EQBR Holdings Co., Ltd. (“Company”), in processing the personal information of the Member, etc (as defined below), complies with the privacy regulations under the relevant statutes ("Relevant Laws”) that the information and communication service provider must comply with, such as the “Act on Promotion of Utilization of Information Network and Information Protection,” the “Personal Information Protection Act,” the “Communication Secrets Protection Act,” and the “Telecommunication Business Act”.

The Company publishes the Privacy Policy on the first page of the website so that Users can easily check it at any time. This Privacy Policy (this "Privacy Policy”) may be changed in accordance with the Relevant Laws and the Company’s internal policies, and the Member, etc can be easily confirm the most current version of the Privacy Policy through the Company’s internet homepage.

This Privacy Policy applies to all services provide by the Company (including {company}, etc., collectively “Services”)

Article 1 Purpose of processing personal information. The Company processes personal information for the following purposes.

a. Membership management Sign-up for member and/or member’s statutory agent ("Member, etc”), identification and authentication of member, prevention of unauthorized use, communication to the Member, etc, handling or preservation of record of disputes with or complaints from the Member, etc and so forth. b. Service provision Provision of contents and Services, bill mailing, settlement and collection of fee, etc. c. Development of new business and marketing Improvement of existing Services, development of new and customized Services, preparation of statistics for commercial purpose, industrial research, marketing events and gift promotions, etc.

Article 2 Retention of personal information The retention and use period of personal information starts from the sign up of membership and ends on the withdrawal of membership. However, the Company may retain the part of personal information of the Member, etc for the reasons listed a. through d. below, even after the withdrawal of membership.

a. Consent from the Member, etc With the Member, etc’s prior written consent, the Company may retain the personal information as provided in the consent letter. b. Pseudonymization The Company may retain the pseudonymized personal information as provided under Article 28-2 of the Personal Information Protection Act of Korea. c. Internal policy of the Company

d. Relevant Laws

The Company retains the personal information which is subject to the retention requirement under the Relevant Laws for the period specified by such laws. The following table is an example, not a exhaustive list.

Contract, material business documents
Article 33(1) of commercial code
10 years
Record on contract or withdrawal of offer
Article 6(3) of Act on the Consumer Protection in Electronic Commerce, etc.
5 years
Record on settlement and supply of products/services

5 years
Record on customer service (complaint, disputes)

3 years
Record on labelling and advertisement

6 months
Books and evidential papers about all transactions regulated by the tax law
Article 85-3(2) of the Framework Act on National Taxes
5 years
Log-in history
Article 15(2) of the Protection of Communications Secrets Act
3 months

c. Dormant accounts Except when a separate period is specified in the Relevant Laws or a separate request is made by the Member, etc, the personal information of the Member, etc who does not re-use(log-in) for last 1 year ("Dormant Member”) is destroyed or stored and managed in the manner separate from other members. The Company will inform

the Dormant Member, by 30 days prior to the date of expiry of 1-year period, of (i) the fact that his or her personal information will be destroyed or stored separately, (ii) date of expiry, and (iii) the items of such personal information, by e-mail, telephone or similar method.

Article 3 Provision of personal information to third parties

The Company provides to a third party the Member, etc’s personal information in the following cases in accordance with Articles 17 and 18 of the Personal Information Protection Act: a. when the Member, etc gave a consent; b. when it is inevitably required by the laws or to comply with the obligation under the laws; c. when it is inevitably necessary to conclude or perform the contract with the Member, etc; d. when it is manifestly necessary for the imminent interest involving the life, body and property of the Member, etc and a third party and the Company cannot obtain the prior consent for the reason that the Member, etc cannot express his opinion or the member’s contact information is missing; or e. when it is necessary to settle the service fee.

Article 4 Procedure and method of destruction of Personal Information

a. Procedure for destruction

The Personal Information of the Member, etc, after achieving the goal of collection of the personal information, shall be transferred to a separate DB (or an additional cabinet for written form) and retained for a particular period in accordance with Article 2 of this Privacy Policy and destroyed thereafter. The personal information shall not be used for any purposes other than its retention.

b. Method of destruction

The papers on which the personal information is printed are shredded by a shredder or burned to be destroyed. The personal information stored in an electric file format is deleted by a technique which permanently destroys the records.

Article 5 Outsourcing of personal information processing

In order to provide better service, the Company outsources to a third parties (“Outsourcees”) part of processing work of personal information. The Company educates and supervises the Outsourcees under Article 26 of the Personal Information Protection Act so that they do not violate the Relevant Laws. The status of outsourcing is as follows:

Article 6 Rights and obligations of the Member, etc

The Member, etc has the right to request the Company to disclose, correct, delete and/or suspend to process the personal information about themselves held in the Company. However, the exercise of such rights may be restricted as provided by the Relevant Laws, such as Article 35(4), 36(1), and 37(2) of the Personal Information Protection Act, and the service provided by the Company may be also restricted corresponding to the exercise of such rights. In the case that the Member, etc requested to correct an error with respect to such Member, etc.’s personal information, the Company will not process the personal information of such Member, etc, and will notify to the third party to whom the Company provided the incorrect information and make the third party correct the error in the personal information of the Member, etc. The Company process the deleted personal information in accordance with Article 3 of this Privacy Policy. If any Member, etc needs a support for exercising the above-mentioned rights, please contact the Privacy Officer specified in Article 10 of this Privacy Policy.

Article 7 Items of Personal Information to be processed

When the purpose of collection and use of personal information is attained, the User’s personal information is destroyed without further delay in principle. The Company uses the following procedure and method to destroy personal information. a. Procedure for destroying When the purpose of collection and use of personal information is accomplished, the information that a User entered for signing up or using other services is transferred to a separate DB (or an additional cabinet for written form) to be stored for a particular period to comply with internal policies and other related Acts for information protection (refer to the section of Retention and use period of personal information) and then destroyed. The same personal information is not used for any purposes other than its retention unless it is required by laws. b. Method of destroying The papers on which the personal information is printed are shredded by a shredder or burned to be destroyed. The personal information stored in an electric file format is deleted by a technique which permanently destroys the records.

Article 8 Measures to secure the safety of personal information

The Company takes the following technical and administrative measures to ensure the safety of personal information to prevent leakage or damage of personal information in the processing of the Member, etc’s personal information. a. Password encryption The Member, etc’s password is encrypted before being saved and managed and only the Member, etc knows it. Also, only the Member, etc can check and change her or his personal information by using the password. b. Measures against hacking, etc. The Company is doing its best to prevent any leakage or damage from being caused by hacking or spyware, etc., to our Member, etc’s personal information. The Company regularly backs up to proactively prevent damage to the personal information and use encrypted communications, etc. to ensure a safe transfer of the personal information on the network. The Company also puts its utmost effort to equip all technical devices available to secure safety such as, using the latest security program to protect the Member, etc’s personal information from leakage or damage, controlling unauthorized access from outside with an intruder blocking system, holding log-in history, etc. putting its utmost effort to equip all technical devices available to secure safety in other parts of the system. c. Utilization of the minimum number of human resources for processing personal information and training The Company limits the operation of processing personal information to the person in charge, assigns a separate password for that person and regularly updates it and frequently provides training to the person to highlight compliance with this Privacy Policy. d. Operating a specialized organization for privacy protection The Company is making efforts to check how this Privacy Policy is complied with by operating an in-house specialized organization for privacy protection and promptly makes corrections if a problem is found. However, the Company shall not be liable for any damages that are not attributable to the Company but caused by negligence on the part of the Member, etc or incidents which happen in the areas not managed by the Company even though the Company carried out its obligation to protect privacy.

Article 9 Installation, operation and refusal of automatic personal information collecting method

• The Company uses cookies in order to store and frequently retrieve member’s information. • A cookie includes the information to provide the customized services for members (services used by members, patters of usage of services or websites, search history, etc.) and stored in the member’s computer. • Cookies do not automatically or proactively collect the personal information, and the Member, etc can refuse storage of cookies or delete them anytime by setting options in the browsers that the Member, etc uses. However, when storing cookies is disabled, there might be a difficulty in the use of some services of the Company that need log-in. • • • Please refer to the manual of browsers that the Member, etc uses with respect to the manner to enable/disable the cookie installation

Article 10 The Personnel in charge of privacy protection

The Member, etc may report any complaint related to privacy protection that occurs while using the Service of the Company to the person in charge of privacy protection or the corresponding department. The Company will respond quickly and diligently to the Member, etc’s complaints. • Chief Information Protection Officer: [name, title, phone, email addresss] • • Information Protection Manager: [name, title, phone, email addresss] • • • Please contact the following institutions to report or need further consultation in relation to other privacy infringement issues. Privacy Infringement Report Center (visit https://privacy.kisa.or.kr or call 118 without a telephone exchange number) The Cybercrime Investigation Division of the Supreme Prosecutor’s Office (visit http://www.spo.go.kr or call 1301 without a telephone exchange number) Cyber Bureau of National Police Agency (visit http://cyberbureau.police.go.kr or call 182 without a telephone exchange number)

Article 11 Changes in Privacy Policy

If there are changes in this Privacy Policy, the Company will notify to Member, etc at least 7 days prior to the revision through the method the Member, etc registered. However, when significant changes in the Member, etc’s rights will be made such as the collected items, purpose of use of personal information, etc., the Company will notify it at least 30 days in advance.