JYP Three Sixty Corporation 「FANS」 Service Privacy Policy

JYP Three Sixty Corporation 「FANS」 Service Privacy Policy In providing the 「FANS」 service (hereinafter referred to as the “Service”), JYP Three Sixty Corporation (hereinafter referred to as the “Company”) safeguards the freedom and rights of information subjects in accordance with the Personal Information Protection Act and other relevant laws and regulations, ensuring the secure management and processing of personal information. In adherence to Article 30 of the Personal Information Protection Act, we have formulated and disclosed the following privacy policy to keep information subjects informed of the procedures and standards governing the processing of personal information and to facilitate prompt and efficient resolution of any complaints related to personal information processing matters. Article 1 Purpose of the collection and use of personal information The Company processes personal information to fulfill contracts and provide services, including membership signup, consultation, and service application. The use of processed personal information will be limited to the specified purposes outlined below, and in the event that the intended use of the information changes, appropriate actions will be taken, including obtaining separate consent as mandated by Article 18 of the Personal Information Protection Act. Article 2 Personal information items processed The Company processes the following personal information items. The Company classifies the personal information of its members as either required or optional. The personal information items collected from using of the Service are as follows. 1. [Purpose of collection] Member identification and Service provision - Required: • Common: Profile information (username, profile photo) • General member: Email • Members linked to social media service accounts (Google, X, Apple): ID (email) - Optional: Name, date of birth, mobile phone number, place of residence (country or region), membership number Article 3 Duration of processing and retention of personal information ① If the Company collects personal information from its members, it is used and retained during the service usage period in principle. However, the Company retains personal information for a certain duration of time, as per the following, if such retention is required to comply with regulations in applicable laws and internal policies of the Company. ② The collected personal information will be entirely expunged and unusable in the event that a member withdraws their membership or has their account deleted due to providing false information. ③ When the purpose of collection and use of personal information has been fulfilled or the retention period for which the customer has been individually notified and consented to in advance has expired, the member's personal information will be promptly destructed. However, personal information may be retained for the duration specified below if its preservation is required in order to comply with applicable laws and regulations or internal policies of the Company. ­ In accordance with the Act on the Consumer Protection in Electronic Commerce, the following items shall be retained for a specified duration before their destruction. (Retention period in parentheses) • Record pertaining to contracts, subscription withdrawals, etc. (5 years) • Record pertaining to payments, supply of goods, etc. (5 years) • Record pertaining to consumer complaints or dispute resolution (3 years) • Record pertaining to labels and advertisements (6 months) ­ In accordance with the Framework Act on National Taxes, ledgers and evidential documents pertaining to all transactions mandated by the tax law are retained for five years before their destruction. ­ In accordance with the Electronic Financial Transactions Act, records on electronic financial transactions are retained for five years before their destruction. ­ In accordance with the Protection of Communications Secrets Act, service visit history is retained for three months before their destruction. ④ All personal information and activity history, including the member's account information, will be deleted upon membership withdrawal. However, any content, comments, or likes that the member has generated within the Service community will not be deleted. Article 4 Matters concerning the processing of personal information of minors under 14 years of age The Company's Service is not targeted towards individuals who are under 14 years of age. The Company may delete any personal information obtained from a minor and terminate the user's account upon becoming aware of the collection of personal information from a minor. Article 5 YouTube API Usage and Personal Information Protection Policy The Company utilizes the YouTube API service and complies with the terms of service and personal information protection policy. 1. YouTube Terms of Service (https://www.youtube.com/t/terms) 2. Google Privacy Policy (https://policies.google.com/privacy) 3. YouTube API Services Terms of Service (https://developers.google.com/youtube/terms/api-services-terms-of-service) 4. The collected items include the name of the YouTube channel, number of subscribers, number of videos, views, and video lists. If you do not wish to grant access to the "company" API, you can revoke permission at the link below. (https://myaccount.google.com/permissions) Article 6 Provision of personal information to third parties ① The Company uses personal information of its users within the scope outlined in “Article 3, Purpose of Collection and Use of Personal Information,” and does not use outside the scope without prior consent of the users or disclose personal information to external entities. However, the following situations are an exception. 1. When users provide prior consent for disclosure 2. When in accordance with the law or an investigative agency requests in compliance with the prescribed procedures and methods established by the law for the intent of conducting an investigation Article 7 Entrusting of personal information processing ① To enhance Service quality, the Company entrusts the processing of personal information to an external professional company, and in order to secure the safety of entrustment, the Company explicitly delineates the Service provider’s observance of instructions related to personal information, confidentiality of personal information, prohibition of third party disclosure, and liability in the event of violation through an entrust contract and retains a written copy of the contract. ② The Company's personal information entrusting agency and entrusted business scopes are as follows. The Trustee : HYOSUNGITX Co.,Ltd. Entrusted business scopes : Customer service center operation and customer consultation Period of retention and use : Until the entrusted task concludes The Trustee : New Partner Co., Ltd. Entrusted business scopes : Event operation Period of retention and use : Until the entrusted task concludes ③ In the event that there are any changes to the trustee or the entrusted work, we shall promptly disclose such changes via this Privacy Policy. Article 8 Transfer of personal information outside the country ① Regarding the Service, the Company transfers personal information to the foreign corporations listed below. Transfer recipient (country) and Chief Information Officer's contact details : AMAZON Web Service (USA) - https://aws.amazon.com/ko/contact-us/ Personal information items transferred : All personal information generated or obtained from users Purpose of transfer : Personal information transmission, processing, and storage via cloud services (However, AMAZON Web Service is responsible for physical management aspects of the server and has no access to the personal information of the members.) Date and method of transfer : Online delivery when collecting personal information Personal information retention and use period of the transfer recipient : Until the intended purpose of collecting and using personal information has been fulfilled or upon the termination of the consignment contract Transfer recipient (country) and Chief Information Officer's contact details : Zendesk (USA) - https://www.zendesk.kr/contact/ Personal information items transferred : Email, consultation details Purpose of transfer : Customer consultation processing Date and method of transfer Personal information retention and use period of the transfer recipient Transfer recipient (country) and Chief Information Officer's contact details Personal information items transferred Purpose of transfer : Customer consultation processing Date and method of transfer : Transfer via network at the moment of one-on-one consumer inquiry registration and email transmission Personal information retention and use period of the transfer recipient : Until the conclusion of the consignment contract or retained for three years following the registration of an inquiry in adherence to pertinent laws Transfer recipient (country) and Chief Information Officer's contact details : Postmark (USA) - https://postmarkapp.com/contact Personal information items transferred : Email address, community username of the affiliated artist, membership number, Event winner information (email, name, date of birth, phone number) Purpose of transfer : Email transmission service Date and method of transfer : Transmission of email via network Personal information retention and use period of the transfer recipient : Until the entrusted task concludes ② Users may reject international transfer of their personal information by contacting the personal information protection department specified in Article 14 of this Privacy Policy. However, one may be denied access to the Service or have their usage limited in case of rejection. ③ In the event that there are any changes to the overseas transfer, we shall promptly disclose such changes via this Privacy Policy. Article 9 Procedures and methods for the destruction of personal information ① In principle, once the retention period expires or the intended purpose of collecting and using personal information has been fulfilled, the Company promptly destroys the information. ② Destruction process In principle, personal information provided by members for membership signup is promptly expunged once its intended purpose of collecting and use has been fulfilled and shall not be utilized for any purpose other than retention except when mandated by law. However, personal information that must be preserved in adherence to pertinent laws and regulations is stored separately. Personal information of users, which is stored separately, shall not be utilized for any purposes other than those explicitly specified by law. ③ Destruction method Destruction of printed personal information involves shredding or incineration, while technical methods that make the records unrecoverable are employed to delete personal information stored in electronic files. Article 10 Rights, responsibilities, and modes of exercise of information subjects and legal representatives ① Members can access, browse, or update their personal information at any time. Additionally, they have the option to request membership cancellation, suspension of personal information processing, or withdrawal of consent to personal information processing. In such situations, however, access to some or all of the Services may be restricted. When a user is banned indefinitely from the service, the user's personal information may be retained for an indefinite period of time. ② Users can access and update their personal information themselves via [My Profile] in the Service platform. Additionally, members can terminate their service agreement at any time via "Fan’s" within the service; in the event of termination, the user's personal information will be entirely deleted. However, in the event that it pertains to the provisions specified in Article 6, Paragraph 2 of the Privacy Policy, it may be retained for a certain period in adherence to pertinent laws. ③ When a member requests for correction or deletion of one's own personal information, the Company will promptly execute the required measures subsequent to authenticating the member's identity. Furthermore, in the event that any of the stipulations outlined in Article 20, Paragraph 1 (Restrictions on Use, etc.) of the Terms of Service are applicable, the Chief Privacy Officer may, at their discretion, delete personal information, such as member accounts. ④ Personal information that is requested to be corrected will not be disclosed or utilized again until the correction is completed. Furthermore, in the event that incorrect personal information has already been disclosed to a third party, we shall inform said third party of the outcome of the correction in order to facilitate the necessary rectification. ⑤ The Company processes personal information that has been canceled or deleted at the request of the member in accordance with Article 6 of the Privacy Policy and prevents it from being viewed or utilized for any other purpose. Article 11 Precautions to ensure security of personal information The Company implements the following technical and managerial precautions when handling personal information of its members in order to ensure its safety against loss, theft, unauthorized access, modification, or damage. 1. Technical precautions The Company strives to protect the personal information of members against leakage or damage caused by hacking or computer viruses. We frequently create backups of data to mitigate the risk of personal information damage and employ cutting-edge anti-virus software to safeguard against leakage or damage to users' data or personal information. Moreover, we ensure the security of personal information transmission across networks by employing encrypted communication methods. An intrusion prevention system is employed to regulate unauthorized external access, and every effort is made to be equipped with every possible technological device with the intent of ensuring system security. 2. Managerial precautions Personal information processing at the Company is restricted to the person in charge, and a separate, frequently updated password is allocated for the purpose of periodic renewal. We emphasize at all times that all persons in charge adhere to the Privacy Policy by providing them with ongoing training. The Company appoints a Chief Privacy Officer to oversee the implementation of the Privacy Policy at all times and makes sure that prompt remedial action is taken in the event that any issues are identified. However, the Company shall not be liable for any issues resulting from the disclosure of personal information as a result of the user's carelessness or Internet failures. 3. Physical precautions The Company employs an access control system over a computer room and data storage room in order to ensure the security of personal information. Article 12 Matters concerning the installation, operation, and rejection of automatic personal information collecting devices ① The Company installs and operates cookies in order to deliver a quicker web experience to the users, and the users can reject this matter. ② Cookies are extremely small text files that are sent to the user's browser by the server that runs the application. Cookies are stored in the storage medium of the user's device. Cookies do not collect individual identification information, and users may reject cookie storage or delete it at any time. 1. Purpose of using cookies: By implementing cookies, the Company can deliver a quicker and more convenient web experience to users by storing preferences set by the administrator or user-specified settings. 2. Installation/Operation and refusal of cookies: Users have the option to install cookies. Users can configure their web browser and operating system to allow all cookies, require confirmation every time cookies are saved, or refuse to save all cookies. However, users’ web experience may become inconvenient, and they may encounter difficulties when using certain login-based services by refusing to install cookies. Article 13 Matters concerning the collection, use, and rejection of behavioral information ① The Company utilizes Google Analytics, a log analysis tool provided by Google, to examine service usage statistics. Google Analytics is utilized to collect behavioral information regarding our Service users; however, in this case, only the information that does not allow identification of individuals is collected. To prevent such processing of information, one may refuse information processing using the procedures outlined below. - For Android: Settings>Privacy>Ads>Delete Advertising ID - For iOS: Settings>Privacy&Security>Tracking>Deactivate “Allow Apps to Request to Track” ② In this case, the Company does not utilize the collected behavioral information for the purpose of online personalized advertising. Article 14 Chief Privacy Officer ① The Company appoints the Chief Privacy Officer to be accountable for the overall management of personal information processing and is tasked with resolving complaints and providing damage relief to information subjects. 1. Chief Privacy Officer ­ Name: Minjong Jung ­ Position: CTO ­ Email: privacy_360@jype.com ­ Phone: 02-477-3360 2. Privacy department ­ Department name: IT Lab ­ Person in charge: Heechan Park ­ Phone: 02-477-3360 ­ Email: privacy_it360@jype.com ② The information subject may inquire the Chief Privacy Officer and the privacy department with any concerns regarding the protection of personal information, the handling of complaints, damage relief, or anything else that may arise during the use of the Company's Service. The Company will provide responses and handle inquiries from information subjects without delay. Article 15 Requesting access to personal information The information subject may request to view, correct or delete personal information, suspension of processing, or withdrawal of consent (hereinafter “requesting access to personal information, etc.”) to the following department in accordance with Articles 35 to 37 of the Personal Information Protection Act. The Company will make every effort to promptly handle the information subject's request to access personal information. ­ Department name: IT Lab ­ Person in charge: Heechan Park ­ Phone: 02-477-3360 ­ Email: privacy_it360@jype.com Article 16 Methods for relief of rights infringement ① The information subject may petition the Korea Internet & Security Agency's Personal Information Infringement Reporting Center, the Personal Information Dispute Mediation Committee or seek consultation in order to obtain relief from personal information infringement. For consultations and additional reports of personal information breaches, please contact the organizations listed below. 4. Personal Information Dispute Mediation Committee: (without area code) 1833-6972 (www.kopico.go.kr) 5. Personal Information Infringement Report Center: (without area code) 118 (privacy.kisa.or.kr) 6. Supreme Prosecutor's Office: (without area code) 1301 (www.spo.go.kr) 7. National Police Agency: (without area code) 182 (ecrm.cyber.go.kr) ② An individual whose rights or interests have been violated as a result of an action or omission by the head of a public institution regarding a demand in adherence to the stipulations outlined in Article 35 (Access to Personal Information), Article 36 (Correction or Erasure of Personal Information), and Article 37 (Suspension of Processing of Personal Information) of the Personal Information Protection Act, may petition for an administrative trial in compliance with the stipulations outlined in the Administrative Appeals Act. ­ Online Administrative Appeals: (without area code) 110 (www.simpan.go.kr) Article 17 Revisions to the Privacy Policy ① When this Privacy Policy is revised, the Company announces the changes, the reason for change, and the date of implementation along with the current Privacy Policy on the notice page within the Service. However, in the event that significant revisions occur regarding member rights, such as the collection and utilization of personal information or its disclosure to a third party, a minimum of thirty days' notice shall be furnished, and the members’ consent may be sought again. ② The effective date of this Privacy Policy is February 23, 2024. (Notification date: February 16, 2024) ________________________________________ JYP Three Sixty Corp. CEO (Name) : Hyun Sik Pi, Sang Bong Byun Business Registration No. : 327-87-02151 Address : (05402) 7-13, Seongan-ro, Gangdong-gu, Seoul, Second Floor (Seongnae-dong) E-mail : fans_help@jype.com