Paprika Data Lab Inc. (hereinafter "the Company") complies with the provisions of the 「Personal Information Protection Act」 and related laws and regulations to protect the freedom and rights of data subjects, and lawfully processes and securely manages personal information. Accordingly, pursuant to Article 30 of the 「Personal Information Protection Act」, we establish and disclose the following privacy policy to inform data subjects of the procedures and standards for processing personal information and to handle related grievances promptly and smoothly.

1. Purpose of Processing Personal Information

The Company processes personal information for the following purposes. The personal information being processed will not be used for purposes other than those listed below, and should the purpose of use change, we will take necessary measures, such as obtaining separate consent in accordance with Article 18 of the 「Personal Information Protection Act」.

1. Membership Registration and Management: We process personal information for the purpose of confirming the intent to join, identifying and authenticating individuals for membership services, maintaining and managing membership status, preventing fraudulent use of services, verifying the consent of a legal representative when processing the personal information of children under 14, providing various notices and notifications, and handling grievances.

2. Provision of Services: We process personal information for providing services, sending contracts and invoices, delivering content, offering customized services, verifying identity, verifying age, processing payments and settlements, and for debt collection. (For statistical purposes using information that cannot identify individuals).

3. Personal Information Processing by the Data Processor: To handle inquiries and errors that occur during the use of the Company's services, the personal information processor may access personal information after an inquiry has been received.

4. Promotional Use: If a member has already conducted or is conducting a survey publicly using Walla, to promote that the member is a Walla user.

5. Marketing and Advertising: To provide basic service information, promote new services, provide information on events and advertisements and offer participation opportunities, analyze access frequency or statistics on service usage by users, and verify service effectiveness.

2. Processing and Retention Period of Personal Information

The Company processes and retains personal information within the period of retention and use stipulated by law or the period agreed upon when collecting personal information from the data subject. The respective processing and retention periods for personal information are as follows:

1. Website Membership Registration and Management: Until withdrawal from the business's website.

   However, in the following cases, until the end of the respective period:

   • If an investigation or inquiry regarding a violation of relevant laws is in progress, until the investigation or inquiry is concluded.

   • If a claim or debt relationship related to website use remains, until the said claim or debt is settled.

2. Provision of Goods or Services: Until the supply of goods or services is completed and payment/settlement is finalized.

   However, in the following cases, until the end of the respective period:

   • Records on display, advertising, contract details, and their fulfillment under the 「Act on Consumer Protection in Electronic Commerce, etc.」

     • Records on display and advertising: 6 months

     • Records on contracts or withdrawal of offers, payment, and supply of goods: 5 years

     • Records on consumer complaints or dispute resolution: 3 years

   • Retention of communication confirmation data under the 「Protection of Communications Secrets Act」

     • Subscriber telecommunication date/time, start/end times, counterpart subscriber number, frequency of use, location data of the originating base station: 1 year

     • Computer communication, internet log records, and access point tracking data: 3 months

   • Under the 「Credit Information Use and Protection Act」

     • Records on the collection/processing and use of credit information: 3 years

3. Personal Information Items Processed

The Company processes the following personal information items:

1. For membership registration, the Company processes the following items:

   • Required Items: Google account email address, nickname, set profile picture.

   • Optional Items: Institutional information.

   • Collection Method: User input on the site.

2. During service use or business processing, the Company processes the following items:

   • IP address, cookies, visit date/time, fraudulent use records, service use records, etc.

   • Collection Method: Automatically generated and collected.

   • To provide stable services, the Company may additionally collect the following items through legal procedures and with user consent:

3. IP address, cookies, visit date/time, service use records, records of improper use, payment history, the geographic location of your device at the time of service use, etc.

   • Collection Method: Collection through information gathering tools.

   • Walla complies with the Google API Services User Data Policy, including the Limited Use requirements, when using and transferring to any other app information received from Google APIs.

4. Access and Use of Google User Data: Information imported from a Google account, such as email, nickname, and profile picture, is used only for providing core service functions like member registration, profile creation, and login, based on the user's explicit consent. This allows us to provide optimal service to the user, and this data is not used for any purpose other than improving service functionality.

   • Storage of Google User Data: Google user data is stored securely on Google Firebase, and the stored data is protected from being leaked externally without the user's consent.

   • Sharing of Google User Data: Google user data is not shared with third parties. Except when necessary for service provision, it is not transferred or shared externally without the user's consent. In accordance with the Google API Services User Data Policy, data is used only for the purpose of providing and improving the core functions of the service.

5. Walla uses OpenAI's GPT throughout its services, and information utilized for AI functions (such as open-ended response analysis) is shared with OpenAI.

4. Provision of Personal Information to Third Parties

1. The Company processes the personal information of data subjects only within the scope specified in the "Purpose of Processing Personal Information." Personal information is provided to third parties only in cases that fall under Article 17 and Article 18 of the 「Personal Information Protection Act」, such as with the consent of the data subject or special provisions in the law. Otherwise, the data subject's personal information is not provided to third parties.

   • Information submitted by a person who wishes to become an applicant for the Walla service for the purpose of service execution.

   • Information submitted for payment processing by a person who wishes to use the Walla service.

   • Except for the items above, and unless there are special provisions in other laws, we do not use personal information beyond the notified and specified scope or provide it to third parties.

2. The Company provides information to the minimum extent necessary after obtaining the data subject's consent in the following cases for smooth service provision.

3. The Company may provide personal information to relevant authorities without the consent of the data subject in emergency situations such as disasters, infectious diseases, events causing imminent danger to life or body, or imminent property loss.

4. Furthermore, in accordance with Article 59 (Prohibited Acts) of the Personal Information Protection Act, company officials who handle or have handled personal information for service provision shall not engage in any of the following acts:

   • Acquiring personal information or obtaining consent for its processing through false or other fraudulent means.

   • Disclosing personal information learned in the course of duty or providing it for use by others without authority.

   • Damaging, destroying, altering, forging, or leaking another person's personal information without proper authority or in excess of permitted authority.

5. Entrustment of Personal Information Processing

1. For the smooth processing of personal information, the Company entrusts the processing of personal information as follows:

   • Stripe, Inc.

     • Entrusted Party (Trustee): Stripe, Inc.

     • Entrusted Task: Use of PG payment services.

     • Retention and Use Period: [Link to be provided]

   • Google Cloud Platform

     • Entrusted Party (Trustee): Google Cloud Platform

     • Entrusted Task: Server operation for service provision.

     • Retention and Use Period: Until membership withdrawal, service termination, or termination of the entrustment contract.

   • Cloudflare

     • Entrusted Party (Trustee): Cloudflare

     • Entrusted Task: Server operation for service provision.

     • Retention and Use Period: Until membership withdrawal, service termination, or termination of the entrustment contract.

   • OpenAI

     • Entrusted Party (Trustee): OpenAI

     • Entrusted Task: Automatic survey generation and analysis on the results page.

     • Retention and Use Period: [Link to be provided]

2. When concluding an entrustment contract, the Company, in accordance with Article 26 of the 「Personal Information Protection Act」, clearly states in documents such as the contract the prohibition of processing personal information for purposes other than performing the entrusted task, technical and administrative protection measures, restrictions on re-entrustment, management and supervision of the trustee, and matters concerning liability for damages, and supervises whether the trustee processes personal information safely.

3. If the content of the entrusted task or the trustee changes, we will disclose it without delay through this privacy policy.

4. The Company entrusts payment-related tasks to the foreign corporation Stripe, Inc. as follows:

   • Stripe, Inc.

     • Entrusted Party (Trustee): Stripe, Inc.

     • Entrusted Task: Use of PG payment services.

     • Retention and Use Period: Until membership withdrawal, service termination, or termination of the entrustment contract.

   • Google Cloud Platform

     • Entrusted Party (Trustee): Google Cloud Platform

     • Entrusted Task: Server operation for service provision.

     • Retention and Use Period: Until membership withdrawal, service termination, or termination of the entrustment contract.

   • Cloudflare

     • Entrusted Party (Trustee): Cloudflare

     • Entrusted Task: Server operation for service provision.

     • Retention and Use Period: Until membership withdrawal, service termination, or termination of the entrustment contract.

6. Procedure and Method of Personal Information Destruction1

1. The Company destroys the relevant personal information without delay when it becomes unnecessary, such as upon the expiration of the retention period or the achievement2 of the processing purpose.

2. If personal information must be retained in accordance with other laws despite the expiration of the retention period agreed to by the data subject or the achievement of the processing purpose, the personal information is transferred to a separate database (DB) or stored in a different location.

3. The procedure and method of destroying personal information are as follows:

   • Destruction Procedure

     • The Company identifies the personal information for which a reason for destruction has occurred and destroys it with the approval of the Company's Chief Privacy Officer.

   • Destruction Method

     • The Company destroys personal information recorded and stored in electronic file format in a way that the records cannot be reproduced. Personal information recorded and stored on paper documents is destroyed by shredding or incineration.

7. Rights and Obligations of Data Subjects and Legal Representatives and How to Exercise Them

1. Data subjects may exercise their rights to request access, correction, deletion, and suspension of processing of personal information from <Name of Personal Information Processor> at any time.

   • Request to access personal information.

   • Request for correction in case of errors, etc.

   • Request for deletion.

   • Request to suspend processing.

2. The exercise of these rights can be made to the Company in writing, by e-mail, or by fax (FAX) in accordance with Article 41(1) of the Enforcement Decree of the 「Personal Information Protection Act」, and the Company will take action without delay.

3. The exercise of rights can also be done through a legal representative of the data subject or an authorized agent. In this case, a power of attorney in the form of Appendix No. 11 of the "Notification on Personal Information Processing Methods (No. 2020-7)" must be submitted.

4. The rights of the data subject to request access and suspension of processing of personal information may be restricted under Article 35(4) and Article 37(2) of the 「Personal Information Protection Act」.

5. A request for correction and deletion of personal information cannot be made if the personal information is specified as a collection item in other laws.

6. The Company verifies whether the person making the request for access, correction/deletion, or suspension of processing is the data subject or a legitimate representative.

8. Measures to Ensure the Security of Personal Information

1. The Company takes the following measures to ensure the security of personal information:

   • Administrative Measures: Establishment and implementation of an internal management plan, operation of a dedicated organization, and regular employee training.

   • Technical Measures: Management of access rights to personal information processing systems, installation of access control systems, encryption of personal information, and installation and updating of security programs.

2. In addition to the measures prescribed by law, the Company implements the following activities to ensure the security of personal information:

   • Minimization and Training of Staff Handling Personal Information: We implement measures to manage personal information by designating and limiting staff who handle it to a minimum.

   • Regular Internal Audits: We conduct regular internal audits (quarterly) to ensure the security of personal information handling.

   • Encryption of Personal Information: The user's personal information and password are encrypted, stored, and managed, so only the user knows them. For important data, separate security functions such as encrypting files and transmission data or using a file lock function are used.

   • Protection against Hacking and Computer Viruses: The company installs security programs to prevent personal information leakage and damage from hacking or computer viruses, performs periodic updates and checks, installs systems in areas with controlled external access, and monitors and blocks them technically and physically.

   • Restricting Access to Personal Information: We take necessary measures to control access to personal information by granting, changing, and revoking access rights to the database system that processes personal information, and we use an intrusion prevention system to control unauthorized access from the outside.

   • Storage and Prevention of Forgery/Alteration of Access Records: We store and manage the access records to the personal information processing system for at least 6 months and use security functions to prevent the forgery, alteration, theft, or loss of access records.

9. Matters Concerning the Installation, Operation, and Refusal of Automatic Personal Information Collection Devices

1. The Company may use 'cookies,' which store and frequently retrieve user information, to provide individualized customized services.

   • To provide differentiated information for each member when creating a survey.

   • To analyze the access frequency or stay time of members and non-members to identify user preferences and interests and provide specialized services.

   • To track the history of answered surveys to provide personalized response services.

   • To provide information on the usage period when using paid services.

   • To use as a measure for service reorganization by analyzing user habits.

2. Cookies are small amounts of information that the server (http) used to operate a website sends to the user's computer browser and may be stored on the user's PC hard disk.

   • Purpose of Using Cookies: To identify visit and usage patterns for each service and website visited by the user, popular search terms, security access status, etc., to provide optimized information to the user.

   • Installation, Operation, and Refusal of Cookies: You can refuse to store cookies through the option settings in the Tools > Internet Options > Privacy menu at the top of your web browser.

   • Consequences of Refusing Cookies: Refusing to store cookies may cause difficulties in using customized services.

10. Matters Concerning the Collection, Use, and Refusal of Behavioral Information

1. The Company collects and uses behavioral information during the service use process to provide optimized customized services, benefits, and online customized advertisements to data subjects.

2. The Company collects behavioral information as follows:

   • Items of Behavioral Information Collected: User's website/app service visit history, search history, purchase history.

   • Method of Collecting Behavioral Information: Automatic collection when a user visits/runs a website or app.

   • Purpose of Collecting Behavioral Information: To provide personalized product recommendation services (including advertisements) based on the user's interests and tendencies.

   • Retention/Use Period and Subsequent Information Processing Method: Destroyed 1 year from the date of collection.

3. The Company collects only the minimum behavioral information necessary for online customized advertisements and does not collect sensitive behavioral information that could significantly infringe on an individual's rights, interests, or privacy, such as ideology, beliefs, family and kinship, academic and medical history, and other social activities.

4. The Company does not collect behavioral information for customized advertising purposes from children known to be under 14 years of age or from online services primarily used by children under 14, and does not provide customized advertisements to children known to be under 14.

5. The Company collects and uses advertising identifiers for online customized advertisements in mobile apps. The data subject can block or allow customized ads in the app by changing the settings on their mobile device.

6. Blocking/Allowing Advertising Identifier on a Smartphone:

   • (Android) ① Settings → ② Privacy → ③ Ads → ③ Reset advertising ID or Delete advertising ID

   • (iPhone) ① Settings → ② Privacy & Security → ③ Tracking → ④ Turn off "Allow Apps to Request to Track"

     ※ Menus and methods may differ slightly depending on the mobile OS version.

7. Data subjects can collectively block or allow online customized advertisements by changing the cookie settings in their web browser. However, changing cookie settings may affect the use of some services, such as automatic website login.

   • Blocking/Allowing Customized Ads via Web Browser:

     • Internet Explorer (for Windows 10 Internet Explorer 11):

       • In Internet Explorer, select the Tools button, and then select Internet options.

       • Select the Privacy tab, and under Settings, select Advanced and choose to block or allow cookies.

     • Microsoft Edge:

       • In Edge, click the '...' icon in the top right corner, then click Settings.

       • Click 'Privacy, search, and services' on the left side of the settings page and select whether to enable 'Tracking prevention' and the level.

       • Select whether to 'Always use "Strict" tracking prevention when browsing InPrivate'.

       • Under the 'Privacy' section below, select whether to 'Send "Do Not Track" requests'.

     • Chrome Browser:

       • In Chrome, click the '⋮' icon (Customize and control Google Chrome) in the top right corner, then click Settings.

       • Click 'Show advanced settings' at the bottom of the settings page and click 'Content settings' in the 'Privacy' section.

       • In the Cookies section, check the box for 'Block third-party cookies and site data'.

8. Data subjects can inquire about matters related to behavioral information, exercise their right to refusal, and report damages by contacting the contact person below.

   • Personal Information Protection Department:

     • Contact Person: Yonggwan Jo

     • Contact: yonggwan@paprikadatalab.com

11. Processing of Pseudonymized Information

1. For statistical purposes, scientific research, and preservation of public records, the Company processes collected personal information after pseudonymizing it so that a specific individual cannot be identified, as follows.

   • Matters concerning the processing of pseudonymized information.

   • Matters concerning the provision of pseudonymized information to third parties (to be completed only if applicable).

12. Chief Privacy Officer

1. The Company has designated a Chief Privacy Officer as follows to take overall responsibility for tasks related to the processing of personal information and to handle complaints and remedy damages of data subjects related to personal information processing.

2. Chief Privacy Officer

   • Name: Yonggwan Jo

   • Position: Data Engineer

   • Contact: yonggwan@paprikadatalab.com (connects to the Personal Information Protection Department)

13. Remedies for Infringement of Rights and Interests

1. Data subjects may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency (KISA) Personal Information Infringement Report Center, etc., to seek relief from personal information infringement. For other reports and consultations on personal information infringement, please contact the following organizations:

   • Personal Information Dispute Mediation Committee: (no area code) 1833-6972 (www.kopico.go.kr)

   • Personal Information Infringement Report Center: (no area code) 118 (privacy.kisa.or.kr)

   • Supreme Prosecutors' Office: (no area code) 1301 (www.spo.go.kr)

   • National Police Agency: (no area code) 182 (ecrm.cyber.go.kr)

2. The Company strives to guarantee the data subject's right to self-determination regarding their personal information and to provide consultation and remedy for damages due to personal information infringement. If you need to report or consult, please contact the department below.

   • Customer Consultation and Reporting for Personal Information Protection

     • Contact Person: Yonggwan Jo

     • Contact: yonggwan@paprikadatalab.com

3. A person whose rights or interests have been infringed by a disposition or omission made by the head of a public institution in response to a request under Article 35 (Access to Personal Information), Article 36 (Correction or Deletion of Personal Information), and Article 37 (Suspension of Processing of Personal Information) of the 「Personal Information Protection Act」 may file an administrative appeal as prescribed by the Administrative Appeals Act.

   • Central Administrative Appeals Commission: (no area code) 110 (www.simpan.go.kr)

14. Changes to the Privacy Policy

1. The Company posts the contents of this privacy policy, the company name and CEO's name, the address of the business office, e-mail address, business registration number, mail-order business report number, and the name of the Chief Privacy Officer through a link.

2. When a user signs up for membership, the Company informs the user that the act of signing up constitutes consent to the privacy policy and allows the user to view the contents of the privacy policy through a link.

3. The Company may amend this privacy policy to the extent that it does not violate relevant laws.

4. When the Company amends the privacy policy, it will specify the reason for the amendment and post the current and revised privacy policies on the service's bulletin board for public notice from 7 days before the effective date of the revised policy until the day before the effective date. The revised content will also be sent to each member's email 7 days before the effective date.

5. This privacy policy is effective from the enforcement date. If there are any additions, deletions, or corrections to the content due to changes in laws, government policies, or internal company policies, we will notify you through a public notice at least 7 days before the implementation of the changes. If a user does not express an objection to the Company from 7 days before the application of the privacy policy until the day before the application date, they will be deemed to have consented to the revised privacy policy.

• Walla complies with the Google API Services User Data Policy, including the Limited Use requirements, when using and transferring to any other app information received from Google APIs.