(Effective as of November 1, 2025)

KOSAEM Co., Ltd. (hereinafter, the “Company”) complies with the Personal Information Protection Act and the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc., and other applicable laws to protect the rights and freedoms of users. The Company lawfully processes personal information and safely manages it.

In accordance with Article 30 of the Personal Information Protection Act, the Company establishes and discloses this Privacy Policy to inform users of the procedures and standards for the processing of personal information, and to ensure that related complaints are handled promptly and smoothly.

1. Purpose of Processing Personal Information

The Company processes personal information for the following purposes:

① Membership Registration and Management

• Identification of users for membership-based services, maintaining and managing membership qualifications, preventing fraudulent or unauthorized use of services, issuing notices and announcements, handling complaints and customer inquiries, and retaining records necessary for dispute resolution.

② Provision of Goods or Services

• Fulfillment of contracts related to service provision, billing and payment, content provision, purchase and payment processing, refunds, product delivery, identity verification, and collection of fees.

③ Service Improvement and Marketing

• Development and specialization of new products or services, transmission of promotional information such as events,
• Providing services and advertisements tailored to demographic characteristics, analyzing access frequency and service usage statistics.

2. Retention and Use Period of Personal Information

In principle, the Company destroys personal information without delay once the purpose of collection and use has been achieved. However, if retention is required by law, the Company stores user information for a legally specified period and separately manages such data.

Retention periods under relevant laws are as follows:

• Records on contracts or cancellation of contracts: 5 years (Consumer Protection Act in Electronic Commerce)
• Records on payment and supply of goods: 5 years
• Records on consumer complaints or dispute resolution: 3 years
• Records on display/advertising: 6 months
• Records on website visits: 3 months (Protection of Communications Secrets Act)
• Records related to VAT reporting: 5 years

3. Items of Personal Information Processed

① Items Collected

1) Membership registration

• Email account sign-up: (Required) Name, email address, mobile phone number, password
• Kakao account: (Required) Profile information (nickname/profile photo), Kakao account (email, phone number); (Optional) gender, age group, birthday, birth year
• Naver account: (Required) Name, email address, mobile phone number; (Optional) gender, birthday, age group, birth year
• Facebook: (Required) Email address
• Google: (Required) Profile photo, email address, phone number
• Apple: (Required) Name, email address

2) For teacher accounts: information about teaching qualifications such as “Korean Language Teacher Certificate” or “Secondary Korean Teacher Certificate”

3) Automatically collected information during service use:
Service usage records, access logs, IP information, misuse records, country, device information (model, OS, MAC address, language and country info, device identifiers, advertising identifiers)

4) For age verification or identity authentication:
Name, mobile phone number, date of birth, gender, DI/CI verification information, nationality status

5) Customer center inquiries:
Email address, mobile phone number

6) Paid transactions:
Payment information collected by the PG company depending on the payment method;
For refunds: name, contact information, bank name, account holder, account number

7) Event prize fulfillment:

• Physical items: name, address, phone number
• Mobile items: name, mobile phone number
• For tax-related processing: front copy of ID card (for tax reporting purposes)

8) Additional information collected for certain services (with separate consent):
Nickname, profile photo, school name and email (student discount plan), graduation date, creator contract information (name, gender, birth date, education, nationality, address, phone, email, resident registration number, bank information, SNS accounts)

② Methods of Collection

Website or app sign-up, service use, membership modifications, written forms, phone, fax, customer center interactions, event participation, partner company provision, automated data collection tools, and surveys.

※ The Company does not knowingly collect information from children under 14 years of age and only processes such information with parental consent when legally required.

4. Provision of Personal Information to Third Parties

① The Company processes personal information within the scope disclosed in Section 1 and does not provide it to third parties unless permitted by law or with user consent.

② Exceptions

• When a user consents for transaction fulfillment, the Company may provide the minimum necessary information to service providers for delivery, verification, or customer service.

• When required by law or by investigative authorities under statutory procedures
• When providing de-identified information for statistics, academic research, or market analysis

5. Outsourcing of Personal Information Processing & Overseas Transfers

① Outsourced tasks

The Company may outsource personal information processing for smooth service provision and ensures safe management through adequate technical and administrative measures.

(Examples include payment processing, identity verification, delivery, customer service operations, customer service systems, chat services, SMS/Kakao notification sending, and infrastructure management.)

② Overseas Transfers

If tasks requiring personal information are outsourced overseas, the Company discloses the following:

• Items transferred: name, email address, mobile phone number
• Purpose: app push notifications, email sending, marketing tasks
• Retention: destroyed without delay after the task is completed
• Additional transfers may occur for security and fraud prevention (destroyed after tasks are completed)

③ Users may refuse overseas transfers, but service availability may be limited if such transfers are essential.

6. Procedures and Methods for Destroying Personal Information

① Destruction

The Company destroys personal information without delay after the retention period expires or processing purposes are achieved. If retention is required by law, data is moved to a separate DB or stored separately and then destroyed after the retention period.

② Methods

• Electronic files: permanently deleted using non-recoverable technical methods
• Paper documents: shredded or incinerated

7. Rights and Obligations of Users and Legal Representatives

① Users may request access, correction, deletion, withdrawal of consent, or suspension of processing at any time through “My Page” or by contacting the customer center or privacy officer.

② If correction is requested, the information is not used or provided until correction is completed.

③ Requests may be made through legal representatives with proper documentation.

④ Deletion may not be possible when other laws require data retention.

⑤ The Company verifies the identity of the requester or authorized representative.

8. Measures to Ensure the Security of Personal Information

Administrative, technical, and physical safeguards include:

• Administrative: internal management plans, dedicated departments, regular training
• Technical: access control, encryption, security programs and updates

9. Use of Cookies

Cookies are used to provide personalized services, including analyzing access frequency, user behavior, and participation in events.

Users may choose whether to allow cookies through browser settings. However, rejecting cookies may restrict certain login-required services.

10. Collection and Use of Behavioral Information

The Company collects behavioral information to provide personalized services and advertisements.

① Items collected:

Website/app visit history, browsing history, purchase history
Retention: up to 1 year, then destroyed.

② Third-party behavioral advertising providers may collect such data.

③ No sensitive behavioral information is collected.

④ Mobile advertising identifiers may be used; users may restrict ad tracking in device settings.

⑤ Users may opt out of personalized advertisements through browser settings.

⑥ Inquiries related to behavioral information can be made at:

+82-10-3432-2924

11. Privacy Officer and Contact Information

Users may contact the following regarding inquiries, complaints, or requests for access:

• Privacy Officer: +82-10-3432-2924
• Personal Information Access Department: +82-10-3432-2924

Users may also seek dispute resolution or counseling through:

• Personal Information Dispute Mediation Committee
• Korea Internet & Security Agency
• Cybercrime Investigation Units, etc.

12. Links to Third-Party Sites

The Company may provide links to third-party websites. This Privacy Policy does not apply to such websites, and the Company is not responsible for the content or policies of third-party sites. Users should review the privacy policies of visited sites.

13. Amendments and Notification of Changes

The Privacy Policy may be revised due to legal changes, government policies, or Company requirements. Users will be notified at least 7 days prior to enforcement via app messages or email. Separate consent will be obtained when required by law.

This Privacy Policy takes effect on November 1, 2025.