Pebblous Inc. (hereinafter "Company") complies with the Personal Information Protection Act and other applicable laws to lawfully process and safely manage personal information in order to protect the freedom and rights of data subjects. The Company establishes and discloses this Privacy Policy to inform users of the procedures and standards for the processing and protection of personal information, and to enable the prompt and smooth handling of related grievances.

Article 1 (Purposes of Personal Information Processing)

The Company processes personal information for the following purposes. Personal information processed for these purposes will not be used for any other purpose, and if the purpose of use changes, the Company will take necessary measures such as obtaining separate consent.

1. Member registration and management: Confirming intention to register, maintaining and managing membership, preventing fraudulent use, sending various notices and notifications, handling grievances.
2. Service provision: Providing basic/customized services, sending contracts and invoices, billing and settlement, debt collection.
3. Marketing and advertising: Providing customized advertisements, providing event and promotional information, and offering participation opportunities.
4. Service improvement and development: Improving existing services and developing new services, developing customized services.

Article 2 (Categories of Personal Information Processed)

The Company collects and uses the minimum personal information necessary to provide the Service.

1. Information collected upon membership registration
   • ID (email address), password
2. Information collected when using paid services
   • Credit card payment: card issuer name, card number, and other credit card information
   • Bank transfer: account holder name, account number, bank name, and other bank account information
   • Mobile payment: mobile phone number, carrier, and other payment information
3. Information automatically generated and collected during service use
   • IP address, cookies, service usage records (visit and usage records, improper usage records, etc.), device information (mobile phone model, OS name and version), advertising identifiers
4. When handling grievances: Collecting and processing necessary items from the above categories

Article 3 (Retention Period for Personal Information)

1. The Company processes and retains personal information within the retention and use period stipulated by law or agreed upon when collecting personal information from users.
2. Notwithstanding paragraph ①, where applicable laws require retention of certain information for a specified period, the Company retains such information for the following periods:
   1. Records under Article 6 of the Act on Consumer Protection in Electronic Commerce
      • Records of contracts, cancellations, payments, and supply of goods/services (including purchase information, cancellation/exchange/refund information, payment information, and shipping numbers): 5 years
      • Records of consumer complaints and dispute resolution: 3 years
      • Records of advertisements: 6 months
   2. Telecommunications data under Article 15-2 of the Protection of Communications Secrets Act
      • Computer communication, log records, and access tracking data: 3 months
      • Records of consumer complaints and dispute resolution: 3 years
   3. Books and supporting documents under Article 85-3 of the Framework Act on National Taxes
      • All transaction books and supporting documents under tax law: 5 years

Article 4 (Provision of Personal Information to Third Parties)

The Company processes users' personal information only within the scope of the stated purposes and provides personal information to third parties only with the user's consent or as permitted by the Personal Information Protection Act. The Company does not otherwise provide users' personal information to third parties.

Article 5 (Entrustment of Personal Information Processing)

1. The Company entrusts personal information processing as follows:

   Processor	Entrusted Work
   Amazon Web Services, Inc. (Seoul Region)	Cloud service use

2. When entering into entrustment contracts, the Company specifies in the contract and other documents matters such as prohibition of personal information processing outside the scope of the entrusted work, technical and administrative protective measures, restrictions on re-entrustment, supervision and oversight of the processor, and liability for damages, and supervises whether the processor handles personal information safely.
3. If a processor re-entrusts the Company's personal information processing, the Company's consent is obtained.
4. If the entrusted work content or processor changes, it will be disclosed through this Privacy Policy without delay.

Article 6 (Rights and Obligations of Users and Legal Representatives, and How to Exercise Them)

1. Users may exercise rights against the Company at any time, including requesting access, correction, deletion, or suspension of processing of personal information, and refusing or requesting an explanation of automated decisions.
2. The rights under paragraph ① may be exercised through the user's legal representative or an authorized agent. A power of attorney confirming the delegation must be submitted.
   • Requests for access to personal information of children under 14 must be made directly by their legal representative. Minor users aged 14 or over may exercise rights personally or through their legal representative.
3. The rights under paragraph ① may be exercised in writing, by email, or equivalent methods, and the Company will act without delay.
   • Users may directly view, modify, or delete personal information at any time via My Page > Edit My Information on the website, or request transfer via "Contact Us."
   • Users may withdraw consent to the collection and use of personal information at any time via "Membership Withdrawal."
   • Users may refuse automated decisions and request explanations at any time via "My Page" on the website.
4. Some rights may be restricted under the Personal Information Protection Act and other applicable laws. Additionally, if personal information is specified as a collection target under other laws, deletion cannot be requested.
5. Users may not be disadvantaged for exercising their rights.
   • Department: Customer Satisfaction Team
   • Contact: 044-584-3824, contact@dataclinc.ai

Article 7 (Destruction of Personal Information)

1. The Company destroys personal information without delay when it becomes unnecessary.
2. Where personal information must continue to be retained under applicable laws despite the expiry of the agreed retention period or achievement of the processing purpose, it is transferred to a separate database (DB) or stored in a separate location.
3. The procedure and method for destruction are as follows:
   1. Procedure: The Company selects personal information for destruction and destroys it with the approval of the Personal Information Protection Officer.
   2. Method: Personal information in electronic file format is destroyed using technical methods that make recovery impossible; paper documents are shredded or incinerated.

Article 8 (Measures to Ensure Safety of Personal Information)

The Company takes the following measures to ensure the safety of personal information:

1. Administrative measures: Establishing and implementing an internal management plan, conducting regular employee training, etc.
2. Technical measures: Technical countermeasures against hacking, encryption of personal information, managing access rights to personal information processing systems, preserving and preventing forgery/alteration of access records, etc.
3. Physical measures: Access control for server rooms and data storage rooms

Article 9 (Automatic Personal Information Collection Devices — Installation, Operation, and Opt-Out)

The Company uses cookies to store and retrieve user information in order to provide individually customized services. Cookies are small pieces of information sent by the server operating the website to the user's web browser, and may be stored on the user's hard disk.

1. Purpose of cookies: Used to analyze access frequency and visit times, track service usage patterns and preferences, check security status, and understand user scale, for security management, service improvement and development of new services, and to provide customized services and advertisements.
2. Installation, operation, and opt-out: Users have the right to choose whether to accept cookies and may refuse to store them by changing settings as follows:
   • Android: Settings > Privacy > Ads > Delete advertising ID
   • iPhone: Settings > Privacy > Tracking > Allow Apps to Request to Track (disable)
3. Refusing to store cookies may cause difficulties with some services.

Article 10 (Personal Information Protection Officer)

1. The Company designates a Personal Information Protection Officer to oversee personal information processing and handle user complaints and remedies.

   ▶ Personal Information Protection Officer

   • Name: Joohaeng Lee
   • Position: CEO
   • Contact: 044-584-3824, contact@dataclinc.ai

   ▶ Personal Information Department

   • Department: Customer Satisfaction Team
   • Contact: 044-584-3824, contact@dataclinc.ai
2. Users may contact the Personal Information Protection Officer or relevant department for all personal information protection inquiries, complaints, and remedy requests arising from the use of the Service. The Company will respond and act without delay.
3. Users may contact the following organizations for relief from personal information infringement:
   • Personal Information Dispute Mediation Committee: (no area code) 1833-6972 (www.kopico.go.kr)
   • Personal Information Infringement Report Center: (no area code) 118 (privacy.kisa.or.kr)
   • Supreme Prosecutors' Office: (no area code) 1301 (www.spo.go.kr)
   • National Police Agency: (no area code) 182 (ecrm.cyber.go.kr)
4. The Company guarantees users' right to personal information self-determination and strives to provide consultation and remedy for personal information infringement. For inquiries or reports, please contact the department below.

   ▶ Customer Inquiry and Report for Personal Information Protection

   • Department: Customer Satisfaction Team
   • Contact: 044-584-3824, contact@dataclinc.ai

Article 11 (Changes to the Privacy Policy)

The Company may modify this Privacy Policy to reflect changes in laws or services. If this Privacy Policy changes, the Company will post changes at least 7 days before the effective date, and the modified Privacy Policy takes effect on the stated effective date. However, for material changes to users' rights such as changes to collected personal information items or purposes of use, the Company will notify users at least 30 days in advance.