Introduction

Enhans Co., Ltd. (hereinafter referred to as "the Company") establishes and discloses this privacy policy to protect the personal data of users who use the services of Enhans (hereinafter referred to as "the Service") in accordance with relevant laws and to promptly and smoothly handle related complaints.

‍

Purpose of Processing Personal Data

The Company processes personal data for the following purposes:

• Membership registration and management: Confirmation of membership registration intention, identity authentication, age verification, maintenance and management of membership qualifications, prevention of fraudulent use of services, various notification
• Provision of goods or services: Delivery of goods, provision of basic/customized services, issuance of contract invoices, identity authentication, age verification, fee payment and settlement, debt collection
• Handling of complaints: Verification of user identity, confirmation of complaints, contact notification for fact-finding, notification of processing results
• Marketing and advertising utilization: Provision of customized advertisements, provision of event and advertising information, provision of participation opportunities
• Service improvement and development: Improvement of existing services and development of new services, development of customized services
• Utilization of pseudonymous information: Pseudonym processing and utilization of pseudonymous information for statistical analysis, scientific research, and public record preservation, etc.

‍

Types of Personal Data to be Processed

The Company collects and processes the following personal data of service users:

• Basic collection types at the time of membership registration: Email address, password, name, phone number
• Information collected when using paid services:
  • When paying by credit card: Credit card information such as card issuer and card number
  • When paying by bank transfer: Bank account information such as account holder's name, account number, and bank holding the account
  • When paying by mobile phone number: Payment information such as mobile phone number and telecommunication company
• Personal data automatically collected during the service usage process: IP address, cookies, service usage records (visit and usage records, records of improper use, etc.), device information (mobile phone model name, OS name and version information), advertising identifier
• When handling complaints: Necessary types among the above information from users and separate types necessary for handling complaints

‍

Period of Processing and Retention of Personal data

The Company deletes and destroys the collected information of users without delay when users withdraw from the service or lose their eligibility, even without a separate request. However, the Company retains the following information for the reasons stated below, even in the case of withdrawal of membership or loss of user eligibility:

• Until the end of investigations such as investigations due to violation of related laws
• Until settlement of outstanding debts or liabilities remaining from app usage
• For the prevention of fraudulent re-registration and service misuse, service misuse records are retained for one year after cancellation according to the terms of service

Despite the preceding paragraph, the Company retains the following information until the end of the respective periods for the reasons below:

• Personal data related to service use (log records): Retained for 3 months according to the "Act on the Protection of Communications Secrets"
• Records related to contracts or withdrawal of subscriptions, payment of fees, and supply of goods: Retained for 5 years according to the "Act on Consumer Protection in Electronic Commerce"
• Records of consumer complaints or dispute resolution: Retained for 3 years according to the "Act on Consumer Protection in Electronic Commerce"
• Records of displayed advertisements: Retained for 6 months according to the "Act on Consumer Protection in Electronic Commerce"
• Ledger and documentary evidence related to all transactions regulated by tax laws: Retained for 5 years according to the "National Tax Basic Act"

The Company separately stores or deletes the personal data of users who have not used the service for 1 year or for a period specified by the user.

‍

Provision of Personal data to Third Parties

The Company provides personal data to third parties only when the user has consented or when there are special provisions in the Personal data Protection Act or other laws.

‍

Outsourcing of Personal data Processing

The Company entrusts the following personal data processing tasks for smooth operation:

• Outsourced party (delegatee) & Details of entrusted tasks Amazon Web Services, Inc. Operation and management of cloud servers

The Company also outsources personal data processing tasks to third parties overseas as follows:

• Amazon Web Services, Inc.
  • Personal data types transferred: ID, password, email address
  • Country of transfer: United States
  • Date and method of transfer: From August 1, 2022, transferred via information network as needed
  • Contact information of recipient: aws-korea-privacy@amazon.com
  • Purpose of recipient's use of personal data: Operation and management of cloud servers
  • Retention and use period of recipient: Matches the retention and use period stated in Article 3

‍

Use and Provision of Personal data within Reasonably Related Scope to Collection Purpose

The Company may use or provide personal data to third parties without the user's consent within a reasonable scope related to the original collection purpose, considering the following criteria:

• Relevance to the original collection purpose: Considering whether the original collection purpose and additional use/provision purposes are related in nature or tendency
• Predictability of additional use or provision of personal data based on circumstances of collection or processing practices: Considering the relationship between the additional use/provision purposes and the relationship between the data controller and the user, technological level and pace of development, and established general circumstances (practices) over a considerable period
• Whether it unfairly infringes on the interests of users: Considering whether the user's interests are substantially infringed in relation to the additional use purpose and whether such infringement is unfair
• Whether necessary measures for security such as pseudonymization or encryption have been taken: Considering whether security measures are taken to prevent possible infringements

‍

Rights, Duties, and Methods of Exercise of Users and Legal Representatives

Paragraph 1 : Users may exercise rights such as access, correction, deletion, and processing suspension of personal Personal Data **** with the Company at any time.

Exercise of rights under paragraph 1 may be done through written forms, electronic mail, etc., and the Company will promptly take action upon receiving such requests.

The exercise of rights under paragraph 1 may be done through a legal representative or an authorized agent. In this case, you must submit a power of attorney confirming the delegation to the representative.

The exercise of rights such as access, correction, deletion, and processing suspension of personal data may be restricted in accordance with laws such as the Personal data Protection Act.

Requests for correction and deletion of personal data cannot be made if the personal data is specified as the subject of collection by other laws.

The Company confirms whether the requester for access, correction, deletion, or processing suspension is the individual or a legitimate representative.

‍

Destruction of Personal data

The Company promptly destroys personal data when it becomes unnecessary due to the expiration of the retention period of personal data or the achievement of the processing purpose.

If personal data must be retained continuously according to the laws specified in Article 3(2) despite the expiration of the consented retention period or the achievement of the processing purpose, the Company transfers the relevant personal data to a separate database (DB) or stores it in a different location.

The procedure and method of personal data destruction are as follows:

• Destruction procedure: The Company selects personal data for destruction when the reason for destruction occurs and destroys the personal data with the approval of the Company's personal data protection manager.
• Destruction method: The Company uses technical methods to ensure that electronically recorded personal data cannot be regenerated, and personal data recorded on paper is shredded or incinerated for destruction.

The Company converts the accounts of users who have not used the service for one year or for a period agreed upon by the user into dormant accounts and stores personal data separately. The separately stored personal data is destroyed after four years.

If you do not wish to convert to a dormant account, you can log in to the service before the account conversion. Additionally, even if your account has been converted to a dormant account, if you log in, you can restore the dormant account and use the service normally.

‍

Security Measures for Personal data

The company takes the following measures to ensure the security of personal data:

• Administrative Measures: Establishment and implementation of internal management plans, regular employee education, etc.
• Technical Measures: Technical measures to prepare for hacking, encryption of personal data, management of access rights to personal data processing systems, storage of access records, and prevention of tampering, etc.
• Physical Measures: Access control to server rooms, data storage rooms, etc.

‍

Tracking Cookies Data

The company uses 'cookies' to provide individualized custom services to users. Cookies are small pieces of information sent by a server operating a website to a user's computer browser and may be stored on the user's PC's hard disk.

• Purpose of using cookies: Analysis of user access frequency or visit times, tracking of user service usage patterns and traces, checking of security access status, management of security, service improvement, development of new services, provision of customized services and advertisements, etc.
• Installation, operation, and rejection of cookies: Service users have the right to choose whether to install cookies. Therefore, users can refuse to store cookies by changing the settings in the options of their web browser.
• If you refuse to store cookies, you may experience difficulty in using some services.

‍

Personal Data Protection Manager

The company is responsible for overall personal data processing and has designated a personal data protection manager for handling user complaints, damage relief, etc. related to personal data processing as follows:

Privacy Protection Manager:

• Name: Lee Seung-hyun
• Position: CEO
• Contact: 070-8676-0180, info@enhans.ai

Users can inquire about all matters related to personal data protection, complaints, damage relief, etc. while using the company's service (or business) to the personal data protection manager below:

• Name: Lee Seung-hyun
• Contact: 070-8676-0180, info@enhans.ai

‍

Changes to the Privacy Policy

The company may modify the privacy policy for purposes such as reflecting changes in laws or services. If the privacy policy is changed, the company will announce the changes at least 7 days before the effective date of the changes, and the changed privacy policy will take effect on the specified effective date. However, if there is a significant change in user rights, such as changes in the types of personal data collected or purposes of use, the company will notify users at least 30 days in advance.