The Company processes personal data for the following purposes. The personal data processed shall not be used for purposes other than the following, and in case of a change of the purpose of use, necessary measures such as obtaining a separate consent shall be implemented in accordance with Article 18 (Restriction on Use of Personal Data for Purposes Other Than Those Originally Intended and on Provision to Third Parties) of the Personal Information Protection Act.

1. Category	Purpose	Items
   Customer Inquiries	Personal identification and authentication, prevention of fraudulent use by customers, record-keeping for dispute resolution, handling civil complaints, delivery of notifications, verification of intent to delete written posts	Name, phone number, email, inquiry details
   Newsletter	Newsletter subscription and cancellation, sending newsletters to subscribers	Name, email, affiliation (category)

1. ※ The Company collects personal data in the following ways:
2. ㆍOnline (website, mobile), consultation board, email, telephone contact

The Company, in principle, processes the personal data of data subjects within the scope specified in Article 1 (Purpose of Processing Personal Data). The Company only provides personal data to third parties in cases that fall under Articles 17 and 18 of the Personal Information Protection Act, such as with the consent of the data subject or under special legal provisions. Except in these cases, the Company does not provide the personal data of data subjects to third parties.

1. 2.When the Company enters into an outsourcing contract, it specifies in the contract or other written documents the prohibition of personal information processing for purposes other than the outsourced tasks, technical, managerial, and physical protection measures, restrictions on sub-outsourcing, management and supervision of the subcontractor, and liability for damages. The Company also supervises the subcontractor to ensure they handle personal information securely.
2. 3.If the content of the outsourced tasks or the subcontractor changes, the Company shall promptly inform the data subjects and disclose the changes through the privacy policy.

1. 1.Users and data subjects may exercise the following rights related to personal data protection against the Company at any time:
2. ①Request for access to personal data
3. ②Request for correction or deletion in case of errors, etc.
4. ③Request for suspension of processing or withdrawal of consent
5. 2.The exercise of rights pursuant to Paragraph 1 may be made to the Company in writing, by phone, by e-mail, or by fax, and the Company shall take necessary measures without delay.
6. 3.If a user or data subject requests the correction of errors in personal data, the Company shall not use or provide the relevant personal data until the correction is completed.
7. 4.If the Company cannot take immediate action upon a request for access, correction, deletion, suspension of processing, or withdrawal of consent from a user or data subject, it will notify the user of the reason and may postpone the action. When the reason for the delay has been resolved, the requested action will be taken without delay. However, a request for the deletion of personal data cannot be processed if the personal data is specified as a collection item under other laws.
8. 5.In principle, the Company does not collect personal data from data subjects under the age of 14 (hereinater referred to as "children").
9. 6.In the case of a child under the age of 14, the exercise of rights pursuant to Paragraph 1 may be made through a representative, such as the legal representative of the user or data subject, or a person authorized by them. In this case, a power of attorney in accordance with Form No. 11 of the Enforcement Rule of the Personal Information Protection Act must be submitted.

1. 1. Development and Implementation of an Internal Management Plan
2. ㆍ The Company’s internal management plan is established and implemented in accordance with the internal guidelines of the Ministry of the Interior and Safety.
3. 2. Minimization and Training of Personal Data Handlers
4. ㆍ The Company designates a minimal number of staff to handle personal data and implements personal data protection education and management measures.
5. 3. Restriction of Access to Personal Data
6. ㆍ The Company takes necessary measures to control access to personal data by granting, modifying, and deleting access rights to the database system processing personal data, and uses intrusion prevention systems to control unauthorized access from outside.
7. 4. Retention and Prevention of Tampering with Access Records
8. ㆍ The Company retains and manages records of access to the personal data processing system (web logs, summary data) for at least one year, and uses security features to prevent tampering, theft, or loss of access records.
9. 5. Encryption of Personal Data
10. ㆍ Personal data of data subjects, such as passwords, is stored and managed in encrypted form, ensuring that only the data subject knows it. Important data is protected by encrypting files and transmission data or using file locking features.
11. 6. Technical Measures Against Hacking, etc.
12. ㆍ To prevent the leakage and damage of personal data caused by hacking or computer viruses, the Company installs security programs, performs regular updates and inspections, and installs systems in areas with restricted external access, and also monitors and blocks such attempts both technically and physically. Additionally, network traffic monitoring is in place to detect attempts at illegally altering data.
13. 7. Access Control for Unauthorized Personnel
14. ㆍ The Company has a separate physical storage location for personal data systems that store personal data and establishes and operates access control procedures for this location. Furthermore, papers and backup storage media that include personal information are kept in a safe place with locks.

1. 1.The Company uses cookies that store and frequently retrieve usage information to provide individualized custom services to users.
2. 2.Cookies are small text files sent by the server (http) used to render the website via the user's computer browser and may be stored on the hard disk of the user's PC computer.
3. ①Purpose of the Use of Cookies: They are used to provide optimized information to users by analyzing their visit and usage patterns, popular search terms, and secure access status for each service and website visited by the user.
4. ②Acceptance, Operation, and Refusal of Cookies: Users may refuse to store cookies by setting relevant options in the Tools > Internet Options > Privacy menu at the top of their web browser. However, if you refuse to store cookies, you may experience difficulties in using some services provided by the Company.

1. 1. Purpose of Installing Image Data Processing Devices

1. ㆍ Ensuring facility safety and fire prevention
2. ㆍ Ensuring customer safety, protecting the workplace, and preventing crimes such as theft
3. ㆍ Preventing unauthorized intrusion by non-authorized personnel within the workplace

1. 2. Number of Installations, Installation Locations, and Imaging Scope
2. In accordance with relevant laws and regulations, the Company installs and operates image data processing devices after reviewing their suitability in the following locations.
3. ㆍ Main entrances where personnel and vehicles enter and exit the premises, lobbies, ground/underground parking lots, and other areas and zones where public safety and the protection of trade secrets require security measures

1. 3. Responsible Departments and Managers

2. Category	Location	Purpose	Manager		Remarks
   			Responsible Entity	Contact Info.
   Headquarters	Gyedong HQ	Crime prevention, security	Security Management Center	02-746-3116
   R&D Center	Mabuk R&D Center		R&D Support Team	02-746-0248
   Site	Nationwide on-site offices		※ Site Manager (see onsite bulletin board for contact details)

1. 4. Recording Time, Retention Period, Storage Location, and Processing Method of Image Data
2. ㆍ Recording Time: continuous recording 24 hours a day
3. ㆍ Retention Period: at least 30 days from the date of recording
4. ㆍ Storage Location and Processing Method: stored and processed in the control room for image data processing devices

1. 5. Methods and Locations for Viewing Image Data
2. 1) After contacting the image data manager in advance, viewing the image data is possible at a designated location.

1. 1. The Company has appointed the following Chief Privacy Officer and Privacy Manager to oversee and take responsibility for personal data processing tasks, handle customer complaints, and provide remedies related to personal data processing.
2. ㆍ Chief Privacy Officer

1. Name: Kim Hyun-Min
2. Title: CPO (Chief Privacy Officer)
3. Contact: 1577-7755, privacy@hdec.co.kr

1. ㆍ Privacy Manager

1. Organization: Public Relations Group
2. Name: Lee Young Joo
3. Contact: 1577-7755, zoo1975@hdec.co.kr

1. 2. Customers and data subjects can request any matters related to personal data protection, such as inquiries, complaint handling, damage relief, and requests for access to personal data, arising from the use of the Company’s services (or business). The Company shall respond and handle inquiries from customers and data subjects without delay.
2. ※ However, emails sent for purposes other than inquiries, complaints, or issues related to personal data protection may not receive a response or be processed. Additionally, unsolicited commercial emails sent without the consent of the responsible officer may be reported to relevant authorities and handled in accordance with Articles 50 to 50-8 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.

1. ㆍ Department for Receiving and Processing Requests for Access to Personal Data

1. Department: Public Relations Group
2. Manager: Lee Young Joo
3. Contact: 1577-7755, zoo1975@hdec.co.kr
4. Working Hours: Weekdays 09:00-17:00
5. Closed: Saturdays, Sundays, and public holidays

1. 1. Personal Information Infringement Report Center (operated by Korea Internet & Security Agency)

1. ㆍ Scope of Work: Reporting personal data infringement, requesting consultation
2. ㆍ Website: privacy.kisa.or.kr
3. ㆍ Phone: 118 (no area code required)
4. ㆍ Address: Personal Information Infringement Center, 3rd Floor, 9 Jinheung-gil (301-2 Bitgaram-dong), Naju-si, Jeollanam-do (58324)

1. 2. Personal Information Dispute Mediation Committee

1. ㆍ Scope of Work: Applying for personal data dispute mediation, applying for collective dispute mediation (civil resolution)
2. ㆍ Website: www.kopico.go.kr
3. ㆍ Phone: 1833-6972 (no area code required)
4. ㆍ Address: 4th Floor, Government Complex Seoul, 209 Sejong-daero, Jongno-gu, Seoul (03171)

1. 3. Supreme Prosecutors’ Office: 1301 (no area code required) www.spo.go.kr
2. 4. National Police Agency Cyber Terrorism Response Center: 1566-0112

1. ㆍ Date of Announcement of the Privacy Policy: September 22, 2025
2. ㆍ Effective Date of the Privacy Policy: September 29, 2025