Appendix of Privacy Protection Policy

<1> Lawful processing of personal information under GDPR

Processing personal information by Keyin shall be lawful only if and to the extent that at least one of the following applies:

• • A user has given consent to the processing of his or her personal information.
• • Processing is necessary for the performance of a contract to which a user is party or in order to take steps at the request of a user prior to entering into a contract:
  • - Member management, identification, etc.
  • - Performance of a contract in relation to providing the services required by users, payment and settlement of fees, etc.
• • Processing is necessary for compliance with a legal obligation to which Keyin is subject

  - Compliance with relevant law, regulations, legal proceedings, requests by the government

• • Processing is necessary in order to protect the vital interests of users, or other natural persons

  - Detection of, prevention of, and response to fraud, abuse, security risks, and technical issues that may harm users or other natural persons

• • Processing is necessary for the performance of a task carried out in the public interest or in the excise of official authority vested in Keyin
• • Processing is necessary for the purposes of the legitimate interests pursued by Keyin or by a third party (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child).

<2>User's right when applying GDPR

The users or their legal representatives, as main agents of the information, may exercise the following rights regarding the collection, use and sharing of personal information by Keyin:

• • The right to access to personal information;

  The users or their legal representatives may access the information and check the records of the collection, use and sharing of the information under the applicable law.

• • The right to rectification;

  - The users or their legal representatives may request to correct inaccurate or incomplete information.

• • The right to erasure;

  - The users or their legal representatives may request the deletion of the information after the achievement of their purpose and the withdrawal of their consent.

• • The right to restriction of processing;

  - The users or their legal representatives may make temporary suspension of treatment of personal information in case of the disputes over the accuracy of information and the legality of information treatment, or if necessary to retain the information.

• • The right to data portability

  - The users or their legal representatives may request to provide or transfer the information.

• • The right to object

  - The users or their legal representatives may suspend the treatment of personal information if the information is used for the purpose of direct marketing, reasonable interests, the exercise of official duties and authority, and research and statistics.

• • The right to automated individual decision-making, including profiling

  - The users or their legal representatives may request to cease the automated treatment of personal information, including profiling, which has critical impact or cause legal effect on them.

If, in order to exercise the above rightss, you, as an user, use the menu of 'amendment of member information of webpage or contact Keyin by sending a document or e-mails, or using telephone to Keyin ( person in charge of management of personal information or a deputy), Keyin will take measures without delay: Provided that Keyin may reject the request of you only to the extent that there exists either proper cause as prescribed in the laws or equivalent cause.

<3> Data transfer to other countries

Considering it engages in global businesses, Keyin may provide the users' personal information to the companies located in other countries for the purpose as expressly stated in this Policy. For the places where the personal information is transmitted, retained or processed, Keyin takes reasonable measures for protecting those personal information.

(If used in the US, additional security measures may be available) In addition, when the personal information obtained from the European Union or Switzerland is used or disclosed, Keyin may have to comply with the US-EU Privacy Shield and Swiss-US Privacy Shield, take other measures or obtain consent from users so far as those complies with the regulations of EU so as to use a standardized agreement provision approved by executing organizations of EU or securing proper safe measures.

<4> 3rd party's sites and services

The website, product or service of Keyin may include the links to the ones of a 3rd party and the privacy protection policy of the site of 3rd party may be different. Thus, it is required for the users to check additionally that policy of a 3rd party site linked to the site of Keyin.

<5> Guide for users residing in California

If the user resides in California, certain rights may be given. Keyin prepare preventive measures necessary for protecting personal information of members so that Keyin can comply with online privacy protection laws of California.

In case of leakage of personal information, an user may request Keyin to check the leakage. In addition, all the users in the website of Keyin, can modify their information at any time by using the menu for changing information by connecting their personal account.

Moreover, Keyin does not trace the visitors of its website nor use any signals for 'tracing prevent'. Keyin will not collect and provide any personal identification information through ad services without consent of users.

<6> Guide for users residing in Korea

Keyin guides several additional matters to be disclosed as required by the information network laws and personal information protection laws in the Republic of Korea as follows:

(1) Information collected

The items collected by Keyin are as follows:

• • Examples of required information

  Examples of required information

  Title of service	Items to be collected(examples)
  Internet membership service	- Name, email address, ID, telephone number, address, national information, encoded identification information (CI), identification information of overlapped membership (DI) - For minors, information of legal representatives (name, birth date, CI and DI of legal representatives)
  Online payment service	- Name, address, telephone number, and email address - For payment with credit card : name of card company, number and expiration of card - For small sum payment charged on the mobile phone: mobile phone number, payment approval number - For payment by remittance: name of bank, account number and password of account - For deposit without a bankbook: name of remitter, contact information - Delivery information including delivery address, name and contact information of recipient - Information of bid, purchase and sales
  Social network service	- Name, email address, ID, telephone number, address, national information, address list (acquaintance) - Information of place of taking pictures and date of creation of files - Information of service use of members such as the type of contents watched or used by members, frequencies and period of activities of members
  In the course of using services, the information as described below may be created and collected: - Information of devices (equipment/device identifier, operation system, hardware version, equipment set-up and telephone number) - Log information (Log data, use time, search word input by users, internet protocol address, cookie and web beacon) - Location information (Information of device location including specific geographical location detected through GPS, Bluetooth or Wifi) - Other created information

• • Examples of optional items

  The user may reject the collection and use of optional items and, even in case of rejection, there is no limit on use of services

  Examples of optional items

  Purpose of collection	Items to be collected(examples)
  User analysis	- The reason for membership, occupation, marriage status, wedding anniversary, interest category and SNS account information
  Provision of customized ad	- Contents and result of marketing activities and event participation
  Delivery of urgent notice	- Information provided by the users regarding execution, maintenance, execution, management of other agreements and event participation
  Marketing	- Preference, advertisement environment, visited pages regarding service use of users

• • Additional procedure for collection of sensitive information

  If collection of sensitive information is indispensable, Keyin may collect it by going through lawful procedure in accordance with relevant laws and regulations. The sensitive information which may be collected by Keyin is as follows:

  • - Thoughts and belief
  • - Membership of and withdrawal from labor union or political party
  • - Political opinions
  • - Information of health and sexual life
  • - Genetic information obtained from the result of gene test
  • - Information of criminal record including announcement, exemption and suspension of sentences, care and custody, protective custody, treatment and custody, probation, lapse of suspension of sentence and cancellation of suspension of execution.

(2) Commission for collected personal information

For carrying out services, Keyin commissions external professional companies (subcontractors) to process personal information as follows. This commissioned works for processing personal information is carried out by each subcontractor and service only if necessary, for providing that service.

In commissioning process of personal information, in order to secure safety of personal information , Keyin supervises and ensure to expressly state in the agreement with subcontractors so that those subcontractors will safely process personal information by strictly complying with directions regarding personal information protection, keeping personal information secret, not disclosing it to a 3rd party and being liable for accidents and returning or destructing personal information upon termination of the commission or process.

Commission for collected personal information

Name of subcontractors	Description of commissioned works (services)
Bunch	Customer service

(3) Period for retention and use of personal information

In principle, Keyin destructs personal information of users without delay when: the purpose of its collection and use has been achieved; the legal or management needs are satisfied; or users request: Provided that, if it is required to retain the information by relevant laws and regulations, Keyin will retain member information for certain period as designated by relevant laws and regulations. The information to be retained as required by relevant laws and regulations are as follows:

• - Record regarding contract or withdrawal of subscription: 5 years (The Act on Consumer Protection in Electronic Commerce )
• - Record on payment and supply of goods:5 years (The Act on Consumer Protection in Electronic Commerce )
• - Record on consumer complaint or dispute treatment: 3 years (The Act on Consumer Protection in Electronic Commerce )
• - Record on collection/process, and use of credit information: 3 years (The Act on Use and Protection of Credit Information )
• - Record on sign/advertisement: 6 months(The Act on Consumer Protection in Electronic Commerce )
• - Log record of users such as internet/data detecting the place of user connection: 3 months(The Protection of Communications Secrets Act )
• - Other data for checking communication facts: 12 months (The Protection of Communications Secrets Act )

(4) Procedure and method of destruction of personal information

In principle, Keyin destructs the information immediately after the purposes of its collection and use have been achieved without delay: Provided that, if any information is to be retained as required by relevant laws and regulations, Keyin retain it for the period as required by those laws and regulations before destruction and, in such event, the personal information which is stored and managed separately will never be used for other purposes. Keyin destructs: hard copies of personal information by shredding with a pulverizer or incinerating it; and delete personal information stored in the form of electric file by using technological method making that information not restored.

(5) Technical, managerial and physical measures for protection of personal information

In order to prevent the loss, theft, leakage, alteration or damage of personal information of the users, Keyin takes technical, managerial and physical measures for securing safety as follows:

Examples of optional items

Items	Examples
Technical measures	- Utilize security servers for transmitting encryption of personal information - Take measures of encryption for confidential information - Install and operate access control devices and equipment - Establish and execute internal management plan
Managerial measures	- Appoint a staff responsible for protecting personal information - Provide education and training for staffs treating personal information - Establish and execute internal management plan - Establish rules for writing passwords which is hard to be estimated - Ensure safe storage of record of access to personal information processing system - Classify the level of authority to access to personal information processing system
Physical measures	- Establish and operate the procedure for access control for the facilities for storing personal information - Store documents and backing storage containing personal information in safe places which have locking device

(6) Staff responsible for managing personal information

The staff of Keyin responsible for managing personal information is as follows:

• • Name of staff responsible for managing personal information:
• Name : Yun Hyeong Jo
• Tel. : 82-2-6952-4434
• E-mali : admin@raonark.com

The latest update date: 1st August, 2021.

The following contents and materials were referred to in this guideline.

• • OECD 1980's Privacy guideline (Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 1980)
• • EU 1995's Protection of individuals with regard to the processing of personal data and on the free movement of such data (Directive 95/46/EC)
• • EU Cookies guideline(Directive 2009/136/EC)
• • UK, Protection of individuals (Data Protection Act, 1998)
• • France, Information Processing, Index and Freedom Act (Loin ̊ 78- 17du6janvier1978relativeàl'informatique,auxfichiersetauxliverté)
• • Germany, Federal Privacy Protection Act (Bundesdatenschutzgesetz, BDSG)
• • USA, FTC's Principles of Fair Information Practice (Fair Information Practice Principle)
• • USA, Safe Harbor Principles
• • EU-USA, EU-US Privacy Shield Principles
• • Swiss-US, Privacy Shield Principles
• • USA, COPPA : Children's Online Privacy Protection Act
• • USA, CalOPPA : The California Online Privacy Protection Act of 2003
• • Japan, Personal Information Protection Act, Ministry of internal affairs and communications 'Guidelines for the protection of personal information in telecommunications business'
• • China, Ministry of Industry and Information Technology's 'Rules for the Protection of Personal Information of Communication Internet Users'
• • Other major global tech companies' Privacy Policy