[Policy for Personal Information Processing of YG SELECT]

YG PLUS Co., Ltd. (hereafter referred to as "the Company") highly values the personal information of its customers’ personal information and adheres to the Act on Promotion of Information and Communications Network Utilization and Information Protection, as well as the Personal Information Protection Act.

The Company outlines the following under its personal information processing policy: the purposes and methods for using customer-provided personal information; and the measures implemented to protect this information.If the Company updates its personal information processing policy, it will announce these changes on its website or notify individuals directly.

ο This policy will be enforced on and after May. 01, 2024.

1. Purpose of processing of personal information

The Company processes the personal information for the following purposes and shall not use the same for purposes other than the following purposes:

- Confirmation of the customer’s intention to sign up; identification and verification for the supply of service for the customer; maintenance of membership; payment for the supply of goods or service; delivery of goods or service, etc.

2. Period for processing and retaining personal information

(1) The Company shall process and retain the personal information within a period for retaining and using the personal information to which consent was obtained when collecting the personal information from a data subject, or within a statutory period for retaining and using the personal information.

(2) The detailed period for processing and retaining the personal information shall be as follows:

    - From when a customer signs up to when the customer withdraws his/her membership

(3) The personal information shall be retained in accordance with the relevant laws and regulations as follows:

1) Records on contracting, cancellation of orders, etc.: 5 years (Act on the Consumer Protection in Electronic Commerce)

2) Records on payment, supply of goods, etc.: 5 years (Act on the Consumer Protection in Electronic Commerce)

3) Records on settlement of dissatisfaction or disputes: 3 years (Act on the Consumer Protection in Electronic Commerce)

4) Records on marks and advertisements: 6 months (Act on the Consumer Protection in Electronic Commerce)

5) Books and documentary evidence on all transactions stipulated by tax laws: 5 years (Framework Act on National Taxes)

6) Records on electronic financial transactions: 5 years (Electronic Financial Transactions Act)

7) Records on service visits: 3 months (Protection of Communications Secrets Act)

3. Provision of personal information to a third party

The Company shall not provide the personal information to a third party, except in the following cases: where a data subject consents separately; and where so stipulated by the relevant laws and regulations, such as Articles 24-2, 22(2)2 and 3, etc. of the Act on Promotion of Information and Communications Network Utilization and Information Protection. However, the same shall not apply to the following cases:

(1) Where the users consent in advance to disclose or provide to a third party;

(2) Where an investigative agency and a supervisory authority demand in accordance with the statutory provisions or the procedures and methods stipulated by the laws and regulations;

(3) Where the personal information is provided in a format where a specific person could not be identified for the production of statistics, academic research, market research, sending of mails as to information provision and public announcement, etc.; or
 (4) Where it is required to perform the user’s transactions, the Company may provide his/her personal information as follows through legitimate procedures, such as obtaining consent from the user, etc.

4. Entrustment of processing of personal information

(1) The Company entrusts a part of the tasks required to provide the users with its service as follows:

1) <Customer CS>

- Trustee: Cafe24 and SIIC Inc.

- Tasks to be entrusted: Customer support and customer service

- Term: Until a user cancels his/her membership

2) <Distribution service>

- Trustee: CJ Logistics Corp., Yamato, DHL, EMS, BROS CARGO INTERNATIONAL

- Tasks to be entrusted: Operation and maintenance of distribution system, and delivery of goods

- Term: Until a user cancels his/her membership

3) <Payment PG>

- Trustee: Toss Payments, Danal, Naver Financial Co., Ltd., Kakao Pay, Viva Republica Co., Ltd., NHN PAYCO, Eximbay, PayPal

- Tasks to be entrusted: Purchase and payment

- Term: Until a user cancels his/her membership

4) <Hosting service>

- Trustee: Café 24 Co., Ltd.

- Tasks to be entrusted: Lease of YG SELECT server

- Term: Until a user cancels his/her membership
 

(2) When entering into an entrustment agreement, the Company shall specify, in the agreement, etc., the following matters: the prohibition of personal information processing for purposes other than the performance of entrusted works under Article 25 of the Act on Promotion of Information and Communications Network Utilization and Information Protection and Article 26 of the Personal Information Protection Act; technical and managerial safeguards of personal information; restriction on re-entrustment; supervision and management of trustee; compensation for damages, etc. Also, the Company shall supervise the trustees to process the personal information in a safe manner.

(3) Where the details of entrusted works or the trustees are changed, the Company shall disclose such facts without delay under this policy for personal information.

5. Rights and obligations of the data subject (user or legal representative) and how to exercise such rights

(1) A data subject (a legal representative, where a data subject is under 14 years of age) may demand the access, correction, deletion, etc., of personal information at any time, and may withdraw consent to the processing of personal information (or cancel membership).

(2) A data subject may access, correct, or withdraw after verifying himself/herself and clicking the “Modify Member Information” or “Cancel Membership” for accessing and modifying his/her personal information or for withdrawing consent (cancelling membership), respectively. Or a data subject may contact a privacy officer in writing, by phone, by email, or through a consultation notice board, etc.

(3) Where a data subject demands to correct an error in his/her personal information, the personal information concerned shall not be used or provided until being corrected completely. Also, where the erroneous personal information is already provided for a third party, the result of the correction shall be notified to the third party without delay, and thus the correction shall be made accordingly.

(4) Where a data subject demands, as stated above, the Company may verify whether the demand is made by the data subject or a legitimate representative thereof.

(5) Where a data subject demands, as stated above, the rights of the data subject may be restricted by Articles 35(5), 37(2), etc. of the Personal Information Protection Act.

(6) Where the personal information is specified to be collected by other laws and regulations, a data subject may not demand to delete the personal information concerned.

6. Personal information to be processed

(1) The Company shall process the following personal information:

1) Sign-up (general member)
 - Purpose of collection and use: Sign-up, instruction, and consultation for the use of service, verification, and prevention of misuse
 - Items to be collected and used: ID (email), password, name, nationality (Korean/alien), nickname
 - Period of retention: Until cancelling the YG SELECT account or a period under the relevant laws and regulations
 
 2) Sign-up (member whose account interworks with his/her SNS (Naver, Kakao, or Apple) account)
 - Purpose of collection and use: Sign-up, instruction, and consultation for use of service, verification, and prevention of misuse
 - Items to be collected and used: ID (email), name, nationality (Korean/alien), nickname
 - Period of retention: Until cancelling the YG SELECT account or a period under the relevant laws and regulations
 
 3) <Customer consultation service>
 - Required items: Email, mobile phone number, home address, home phone number, password, sign-in ID, name, service use record, access log, cookie, access IP information, payment record
 - Optional items:
 - How to collect: Collected when signing up
 - Period of retention: Until cancelling the YG SELECT account or a period under the relevant laws and regulations
 
 4) <Delivery>
 - Required items: Mobile phone number, home address, home phone number, name
 - Optional items:
 - How to collect: Collected when drafting an order
 - Period of retention: Until cancelling the YG SELECT account or a period under the relevant laws and regulations
 
 5) <Purchase and payment>
 - Required items: Email, mobile phone number, sign-in ID, name, credit card information
 - Optional items:
 - How to collect: Collected when paying an order
 - Period of retention: Until cancelling the YG SELECT account or a period under the relevant laws and regulations

7. Matters concerning installation, operation, and refusal of devices that automatically collect personal information, such as Internet access information files, etc.

The Company shall collect the cookie, IP service, and location information that are frequently saved, and it shall locate the member information to provide customized service. The user information is generated, collected, and saved automatically, as the user uses the Company’s service. Even if the user’s computer is identified, the user himself/herself is not identified on an individual basis.

a. Why the Company uses the automatic collection device

- Provide targeted marketing and personalized service through the following: analysis of access frequency, visiting time, etc., of members and visitors; understanding of preferences and interests of users; tracking of traces; checking of participation in various events and the number of visits, etc.

b. Installation/operation of automatic collection devices by the Company and refusal thereof

- A member shall have a right to choose whether to install cookies. Thus, a member may, by setting an option in his/her web browser, do the following: to allow all cookies; to be confirmed whenever a cookie is saved; or to disallow to save all cookies.

* Example of the setting method: (Internet Explorer) Tool > Internet Option > Personal Information

8. Destruction of personal information

The Company shall, in principle, destroy the personal information without delay, where a purpose of processing is attained in relation to the personal information concerned.

An electronic file shall be deleted so that it cannot be restored. And other printouts, writing, etc., shall be shredded or destroyed in a way where they could not be restored.

Also, the personal information of members who have not used the service for 1 year may be kept separately. And where the member demands to withdraw, the personal information concerned shall be deleted without delay.

9. Measures to secure the safety of personal information

The Company shall, under Article 28 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, take technical, managerial, and physical measures required to secure the safety as follows:

1) Regular internal inspection

An internal inspection is performed on a regular basis (once a quarter) to ensure the safety of handling personal information.

2) Minimization and training of staff handling personal information

The Company shall take countermeasures to manage personal information by designating and minimizing the number of staff who handle personal information.

3) Formulation and implementation of the internal management plan

The Company shall formulate and implement the internal management plan to process personal information safely.

4) Technical countermeasures against hacking, etc.

The Company shall do the following to prevent the personal information from being leaked or damaged by hacking, computer viruses, etc.: to install, renew, and inspect security programs on a regular basis; to install the system in an area to which access is strictly controlled; and to monitor technically and physically.

5) Encryption of personal information

The user’s personal information, such as passwords, etc., are saved and managed in an encrypted format. And the important data are filed and transmitted in an encrypted format or with a lock function.

6) Keeping of access records and prevention of forgery thereof

The records on access to the personal information processing system shall be kept and managed for at least 6 months. Also, the security functions are used to prevent the access records from being forged, lost, or stolen.

7) Restriction on access to personal information

The Company shall take measures necessary to control access to personal information by assigning, modifying, or canceling the access privilege to the database system processing the personal information. Also, the Company shall control unauthorized access to it with the firewall system.

8) Use of a locking system for document security

The document, auxiliary storage medium, etc., containing the personal information shall be kept in a safe place with a locking system.

9) Access control against unauthorized people

A physical storage place where personal information are kept shall be set separately, and the access control procedures shall be formulated and operated.

10. Designation of privacy officer

(1) The Company shall designate a personal information controller.The following privacy officer who shall have general supervision and control of the personal information processing, handle grievances and remedial compensation in relation to the personal information processing, etc.:

▶ Privacy officer

Name: Kim Tae-hyeon

Contact: 02-3140-4686, cs@ygselect.com

※ To be guided to the privacy department

▶ Privacy department

Department name: YG SELECT

Person in charge: Kim Tae-hyeon

Contact: 02-3140-4686, cs@ygselect.com

(2) A data subject could contact the privacy officer and privacy department as to any inquiry about the protection of personal information, handling of grievances, remedial compensation, etc., which may arise while using the service (or business) of the Company. The Company will reply and respond to such inquiries without delay.

11. Window to access personal information

(1) A data subject may request access to his/her own personal information under Article 35 of the Personal Information Protection Act. And the Company shall endeavor to handle such request without delay.

▶ Department that accepts and handles a request to access personal information

Department name: YG SELECT

Person in charge: Kim Tae-hyeon

Contact: 02-3140-4686, cs@ygselect.com

(2) A data subject may request access to his/her own personal information through the “personal information protection support portal (www.privacy.go.kr)” of the Ministry of Public Administration and Security, other than the department specified in Paragraph (1) above.

▶ Personal information protection support portal of the Ministry of Public Administration and Security → Complaint of personal information → Request to access personal information, etc. (I-PIN is required for verification)

12. Modification of the policy for processing of personal information

The current policy for the processing of personal information may be modified by the government policy or the need of the Company. Where the policy for processing of personal information is added, deleted or modified, such fact shall be notified in advance 7 days before its implementation on the website or by email. And such addition, deletion, and modification shall be implemented after 7 days from the date of notification.

 However, where the important matters, such as the purpose of collecting and using the personal information, a third party to which the personal information shall be provided, etc., are added, deleted, or modified, such fact shall be notified 30 days in advance and implemented after 30 days.