Privacy Policy (DPA included)

RAD Lab Co., Ltd. (hereinafter referred to as "the Company") complies with relevant Korean laws and regulations on personal information protection as an information and communication service provider, actively safeguarding the rights of clients, members, and customers concerning their personal data, including the right to self-determination of personal information.

This Privacy Policy applies to the Bleepy service (hereinafter referred to as "the Service") provided by the Company.

Clients and members (hereinafter referred to as "Users"), who are the actual data subjects using the Company's services, are deemed to have consented to the Company's collection, use, and provision of personal information pursuant to this Privacy Policy by clicking the "Sign Up" button during registration or the "Agree" button in other relevant circumstances after reviewing this policy.

---

1. Definitions

1. "Client" means an individual or corporate entity that enters into a service use agreement pursuant to these terms and uses the services provided by the Company.

2. "Member" refers to an individual authorized by a business entity, such as an employee or agent, who directly uses the platform to perform work such as communicating with customers on behalf of the business. Actions taken by a manager under these terms legally bind the business entity.

3. "Customer" refers to the users who utilize the Client’s services.

2. Collected Information

• Purpose of Collection

The Company collects the minimum personal information necessary to provide the Service, and may collect members’ personal data for marketing information provision based on the member’s consent. Separate consent will be obtained for any other purposes.

• Items of Personal Information Collected

1. Upon Client’s ‘Registration’

Category	Collected Personal Information	Purpose of Collection
Mandatory	Name of person in charge, Mobile phone number of person in charge, Email address of person in charge, Password of person in charge	Creation and management of company account, provision and improvement of the Service, communication and support for members and their affiliated clients

1. Upon Client’s ‘Business Verification’

Category	Collected Personal Information	Purpose of Collection
Mandatory	Personal or corporate business registration certificate, Business trade name, Representative phone number	Verification of eligibility for service subscription

Refusal to consent to the collection and use of mandatory information may result in limitations on applying for business verification and use of the Service.

1. Upon Member’s ‘Registration’

Category	Collected Personal Information	Purpose of Collection
Mandatory	Name, Email address, Password, Mobile phone number	Creation and management of company account, provision and improvement of the Service, communication and support for members and their affiliated clients

Refusal to consent to the collection and use of mandatory information may limit the application and use of the Service.

1. Information Collected During Service Use

Category	Collected Information	Purpose of Collection
Mandatory	Visit records (IP address, access time), Game records (score, level, gift/reward issuance info), Cookies, Browser type and device information (model, OS, device name)	Service improvement
Optional	Card name, Card number, Card expiry date	Registration and modification of automatic payment card for service usage fees

Information collected as above may be considered personal information if linked to identifiable data; otherwise, it is not regarded as personal information.

3. Installation and Operation of Cookies for Web-Based Service Provision

What are Cookies?

Cookies are small text files sent by a website to a user’s browser and stored on the user’s device when the user accesses the website.

Purpose of Use

Cookies are used to store and frequently retrieve user information in order to provide personalized and customized services. When a user revisits the website, the server reads the cookies stored on the user’s device to maintain the user’s preferences and provide customized services. Cookies help users access the website as configured and use it conveniently. Additionally, cookies are used to provide optimized advertisements and other personalized information based on the user’s website visit history and usage patterns.

Refusal of Cookie Collection

Users have the option to refuse the installation of cookies. Users can manage cookie acceptance or refusal through their web browser settings, typically found at ‘Settings > Privacy & Security > Cookies and other site data’. However, refusing cookies may cause inconvenience in web usage and restrict access to some services requiring login.

The Company does not disclose cookie information to third parties without valid legal procedures.

Methods of Collection

Cookies and personal information are collected by: (1) direct input from users during registration or service use via the website, and (2) receiving personal information from third parties who have already obtained the user’s consent for processing personal data.

Please note that this Privacy Policy does not apply to personal information collected by third parties who have obtained user consent independently and provided the data to the Company.

Customized Advertising

To deliver customized advertisements to customers, the Company collects and uses cookies from web browsers. The Company automatically collects customer service usage history via cookies and provides this information to [*]. [*] uses it to serve personalized advertisements to customers. Cookies collected by the Company are not linked to other personal information and do not identify individuals. Users may opt out of receiving such personalized advertisements at any time, in which case generic advertisements will be displayed instead.

4. Use of Collected Personal Information

The Company collects and uses personal information for service provision and improvement, development of new services, and provision of marketing information.

• Methods of Use

Personal Information	Use
Email address, Mobile phone number	User authentication, service provision, notification delivery, confirmation of user intent, complaint handling, communication channels, updates on new services or events

• Retention Period

The Company retains users’ personal information throughout the period of service use and utilizes it to provide convenient services.

However, if the user requests modification or deletion of personal information, the Company will delete the information according to its policies, rendering it inaccessible or unusable thereafter.

• Use of Pseudonymized Data

The Company may pseudonymize collected personal information to prevent identification of specific individuals and use such pseudonymized data for statistics, scientific research, and public record preservation. Pseudonymized data is managed separately from additional information that could enable re-identification, with appropriate technical and administrative safeguards in place.

• Processing of Personal Information of Children Under 14

The Company does not permit the registration of children under the age of 14 without the consent of a legal guardian.

5. Provision of Personal Information

The Company does not provide users’ personal information to external parties without prior consent. However, the Company may disclose personal information to third parties without user consent in the following cases as permitted by applicable laws:

1. When requested by investigative agencies or other government bodies through lawful procedures.

2. When required by other laws or regulations.

6. Retention Period and Destruction of Personal Information

The Company generally processes personal information in accordance with the prescribed retention and usage periods. However, the following information is retained for the periods specified below based on internal policies or legal requirements:

Retention Periods Based on Company Internal Policies

Item to be Retained	Retention Period
Information provided during service inquiry	1 year from the inquiry date
Membership registration information in the admin page	Until service withdrawal or withdrawal of consent to personal information collection and use
Information collected during service usage	Until service withdrawal or deletion request

Retention Periods Based on Applicable Laws

Item to be Retained	Governing Law	Retention Period
Records relating to contracts or withdrawal of subscription	Act on Consumer Protection in Electronic Commerce, etc.	5 years
Records relating to payment and supply of goods or services	Act on Consumer Protection in Electronic Commerce, etc.	5 years
Records of user complaints or dispute resolution	Act on Consumer Protection in Electronic Commerce, etc.	3 years
Accounting books and supporting documents related to all transactions as stipulated by tax law	Framework Act on National Taxes	5 years
Records of electronic financial transactions	Electronic Financial Transactions Act	5 years
Location information handling ledger	Act on the Protection and Use of Location Information	6 months
Service visit records	Communications Privacy Protection Act	3 months

The Company destroys users’ personal information without delay once the purpose of collection and use is achieved (meaning withdrawal requests, service contract expiration, or withdrawal). However, if internal policies or relevant laws require retention, personal information is stored separately and destroyed after the specified retention period. Personal information moved to separate databases is not used beyond the originally consented purposes, except where required by law.

Personal information printed on paper is destroyed by shredding or incineration, and electronic records are deleted using technical methods that make recovery impossible.

Personal information of long-term inactive users (no usage for one year after last service use) is separately managed securely, and such users will be notified via email at least 30 days before data retention processing. If retention is legally required, information will be kept for the legally stipulated period.

The Company faithfully complies with personal information retention regulations under the Act on Promotion of Information and Communications Network Utilization and Information Protection, the Electronic Financial Transactions Act, and other relevant laws.

7. Entrustment of Personal Information Processing and International Transfer

For improving management efficiency and service quality, the Company entrusts some business tasks to external specialized companies or third parties, permitting them to collect, store, process, use, provide, manage, and destroy users’ personal information and customer data as necessary. Details of entrusted parties and tasks are as follows:

Entrusted Company	Entrusted Task	Retention and Use Period
Channel Corporation Co., Ltd.	Channel Talk service	Until member withdrawal, service termination, or end of contract
NHN KCP Co., Ltd.	Payment agency	Until member withdrawal, service termination, or end of contract
AWS (Seoul Region)	Server operation for service provision	Until member withdrawal, service termination, or end of contract

If users do not use services related to entrusted companies, their personal information will not be provided to those companies.

The Company sets regulations and supervises entrusted parties to ensure safe processing of personal information in accordance with the Personal Information Protection Act.

If additional entrustment to third parties is necessary, the Company will amend this Privacy Policy and notify users as required by law.

The Company does not provide personal information to foreign business operators. However, for contract fulfillment and user convenience in information communication services, the Company entrusts personal information processing overseas as follows. If the related service is not used, users’ personal information will not be transferred.

Entrusted Company	Data Protection Officer & Contact	Purpose of Transfer	Transferred Personal Data	Destination Country	Date and Method of Transfer	Retention and Use Period
Google (Google Analytics)	googlekrsupport@google.com	Usage analysis	Cookie information	United States	Transferred via network upon each service use	Until member withdrawal, service termination, or end of contract

8. Rights and Obligations of Data Subjects and Legal Representatives, and How to Exercise Them

Data subjects may exercise their rights to access, correct, delete, or suspend processing of their personal information at any time by contacting the Company via email or other communication channels. The Company will promptly take necessary measures upon receiving such requests. However, if other laws require retention of specific personal information, deletion requests may not be granted.

These rights can also be exercised by a legal representative or a delegated agent by submitting a power of attorney as prescribed in the “Notification on Methods of Processing Personal Information (No. 2020-7), Annex 11.”

Data subjects are responsible for protecting their personal information. The Company is not liable for damages caused by loss, transfer, lending, or careless handling of email addresses, passwords, access devices, or by hacking or other methods beyond the Company’s reasonable control despite security efforts. Data subjects must keep their information accurate and updated; responsibility for problems arising from inaccurate information lies with the user. Use of another person’s personal information or stolen email addresses for registration or payment processing may result in membership loss and legal penalties.

9. Technical and Administrative Measures to Protect Personal Information

The Company endeavors to prevent leakage or damage of users’ personal information caused by hacking, viruses, or other malicious attacks.

The Company regularly backs up data, uses up-to-date antivirus programs to protect user information, and secures network transmission through encryption. It controls unauthorized external access via intrusion prevention systems and employs all possible technical measures to ensure security.

Only authorized employees handle personal information, who are assigned separate passwords regularly updated and receive ongoing training to comply with the Company’s privacy policies.

However, the Company is not responsible for personal information leaks caused by user negligence. Users are advised to take care in protecting their personal data.

10. Miscellaneous

Remedies for Infringement of Data Subject Rights

The Company collects and addresses user opinions and complaints regarding privacy protection. Users may report grievances to the Company’s personal information officer or designated department, and the Company will respond promptly and adequately. Additionally, users can seek resolution through government agencies operating independently, including:

1. Personal Information Dispute Mediation Committee: 1833-6972 (no area code) — www.kopico.go.kr

2. Personal Information Infringement Report Center: 118 (no area code) — privacy.kisa.or.kr

3. Supreme Prosecutors’ Office: 1301 (no area code) — www.spo.go.kr

4. Police Agency: 182 (no area code) — ecrm.cyber.go.kr/minwon/main

Personal Information Protection Officer

The Company is committed to securely managing users’ valuable information. In case of incidents contrary to notified privacy terms, the designated personal information officer will take necessary follow-up measures. The Company has appointed the following officer responsible for privacy management and complaint handling:

Role	Personal Information Protection Officer
Name	Sunho Han
Contact	hello@radlab.kr

If changes to laws, policies, or security technologies require amendments to this Privacy Policy, the Company will notify users at least 7 days prior to enforcement through the service.

11. Country-specific Provisions

11-1. [GDPR Addendum] For Users in the European Union (EU) / European Economic Area (EEA)

This clause applies to clients and customers residing in the European Union (EU) or the European Economic Area (EEA). The Company provides the following additional rights and information in compliance with the GDPR (General Data Protection Regulation):

1. Legal Basis for Personal Data Processing

The Company processes personal data based on the following legal grounds:

• Consent of the data subject

• Performance of a contract

• Compliance with a legal obligation

• Protection of vital interests of the data subject or another person

• Legitimate interests of the Company (e.g., service improvement, security)

1. Cross-border Data Transfers

The Company may transfer personal data to countries outside the EU (such as South Korea, the United States, etc.) for service operation purposes. In such cases, the Company ensures appropriate safeguards, such as Standard Contractual Clauses (SCC) pursuant to Article 46 of the GDPR, to securely process the data.

1. Rights of Data Subjects

Data subjects have the right to:

• Access, rectify, erase, restrict processing, object to processing, and request data portability of their personal data

• Withdraw consent at any time without affecting processing before withdrawal

1. Contact for GDPR-related Requests

Requests to exercise GDPR rights can be made via email to hello@radlab.kr.

11-2. [CCPA/CPRA Addendum] For Users in the State of California, USA

This clause applies to clients and customers residing in California, USA. The Company complies with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

1. Purpose of Collection and Processing

• Providing services, customer support, and personalized content

• The types of personal data collected are detailed in Article 2 of the Privacy Policy.

1. Consumer Rights

California residents have the following rights:

• Right to know what personal information is collected

• Right to request deletion of personal information

• Right to opt-out of the sale of personal information ("Do Not Sell My Personal Information")

• Right to protection against discrimination for exercising privacy rights

1. Sale of Personal Information

The Company does not sell clients’ or customers’ personal information. If any activity meets the CCPA definition of a ‘sale,’ prior notice and consent will be obtained.

1. How to Exercise Rights

• Email: hello@radlab.kr

• Identity verification procedures may be required upon request.

11-3. [Other Country-specific Provisions] For Users Outside Korea

The Company also respects and complies with applicable privacy laws in other countries (e.g., Singapore PDPA, Japan APPI) for users in those jurisdictions. Data subjects may request the following measures according to their country’s law:

1. Key Rights (may vary by country)

• Access, correction, deletion, restriction of processing

• Withdrawal of consent

1. Cross-border Transfer Notice

Personal data may be transferred abroad via cloud services (e.g., AWS, Google Analytics), and the Company complies with protective measures required by each country.

1. Contact and Requests

• Email: hello@radlab.kr

• Official requests may require country-specific forms.

12. Supplementary Provisions; Changes to the Privacy Policy

This Privacy Policy shall take effect from March 1, 2024. Previous versions of the Privacy Policy can be reviewed below.

---

Data Processing Agreement (DPA)

This Data Processing Agreement (“Agreement”) is entered into by and between:

• Processor: RADLab Co., Ltd.

• Controller: Shopline Client

Article 1 (Purpose)

This Agreement sets forth the terms and conditions to ensure that the Processor processes personal data on behalf of the Controller in compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and other relevant privacy laws.

Article 2 (Purpose and Scope of Processing)

• Purpose of Processing:

  • Providing marketing and service functions offered by the Controller to its customers

  • Automation and integration of Shopline store operations

• Data Items Processed:

  • Customer identifiers (IDs), service usage logs

  • Shopline Store Information:

    • Store name, store ID, store domain, product listings, product categories, order history, customer information, etc.

    • All store data integrated via Controller’s API or system configuration

• Scope of Processing:

  • Collection, storage, analysis, integration, deletion, API utilization, reporting, and additional processing as requested by the Controller

  • Prohibition of use beyond the specified purposes and no modification without prior approval

Article 3 (Security Measures and Confidentiality Obligations)

• The Processor shall implement appropriate technical and organizational measures pursuant to Article 32 of the GDPR, including but not limited to:

  • Data encryption, access control, integrity verification, access logging and monitoring, data backups

• All personnel with access to personal data are bound by written confidentiality obligations.

• In case of any personal data breach, the Processor shall notify the Controller without undue delay and cooperate with appropriate remedial actions within 72 hours.

---

Article 4 (Sub-processors)

• The Processor shall notify the Controller in advance and obtain written or general approval before engaging any sub-processor (e.g., Google, AWS).

• The Processor shall require sub-processors to enter into contracts imposing data protection obligations equivalent to those under Article 28 of the GDPR.

---

Article 5 (Cross-border Data Transfers)

• Where personal data is transferred outside the EU, the Processor shall ensure appropriate safeguards such as Standard Contractual Clauses (SCC) under Article 46 of the GDPR or other adequate protections.

Article 6 (Assistance with Data Subject Rights)

• The Processor shall promptly assist the Controller in responding to data subject requests for access, rectification, erasure, restriction, and data portability.

• The Processor shall cooperate with Data Protection Impact Assessments (DPIAs) and consultations with supervisory authorities pursuant to Article 35 of the GDPR.

Article 7 (Post-termination Actions)

• Upon termination of this Agreement or at the Controller’s request, the Processor shall delete or return all personal data without undue delay.

• The Processor shall document and report the completion of deletion or return to the Controller.

Article 8 (Audit and Information Provision)

• The Controller has the right to audit the Processor’s data processing activities regularly or as needed, and the Processor shall cooperate as required by law.

• Upon request, the Processor shall provide all records and documentation related to personal data processing to the Controller or supervisory authorities.

Article 9 (Indemnification and Liability)

• The Processor shall indemnify and hold the Controller harmless for damages arising from the Processor’s willful misconduct or gross negligence resulting in personal data breaches or other harm, in accordance with applicable laws.

Article 10 (Breach Notification and Prohibition of Modification)

• The Processor shall notify the Controller immediately upon becoming aware of any GDPR violation.

• The Processor shall not modify the purpose or means of processing without prior written consent from the Controller.

Article 11 (Record Keeping)

• The Processor shall maintain written records of all personal data processing activities pursuant to Articles 28 and 30 of the GDPR and make such records available upon request.

Article 12 (CCPA/CPRA Obligations)

The Processor shall comply with the following obligations under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

1. Prohibit retention, use, or disclosure of personal information beyond the purposes defined in this Agreement.

2. Acknowledge that ownership and control of the data reside with the Controller.

3. Act on consumer rights requests only upon Controller’s instruction.

---

Supplementary Provisions

This Agreement is executed together with the Controller’s service usage agreement and shall become effective upon electronic signature or consent by both parties.