legal/privacy

Astroah Inc. (hereinafter referred to as the "Company") establishes and discloses this Privacy Policy in accordance with Article 30 of the Personal Information Protection Act to protect the personal information of data subjects and to promptly and smoothly handle related grievances. This Privacy Policy applies to all services (websites, mobile applications, etc.) provided by the Company and contains the following: 1. Purpose of collection and use of personal information 2. Items and methods of personal information collected 3. Retention and use period of personal information 4. Provision of personal information to third parties 5. Entrustment of personal information processing 6. Rights and obligations of data subjects and exercise methods 7. Destruction procedures and methods of personal information 8. Technical, administrative, and physical safety measures for personal information protection 9. Person responsible for personal information protection and staff 10. Request for viewing personal information 11. Methods of remedy for rights infringement 12. Installation, operation, and refusal of automatic personal information collection devices 13. Changes to privacy policy

The Company processes personal information for the following purposes. The personal information being processed will not be used for purposes other than those stated below, and if the purpose of use changes, necessary measures such as obtaining separate consent will be implemented in accordance with Article 18 of the Personal Information Protection Act. 1. Member Registration and Management - Confirming intention to register as a member - Identifying and authenticating members in providing membership services - Maintaining and managing member status - Preventing fraudulent use of services - Various notifications and notices - Handling grievances - Preserving records for dispute resolution 2. Service Provision - Providing community posts and comments services - Providing subtitle generation services - Content provision - Providing customized services - Points accumulation and management - Analysis of service usage records and access frequency 3. Service Improvement and New Service Development - Development of new services and provision of customized services - Service provision and advertisement placement according to statistical characteristics - Verification of service effectiveness - Understanding access frequency 4. Measures to Restrict Use of Members Who Violate Laws and Terms of Service - Prevention and sanctions for fraudulent use and actions that interfere with the smooth operation of services and unauthorized actions 5. Advertising Service Provision - Providing personalized advertisements - Measuring and analyzing advertising effectiveness - Advertising revenue settlement

1. The Company processes the following personal information items: A. Required Collection Items - Email address: Member registration, identity verification, account recovery - Password: Member authentication (encrypted and stored) - Nickname (username): Identification when using services B. Optional Collection Items - Profile image - Self-introduction C. Automatically Collected Items - Service usage records: Posts, comments, voting history - Access logs: Access time, IP address - Cookies: Auto-login, language settings, etc. - Device information: Device model name, OS version, app version - Network information: Carrier information, network environment D. Advertising-Related Automatic Collection Items - Advertising identifier (Android: ADID, iOS: IDFA) - Advertising interaction data (clicks, impressions, etc.) - Device information (screen size, language, timezone, etc.) 2. Personal Information Collection Methods - Directly provided by users during member registration and service use - Automatic collection through information generation collection tools - Automatically generated and collected during service use 3. Processing of Personal Information of Children Under 14 The Company does not collect personal information of children under 14 years of age, and children under 14 cannot register as members.

1. The Company processes and retains personal information within the retention and use period according to laws or consented by the data subject when collecting personal information. 2. The processing and retention period for each personal information is as follows: A. Member registration and management: Until membership withdrawal However, in the following cases, until the end of the reason: - When investigation or inquiry is in progress due to violation of relevant laws: Until the end of the investigation or inquiry - When debt-credit relationship remains from service use: Until settlement of the debt-credit relationship B. Service provision: Until membership withdrawal - Posts and comments: Until directly deleted by member or membership withdrawal - Subtitle generation records: 30 days after generation or until membership withdrawal - Backup data: Deleted after 90 days 3. When it is necessary to preserve according to relevant laws, the Company retains member information for a certain period prescribed by relevant laws: A. Preservation according to Act on Consumer Protection in Electronic Commerce - Records on labeling and advertising: 6 months - Records on contract or withdrawal of subscription: 5 years - Records on payment and supply of goods: 5 years - Records on consumer complaints or dispute resolution: 3 years B. Preservation according to Protection of Communications Secrets Act - Website visit records: 3 months C. Preservation according to Electronic Financial Transactions Act - Records on electronic financial transactions: 5 years 4. If a member does not use the service for 1 year (dormant account), based on Article 29 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, the Company will notify the member in advance and store and manage personal information separately.

The Company processes personal information of data subjects only within the scope specified in Article 2 (Purpose of Processing Personal Information), and provides personal information to third parties only when it corresponds to Articles 17 and 18 of the Personal Information Protection Act, such as the consent of the data subject or special provisions of law. The Company does not provide personal information to third parties except in the following cases: 1. When separate consent is obtained from the data subject 2. When there are special provisions in laws or it is unavoidable to comply with legal obligations 3. When the data subject or their legal representative is unable to express intent or prior consent cannot be obtained due to unknown address, etc., and it is clearly recognized as necessary for the urgent benefit of life, body, or property of the data subject or third party 4. When providing personal information in a form that cannot identify a specific individual for the purpose of statistical compilation and academic research 5. When there is a purpose of criminal investigation or there is a request from the Information and Communication Ethics Committee 6. When there are special provisions in other laws

1. The Company entrusts personal information processing tasks as follows for smooth personal information processing: A. Firebase (Google LLC) - Entrusted tasks: Member authentication, database management, cloud storage - Personal information retention and use period: Until membership withdrawal or termination of entrustment contract - Items of personal information processed: Email address, nickname, service usage records - Trustee location: United States - International transfer of personal information: Stored in data centers in the United States B. Google AdMob (Google LLC) - Entrusted tasks: Mobile advertising provision and advertising effectiveness measurement - Personal information retention and use period: Until termination of advertising service use - Items of personal information processed: Advertising identifier, device information, advertising interaction data - Trustee location: United States - International transfer of personal information: Stored in data centers in the United States 2. When concluding an entrustment contract, the Company specifies in documents such as contracts matters related to prohibition of processing personal information other than the purpose of performing entrusted tasks, technical and administrative protection measures, restrictions on re-entrustment, management and supervision of trustees, and responsibilities such as compensation for damages in accordance with Article 26 of the Personal Information Protection Act, and supervises whether the trustee safely processes personal information. 3. If the contents of entrusted tasks or the trustee change, it will be disclosed without delay through this Privacy Policy. 4. Notice regarding international transfer - The Company transfers personal information to the United States for use of Firebase service. - Items of personal information transferred: Email address, nickname, service usage records - Country of transfer: United States - Purpose of transfer: Member authentication and data storage - Retention period: Until membership withdrawal - Transfer method: Transmission through network (encrypted)

1. Data subjects may exercise the following personal information protection rights against the Company at any time: A. Request to view personal information B. Request for correction if there are errors in personal information C. Request for deletion of personal information D. Request to stop processing personal information E. Exercise right to data portability (data download) 2. The exercise of rights under Paragraph 1 can be made to the Company by the following methods: A. Request in writing or by email B. Direct modification through account settings page within the service C. Contact the person responsible for personal information protection The Company will take action without delay and notify the result within 10 days. 3. If a data subject requests correction or deletion of errors in personal information, the Company will not use or provide the personal information until the correction or deletion is completed. 4. The exercise of rights under Paragraph 1 can be done through a legal representative of the data subject or an agent who has been delegated. In this case, a power of attorney according to Form No. 11 attached to the "Notice on Personal Information Processing Methods (No. 2020-7)" must be submitted. 5. Data subjects shall not infringe on the personal information and privacy of themselves or others processed by the Company by violating the Personal Information Protection Act and other related laws. 6. Membership Withdrawal and Data Deletion Request Methods User data can be requested for deletion through the following two methods: Method 1: Membership Withdrawal - Go to Profile > Customer Support in the app. - Tap the "Withdraw Membership" button at the bottom. - Enter your password and confirm. Method 2: Submit an Inquiry - Go to Profile > Customer Support in the app. - Select "Submit Inquiry". - Select "Account Related" as the inquiry type. - Write your data deletion request in the title and content, then submit. Upon membership withdrawal or data deletion request, all personal information is immediately deleted and cannot be recovered except when retention is necessary according to relevant laws.

1. The Company destroys personal information without delay when it becomes unnecessary, such as when the retention period of personal information has elapsed or the purpose of processing has been achieved. 2. If personal information must continue to be preserved according to other laws even though the retention period consented by the data subject has elapsed or the purpose of processing has been achieved, the personal information is moved to a separate database (DB) or stored in a different storage location. 3. The procedures and methods for destroying personal information are as follows: A. Destruction Procedure - Information entered by users is moved to a separate DB (separate documents in case of paper) after achieving the purpose and stored for a certain period according to internal policies and other related laws or destroyed immediately. - Personal information moved to DB is not used for other purposes unless required by law. - Personal information subject to destruction is destroyed after obtaining approval from the person responsible for personal information protection. B. Destruction Method - Information in electronic file format is deleted using technical methods that cannot reproduce records. - Personal information printed on paper is destroyed by shredding or incineration. - Permanently deleted from database, and backup data is treated the same way within 90 days. 4. Timing of Destruction - Upon membership withdrawal: Immediate destruction (except when retention is necessary according to laws) - Backup data: Destroyed within 90 days - When personal information validity period expires: Within 30 days after expiration of validity period - When collection and use purpose is achieved: Within 5 days after achieving purpose

The Company takes the following measures to ensure the safety of personal information in accordance with Article 29 of the Personal Information Protection Act and the "Standards for Ensuring Safety of Personal Information" (Notice No. 2020-2): 1. Administrative Measures - Establishment and implementation of internal management plan - Minimization and training of personal information handling staff - Regular self-audits - Designation and operation of person responsible for personal information protection - Raising awareness of personal information handlers and disseminating compliance matters 2. Technical Measures - Access rights management for personal information processing systems: Access control to personal information by granting, changing, and revoking access rights to database systems that process personal information - Installation of access control systems: Installation and operation of firewalls to control unauthorized access from outside - Encryption of personal information: Passwords are encrypted and stored, and important data encrypts file and transmission data or uses file lock function - Technical measures against hacking: Installation of security programs and regular updates and checks to prevent leakage and damage of personal information by hacking or computer viruses - Access restriction to personal information: Necessary measures for access control to personal information by granting, changing, and revoking access rights to database systems that process personal information - Retention and forgery prevention of access records: Access records to personal information processing systems are retained and managed for at least 1 year, and security functions are used to prevent forgery, theft, and loss of access records 3. Physical Measures - Access control to computer rooms and data storage rooms - Documents and auxiliary storage media containing personal information are stored in safe places with locking devices - Entry control for unauthorized persons 4. Response to Personal Information Leakage Incidents - Immediate notification to data subjects when personal information leakage incident occurs - Report to Korea Internet & Security Agency (KISA) Personal Information Infringement Report Center - Emergency measures to minimize damage

1. The Company has designated a person responsible for personal information protection as follows to oversee the work related to personal information processing and to handle complaints and remedy damages related to personal information processing. ▶ Person Responsible for Personal Information Protection - Name: Personal Information Protection Officer - Contact: Available through customer center within the service - Email: [email protected] ▶ Personal Information Protection Department - Department name: Personal Information Protection Team - Contact: Customer center within the service 2. Data subjects can inquire to the person responsible for personal information protection and the department regarding all matters related to personal information protection, complaint handling, damage remedy, etc. that occurred while using the Company's services. The Company will respond and handle inquiries from data subjects without delay. 3. If you need to report or consult on other personal information infringement, please contact the following organizations: - Personal Information Infringement Report Center (operated by Korea Internet & Security Agency) · Phone: 118 (without area code) · Website: privacy.kisa.or.kr - Personal Information Dispute Mediation Committee · Phone: 1833-6972 (without area code) · Website: www.kopico.go.kr - Supreme Prosecutors' Office Cyber Crime Investigation Unit · Phone: 02-3480-3573 · Website: www.spo.go.kr - National Police Agency Cyber Safety Bureau · Phone: 182 (without area code) · Website: cyberbureau.police.go.kr

Data subjects can make a request for viewing personal information according to Article 35 of the Personal Information Protection Act to the following department. The Company will strive to process requests for viewing personal information from data subjects promptly. ▶ Department for Receiving and Processing Personal Information Viewing Requests - Department name: Personal Information Protection Team - Contact: Customer center within the service Data subjects can also make a request for viewing personal information through the Ministry of the Interior and Safety's 'Personal Information Protection Comprehensive Support Portal' website (www.privacy.go.kr) in addition to the above department. ▶ Ministry of the Interior and Safety Personal Information Protection Comprehensive Support Portal → Personal Information Complaints → Request for Viewing Personal Information, etc. When requesting viewing, please include the following: 1. Name and contact information of data subject 2. Content of personal information requested for viewing 3. Application purpose

Data subjects can apply for dispute resolution or consultation to the Personal Information Dispute Mediation Committee, Korea Internet & Security Agency Personal Information Infringement Report Center, etc. to receive remedy for personal information infringement. For other reports and consultations on personal information infringement, please contact the following organizations: 1. Personal Information Infringement Report Center (operated by Korea Internet & Security Agency) - Jurisdiction: Report personal information infringement facts, apply for consultation - Website: privacy.kisa.or.kr - Phone: 118 (without area code) - Address: 3F Personal Information Infringement Report Center, 9 Jinheung-gil, Naju-si, Jeollanam-do (58324) 2. Personal Information Dispute Mediation Committee - Jurisdiction: Application for personal information dispute mediation, collective dispute mediation (civil resolution) - Website: www.kopico.go.kr - Phone: 1833-6972 (without area code) - Address: 4F, Government Complex-Seoul, 209 Sejong-daero, Jongno-gu, Seoul (03171) 3. Supreme Prosecutors' Office Cyber Crime Investigation Unit - Phone: 02-3480-3573 - Website: www.spo.go.kr 4. National Police Agency Cyber Safety Bureau - Phone: 182 (without area code) - Website: cyberbureau.police.go.kr In addition, persons whose rights or interests have been infringed by actions or omissions made by the head of a public institution in response to requests from data subjects for viewing, correction, deletion, or suspension of processing of personal information may file an administrative appeal in accordance with the Administrative Appeals Act. ▶ Central Administrative Appeals Commission - Phone: 110 - Website: www.simpan.go.kr

1. What are Cookies? The Company uses 'cookies' that store and retrieve user information from time to time to provide personalized and customized services. A cookie is a very small text file sent by the server used to operate a website to the user's browser and is stored on the user's computer hard disk. 2. Purpose of Using Cookies - Auto-login function - Language setting storage - Analysis of service usage records, visit records, access frequency, etc. to understand users' tastes and areas of interest for service improvement - Shopping cart function - Providing customized advertisements 3. Installation, Operation, and Refusal of Cookies - Users have the right to choose cookie installation. - You can refuse to store cookies through settings in Tools > Internet Options > Privacy menu at the top of your web browser. - For mobile, you can set through Settings > Privacy > Limit Ad Tracking. 4. Refusing to store cookies may cause difficulties in using customized services. 5. Use of Similar Technologies - Local storage: Store app settings and user preferences - Session storage: Store temporary data (deleted when browser closes)

The Company collects and uses behavioral information for online customized advertising as follows. 1. Behavioral Information Collected - App/web visit history, search history - Advertising click and interaction records - Interest and preference information 2. Behavioral Information Collection Methods - Automatic collection through Google AdMob SDK - Use of cookies and similar technologies 3. Purpose of Behavioral Information Collection - Providing personalized advertisements - Measuring advertising effectiveness 4. Behavioral Information Retention and Use Period - 1 year from the date of collection 5. How to Refuse Behavioral Information Collection - App Settings > Privacy > Disable Personalized Ads - Reset advertising ID or limit tracking in device settings - iOS: Settings > Privacy > Tracking > Disable "Allow Apps to Request to Track" - Android: Settings > Google > Ads > "Reset advertising ID" or "Opt out of Ads Personalization" 6. Consequences of Refusing Behavioral Information Collection - General advertisements will be displayed instead of personalized advertisements. - There will be no restrictions on service use.

The Company may transfer users' personal information abroad, and in this case, discloses the following matters in accordance with Article 39-13 of the Personal Information Protection Act. 1. Items of Personal Information Transferred - Email address, nickname, service usage records 2. Country to Which Personal Information is Transferred, Transfer Date and Method - Transfer country: United States (Firebase service use) - Transfer date: At the time of member registration and service use - Transfer method: Transmission through network (encryption applied) 3. Name of the Recipient of Personal Information (in case of corporation, its name and contact information of information management officer) - Recipient: Google LLC (Firebase) - Information management officer: Firebase Support - Contact: https://firebase.google.com/support 4. Purpose of Use and Retention Period of Personal Information by the Recipient - Purpose of use: Member authentication, database management - Retention period: Until membership withdrawal 5. Rights of Users Regarding Personal Information Transfer - Users can withdraw consent for personal information transfer or request deletion of personal information at any time. - Service use may be restricted when withdrawing consent or requesting deletion.

The Company may process pseudonymized information without the consent of data subjects for statistical compilation, scientific research, public record preservation, etc. 1. Purpose of Processing Pseudonymized Information - Service usage statistical analysis - Research for new service development - Service quality improvement 2. Items of Pseudonymized Information Processed - Age group, gender, service usage records, access logs 3. Retention and Use Period of Pseudonymized Information - 3 years after collection or until achievement of processing purpose 4. Safety Measures When Processing Pseudonymized Information - Separate storage of pseudonymized information and original information - Access rights restriction - Technical measures to prevent re-identification

The Company conducts a Personal Information Impact Assessment in the following cases and submits the results to the Personal Information Protection Commission: 1. Construction and operation of personal information files involving processing of sensitive information or unique identification information for 50,000 or more data subjects 2. Construction and operation of personal information files for 1 million or more data subjects 3. When changing the operation system of personal information files such as personal information search system after receiving a Personal Information Impact Assessment The results of the Personal Information Impact Assessment will be disclosed on the Company's website.

1. The Company takes the following measures to protect the personal information of children under 14 years of age: - Restricts membership registration of children under 14 years of age. - Verifies age through date of birth input during membership registration. - Membership registration is not possible if confirmed to be under 14 years of age. 2. If it is confirmed that personal information of a child under 14 years of age has been collected, the Company immediately deletes the information. 3. For children under 14 years of age to use the service, the consent of a legal representative is required, and in this case, the personal information and consent form of the legal representative are separately collected.

1. This Privacy Policy is effective from January 1, 2025. 2. Previous Privacy Policies can be found below. - Not applicable (first enactment) 3. If there are additions, deletions, or modifications according to changes in laws, policies, or security technologies, the changed Privacy Policy will be announced through notices within the service at least 7 days before the implementation of the changed Privacy Policy. 4. However, for important changes in user rights such as collection and use of personal information, provision to third parties, etc., it will be announced at least 30 days in advance, and user consent may be obtained again if necessary. 5. The changed Privacy Policy takes effect from the effective date.