such as contracts the prohibition of processing personal information other than for the purpose of performing consignment work, technical and administrative protection measures, restrictions on re-consignment, management and supervision of the consignee, and liability for damages in accordance with Article 26 of the Personal Information Protection Act, and supervises whether the consignee processes personal information safely.

3. If the content of the entrusted work or the entrustee changes, we will disclose it through this Privacy Policy without delay.

Article 9 (Installation/Operation and Rejection of Automatic Personal Information Collection Devices)

1. The Company uses 'Cookies' to store and retrieve user's information from time to time in order to provide personalized and customized services.

2. Cookies are very small test files that the server used to operate the website sends to the user's browser and are stored on the device used by the user (PC, smartphone, tablet, etc., among devices that can use the service). When you subsequently visit the Website, the Website server reads the contents of the cookie stored on your hard disk to maintain your preferences and provide you with personalized services. Cookies do not automatically or actively collect personally identifiable information, and you can refuse to store or delete these cookies at any time.

3. Purpose of use of cookies, etc.

The Company uses cookies to identify the type of access and use of each of the Company's services and websites visited by users, secure connection, news editing, and user size to provide users with optimized and customized information, including advertisements.

4. Installation/operation and rejection of cookies

You have the option to install cookies. Therefore, you can accept all cookies, confirm each time a cookie is saved, or refuse to save all cookies by setting options in your web browser. However, if you refuse to accept cookies, you may have difficulty using some services that require you to log in. Here's how to specify whether or not to allow cookies to be installed.

- Web browsers

Microsoft Edge : [dot icon] > [Settings] > [Cookies and site permissions] > [Manage and delete cookies and site dating].

Chrome : [Settings] > [Advanced settings] > [Privacy and security] > [Site settings] > [Cookies].

- Analyzing logs through Google Analytics

The Company uses Google Analytics to analyze logs. It cannot identify you and is only used for aggregate log analysis. You can reject the collection of Google Analytics (by using the 'Block Cookie Settings' or 'Google Analytics Opt-out Browser Add-on').

- Analyzing service usage history when using the App

When you use the App, the following information may be collected from app stores or advertisers for smooth and normal service. Google Advertising ID, Android ID (Android OS only), device information (model name, OS version, unique identification number)

- You can opt out of the collection of advertising identifiers in the following ways.

-> On Android, [Settings > Google > Ads] or [Settings > General > Account & sync > Google > Privacy & personal information > Ads settings].

-> On iOS, [Settings > Privacy > Ads].

Article 10 (Technical and administrative protection measures for personal information)

The Company considers your personal information as the most valuable value and makes the following efforts in handling your personal information.

1. We encrypt your personal information.

The Company transmits users' personal information using encrypted communication sections and keeps important information encrypted.

2. Efforts are made to protect against hacking and computer viruses.

The Company has installed a system in an area with controlled access from the outside to prevent the leakage or damage of users' personal information due to hacking or computer viruses. We have installed a system that can detect and block intrusions by hackers, etc. and monitor them 24 hours a day, and we have installed an antivirus program to prevent the system from being infected with the latest malware or viruses.

3. We minimize the number of people who have access to valuable personal information.

The Company minimizes the number of employees who handle personal information to reduce the risk of personal information leakage. In addition, the Company has established systematic standards for the creation and change of passwords and access rights to database systems that store personal information and systems that process personal information, and conducts continuous audits.

4. We provide regular training to our employees on the protection of users' personal information.

All employees who handle personal information are regularly trained on the obligations and security of personal information protection.

5. Managing personal IDs and passwords

In addition to the above efforts, users themselves should be careful not to disclose their passwords to third parties. In particular, always be careful not to leak passwords through PCs installed in public places. We recommend that only you use your ID and password, and that you change your password frequently.

Article 11 (Personal Information Management Officer and Person in Charge)

The Company has designated the person in charge of personal information protection and the person in charge of viewing requests as follows to manage the collected personal information of members, and will promptly and sincerely respond to inquiries related to personal information.

- Person in charge : Sanha Kim

- Position : CEO

- Email : help@bloomingbit.io

In addition, if your personal information has been infringed and you need to report or consult about it, you can contact the following organizations for help.

- Personal Information Infringement Report Center (privacy.kisa.or.kr) - (without area code) 118

- Personal Information Dispute Mediation Committee (https://www.kopico.go.kr) - 1833-6972

- Supreme Prosecutors' Office Cyber Investigation Division (대검찰청 ) - (without area code) 1301

- National Police Agency Cyber Investigation (사이버범죄 신고시스템 (ECRM) ) - (without area code) 182

Article 12 (Obligation to Notify Changes)

1. Details of this Privacy Policy and other personal information protection policies are disclosed at the bottom of the first page of the BloomingBit homepage operated by the Company so that members can easily view them at any time. The contents of this Privacy Policy may change from time to time, so please check it every time you visit the homepage.

2. If this Privacy Policy is further deleted or modified due to changes in relevant laws and policies or security technology, we will notify the reason and content of the change through the BloomingBit homepage at least 7 days before the revision.

3. This Privacy Policy shall be applied as follows.

Date of Announcement : 2023.11.28

Enforcement date: 2023.12.0