Article 1 (Purpose)

SYMPLE (hereinafter “the Company”) establishes this Privacy Policy (hereinafter “the Policy”) to protect the personal information (hereinafter “Personal Information”) of individuals (hereinafter “Users” or “Individuals”) who use the Company’s services (hereinafter “Company Services”). The Company complies with relevant laws, including the Personal Information Protection Act and the Act on Promotion of Information and Communications Network Utilization and Information Protection (the “Information and Communications Network Act”), and ensures that Users’ privacy concerns are promptly and appropriately addressed.

Article 2 (Principles of Processing Personal Information)

The Company may collect Users’ personal information in accordance with relevant laws and this Policy. Collected information may be provided to third parties only with the individual’s consent. However, where required by law, the Company may provide such information to third parties without prior consent.

Article 3 (Disclosure of this Policy)

The Company discloses this Policy on the homepage’s main page or via a linked page so that Users can review it at any time. The Company ensures the Policy is easy to read by using legible font size, color, etc.

Article 4 (Changes to this Policy)

This Policy may be revised according to amendments in relevant laws, guidelines, notifications, or changes in Company Services or government policy.

If the Policy is amended, the Company will notify Users by one or more of the following methods:

• Announcement on the main page or a popup on the Company’s website.

• Written notice, fax, e-mail, or other similar methods.

Notices will be made at least 7 days before the effective date of the revised Policy. If changes significantly affect Users’ rights, the Company will notify at least 30 days in advance.

Article 5 (Information for Membership Registration)

For membership registration, the Company collects the following:

• Required: Name, nickname, date of birth, mobile phone number

• Optional: Gender

Article 6 (Information for Identity Verification)

• Required: Mobile phone number, name, date of birth, gender

Article 7 (Information for Legal Guardian Consent)

When guardian consent is required, the Company collects:

• Required: Guardian’s name, date of birth, gender, mobile phone number

Article 8 (Information for Payment Services)

To provide payment services:

• Required: Card number, card password, expiration date, date of birth (yy/mm/dd), bank name, account number

Article 9 (Information for Issuing Cash Receipts)

To issue cash receipts:

• Required: Recipient’s name, date of birth, address, mobile phone number, cash receipt card number

Article 10 (Information for Service Provision)

• Required: Nickname, date of birth, contact information

• Optional: Step count, sleep duration, heart rate, depression level

Article 11 (Information for Monitoring Service Use and Fraud)

Collected for statistical analysis and prevention of fraudulent activities:

• Required: Service usage records, cookies, access logs, device information

(Fraud includes repeated withdrawal and re-registration, repeated cancellations after purchases, misuse of coupons/events, identity theft, and other prohibited acts.)

Article 12 (Collection Methods)

The Company collects personal information through:

• User input on the website or application

• Importing health data recorded on smartphones

• Customer service inquiries, community boards, etc.

Article 13 (Use of Personal Information)

The Company uses collected information for:

• Service announcements and notifications

• Responding to inquiries, complaints, and improving services

• Providing Company Services

• Preventing and sanctioning service misuse

• Developing new services

• Demographic and usage analytics

Article 14 (Retention Period)

Personal information is retained only as long as necessary to fulfill collection purposes. Fraudulent use records may be retained for up to one year after account termination to prevent abuse.

Article 15 (Retention Period under Law)

As required by law:

• Records of contracts/cancellations: 5 years

• Records of payment and supply of goods: 5 years

• Records of complaints/disputes: 3 years

• Records of advertisements: 6 months

• Web access logs (per Communications Privacy Protection Act): 3 months

• Electronic financial transactions: 5 years

• Location data: 6 months

Article 16–18 (Destruction of Personal Information)

Personal information will be destroyed once its purpose is achieved or retention period expires.

• Stored electronically: Deleted using technical methods preventing recovery.

• Printed form: Shredded or incinerated.

Article 19 (Transmission of Advertising Information)

The Company obtains explicit prior consent before sending commercial advertisements electronically, except in limited lawful cases. Users can withdraw consent at any time, and the Company will comply immediately.

Article 20–22 (User Rights and Obligations)

Users and legal guardians may view, modify, or request deletion of their information at any time. They must keep their information accurate; responsibility for issues from inaccurate entries lies with the User. Impersonation or unauthorized use of another’s information may result in loss of membership and legal penalties.

Article 23–27 (Company’s Responsibilities and Security Measures)

The Company implements technical and administrative measures to secure personal information, including encryption of passwords, antivirus programs, firewalls, intrusion prevention systems, and staff training.

Article 28–29 (Data Breach Response)

If a breach occurs, the Company will promptly notify affected Users and report to regulatory authorities. Where contact information is unavailable, notice will be posted on the Company website for at least 30 days.

Article 30–31 (Cookies)

Cookies may be used to provide customized services. Users may accept, confirm, or refuse cookies via browser settings. Refusal may limit some login-required services.

Article 32 (Data Protection Officer)

Data Protection Officer: Minsoo Kim

Position: CEO

Email: mimsut@symple.kr

Article 33 (Remedies)

If you are located in Korea, you may seek dispute resolution or consultation from the following agencies:

• Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)

• Personal Information Infringement Report Center: 118 (privacy.kisa.or.kr)

• Supreme Prosecutors’ Office: 1301 (www.spo.go.kr)

• National Police Agency: 182 (ecrm.cyber.go.kr)

If you are located outside Korea, including the United States, and believe your privacy rights have been infringed, you may contact your local data protection authority. In the United States, you may file a complaint with:

• Federal Trade Commission (FTC): 1-877-FTC-HELP (www.ftc.gov)

• Your State Attorney General’s Office (contact information varies by state)

The Company will make every effort to respond promptly and appropriately to any requests or complaints related to personal information protection.

Article 34 (Collection and Use of Health Data)

For personalized mental health services, the Company may collect the following health data with explicit prior consent:

• Step count, sleep duration, heart rate

• Self-reported depression survey responses

Data is used only for:

• Personalized missions, content, and reminders

• Early detection of mental health changes for preventive support

• Service improvement via AI-based behavior analysis

All health data is encrypted, anonymized when analyzed, and strictly access-controlled. The Company is not a medical institution; data is not used for diagnosis or treatment. With consent, limited data may be shared with partner mental health professionals. Users may withdraw consent at any time, and related data will be promptly deleted.

Supplementary Provision

This Policy takes effect on December 3, 2024.