Article 1 (Purpose)

UNIPORT ('the Company') establishes this Privacy Policy ('this Policy') to protect the privacy of individuals ('Users' or 'Individuals') who use the services provided by the Company ('the Company Service'). This is in compliance with the Personal Information Protection Act, the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. ('Information Communications Network Act'), and other relevant legislation, aiming to swiftly and efficiently address concerns related to the protection of personal information of service users.

Article 2 (Principles of Personal Information Processing)

In accordance with relevant laws and this Policy, the Company may collect personal information from users. Collected personal information may be provided to third parties with the individual's consent. However, in cases enforced by legal regulations, the Company may provide collected personal information to third parties without prior consent of the individual.

Article 3 (Disclosure of this Policy)

1. The Company discloses this Policy to ensure that users can easily access it at any time via the company's homepage or a linked screen from the homepage.
2. In disclosing this Policy as stated in clause 1, the Company employs user-friendly means such as font size and color to facilitate easy verification by users.

Article 4 (Amendment of this Policy)

1. This Policy may be amended due to changes in laws, regulations, guidelines, notifications, or changes in government or company service policies.
2. When amending this Policy as stated in clause 1, the Company notifies users by one or more of the following methods:
   • Posting on the notice section of the homepage of the internet website operated by the Company or through a separate window
   • Notifying users through written documents, fax, email, or similar methods
3. The announcement of amendments as mentioned in clause 2 will be made at least 7 days prior to the effective date of the amendment. However, in cases of significant changes affecting user rights, the announcement will be made at least 30 days in advance.

Article 5 (Information for Membership Registration)

The Company collects the following information for user registration to the Company Service:

• Required information: Email address and password

Article 6 (Information for Identity Verification)

The Company collects the following information for user identity verification:

• Required information: Email address, name, date of birth, gender, identity verification values (CI, DI), and nationality (domestic/foreign)
• Optional information: Passport image information, including country of birth
• Additional information: The Company may also collect facial data through face recognition technology for identity verification purposes. The collected facial data is securely stored and processed solely for identity verification and fraud prevention.

Article 7 (Information for Payment Services)

The Company collects the following information to provide payment services to users:

• Required information: Card number, card password, expiration date, first six digits of birthdate (yy/mm/dd), bank name, and account number

Article 8 (Information for Issuing Cash Receipts)

The Company collects the following information to issue cash receipts for users:

• Required information: Name of the cash receipt recipient, birthdate, address, mobile phone number, and cash receipt card number

Article 9 (Information for Providing Company Services)

The Company collects the following information to provide services to users:

• Required information: ID, email address, name, date of birth, and contact number
• Optional information:
  • For physical product delivery: Name, phone number, address
  • For mobile product delivery: Phone number
  • For withholding tax processing: Name, resident registration number, phone number, address, email address
  • For UNIPhone service usage: Domestic address, domestic mobile phone number, expected visit branch, expected branch visit time

Article 10 (Information for Service Use and Fraudulent Use Check)

The Company collects the following information for statistics, analysis of service use, and to confirm and analyze fraudulent use (Fraudulent use refers to acts such as re-registration after membership withdrawal, repeated purchase cancellations after buying products, and illegally receiving economic benefits such as discount coupons and event benefits provided by the Company, acts prohibited in terms and conditions, identity theft, etc.):

• Required information: Service usage records, cookies, access location information, and device information

Article 11 (Method of Collecting Personal Information)

The Company collects personal information of users in the following ways:

1. When users enter their personal information on the Company's website
2. Through services provided outside the Company's website, such as applications, where users enter their personal information
3. When users enter their personal information upon receiving emails sent by the Company
4. Through user input while utilizing the Company's services, such as during consultations at the customer center or activities on boards

Article 12 (Use of Personal Information)

The Company uses personal information, including face data, in the following cases:

1. Necessary cases for company operation, such as delivering announcements.
2. Cases for service improvement for users, such as replying to inquiries and handling complaints.
3. Cases for providing the Company's services, including identity verification using face data to enhance security and prevent fraud.
4. Cases for restricting the use of members who violate laws and Company terms, including measures against fraudulent use, acts that interfere with the smooth operation of services, and identity verification using face data.
5. Cases for new service development.
6. Cases for marketing, such as event and promotional notifications.
7. Cases for demographic analysis, analysis of service visits and usage records.
8. Cases for forming relationships between users based on personal information and interests.

Article 13 (Consent-Based Information Provision)

Despite the general prohibition on providing personal information to third parties, the Company may provide personal information to third parties if the user discloses it in advance or consents to the provision. However, even in this case, the Company shall provide the minimum necessary personal information within the scope of relevant laws and regulations.

• For the provision of domestic communication services through an agency when using the Service, including information collected for membership and use of the Service, to Woori Telecommunications (Force One Information & Communication)
• Provide information collected for membership registration and use of the Service to Gwanghwamun, an administrative agency corporation, for the provision of visa services through an agency when using the Service.

The Company will notify and obtain consent from the user in the same manner when there is a change in the third-party provision relationship described in the preceding clause or when the third-party provision relationship is terminated.

Article 14 (Retention and Use Period of Personal Information)

The Company retains and uses personal information for the period necessary to achieve the purpose of collecting and using personal information. Notwithstanding the previous clause, the Company stores records of fraudulent use for up to one year after membership withdrawal to prevent fraudulent registration and use, according to internal policies.

Article 15 (Retention and Use Period of Personal Information According to Laws)

The Company retains and uses personal information as follows according to related laws:

• Information and retention period according to the Act on Consumer Protection in Electronic Commerce, etc.
  • Records on contracts or withdrawal of offers: 5 years
  • Records on payment and supply of goods: 5 years
  • Records on consumer complaints or dispute resolution: 3 years
  • Records on advertisement: 6 months
• Information and retention period according to the Protection of Communications Secrets Act
  • Log record data of website visitors: 3 months
• Information and retention period according to the Electronic Financial Transactions Act
  • Records on electronic financial transactions: 5 years
• Information and retention period according to the Act on the Protection and Use of Location Information
  • Records on personal location information: 6 months

Article 16 (Principle of Destruction of Personal Information)

The Company, in principle, immediately destroys the information when personal information is no longer needed, such as when the purpose of processing personal information is achieved or the retention and use period has elapsed.

Article 17 (Procedure for Destruction of Personal Information)

• Information entered by users for membership registration, etc., is transferred to a separate DB after the purpose of information processing is achieved (in the case of paper, to a separate document box) and is stored for a certain period according to internal policies and other related laws (see retention and use period) before being destroyed.
• The Company destroys personal information upon occurrence of a destruction cause through the approval procedure of the personal information protection officer.

Article 18 (Method of Destruction of Personal Information)

The Company deletes personal information stored in electronic file formats using a technical method that cannot reproduce the records, and personal information printed on paper is destroyed by shredding or incineration.

Article 19 (Measures for Sending Commercial Information)

The Company obtains explicit prior consent from users when sending commercial information for profit-making purposes using electronic transmission media. However, prior consent is not required in the following cases:

• When the Company has directly collected the contact information of the recipient through the transaction of goods, etc., and sends commercial information for profit-making purposes related to goods of the same kind within 6 months from the end of the transaction
• When a telemarketer conducts telephone solicitation sales according to the Door-to-Door Sales Act and notifies the recipient of the source of personal information collection verbally

The Company does not send commercial information for profit-making purposes if the recipient has expressed refusal of receipt or withdrawn prior consent, and notifies the treatment result of refusal of receipt and withdrawal of consent.

The Company obtains separate prior consent from the recipient for sending commercial information for profit-making purposes using electronic transmission media from 9 PM to the next day 8 AM, despite the first clause.

When sending commercial information for profit-making purposes using electronic transmission media, the Company explicitly states the following information in the commercial information:

• Company name and contact information
• Indication of matters regarding the expression of refusal of receipt or withdrawal of consent

The Company does not take any of the following measures when sending commercial information for profit-making purposes using electronic transmission media:

• Measures to evade or obstruct the recipient's refusal of receipt or withdrawal of consent
• Measures to automatically generate contact information such as phone numbers and email addresses by combining numbers, symbols, or characters
• Measures to automatically register phone numbers or email addresses for the purpose of sending commercial information for profit-making purposes
• Various measures to conceal the identity of the sender of commercial information or the source of advertisement transmission
• Various measures to deceive recipients and induce replies for the purpose of sending commercial information for profit-making purposes

Article 20 (Protection of Children's Personal Information)

The Company allows membership registration only for users aged 14 and over to protect the personal information of children under 14 years old.

Despite the previous clause, if a user is a child under 14 years old, the Company obtains consent for the collection, use, and provision of the child's personal information from the child's legal representative.

In the case of the previous clause, the Company additionally collects the legal representative's name, date of birth, gender, duplicate registration check information (ID), mobile phone number, etc.

Article 21 (Inquiry and Withdrawal of Consent for Personal Information Collection)

Users and legal representatives can inquire or modify their registered personal information at any time and request withdrawal of consent for personal information collection.

Users and legal representatives can withdraw their consent for the collection of their registration information by contacting the personal information protection officer or the person in charge by written document, phone, or email, and the Company will take immediate action.

Article 22 (Correction of Personal Information, etc.)

Users can request correction of errors in personal information to the Company through the method mentioned in the previous article.

Before completing the correction of personal information, the Company does not use or provide the personal information, and if the wrong personal information has already been provided to a third party, the Company will immediately notify the third party of the correction processing results to ensure the correction is made.

Article 23 (User's Obligation)

Users are responsible for keeping their personal information up to date and bear the responsibility for problems arising from inaccurate information entered by the user.

In the case of member registration using another person's personal information, the user may lose their membership or be punished according to relevant personal information protection laws.

Users are responsible for maintaining the security of email addresses, passwords, etc., and cannot transfer or lend them to third parties.

Article 24 (Company's Personal Information Management)

The Company takes necessary technical and managerial protective measures to ensure the safety of personal information to prevent loss, theft, leakage, alteration, or damage.

Article 25 (Treatment of Deleted Information)

The Company processes personal information that has been terminated or deleted at the request of the user or the legal representative according to the "Retention and Use Period of Personal Information" collected by the Company, and ensures that it is not viewed or used for any other purposes.

Article 26 (Encryption of Passwords)

User passwords are stored and managed after being encrypted one-way, and personal information confirmation or modification is only possible by the person who knows the password.

Article 27 (Measures Against Hacking, etc.)

The Company strives to prevent leakage or damage of users' personal information due to hacking or computer viruses.

The Company prevents leakage or damage of users' personal information or data using the latest antivirus programs.

The Company does its best to ensure security using intrusion prevention systems in case of an emergency.

The Company safely transmits personal information on the network through encrypted communication, etc., especially if sensitive personal information is collected and stored.

Article 28 (Minimization and Training of Personal Information Processing)

The Company limits the number of personal information handlers to a minimum and emphasizes compliance with laws, internal policies, etc., through educational and managerial measures for personal information handlers.

Article 29 (Protection of Personal Information Transferred Overseas)

The Company does not enter into international agreements that violate the Personal Information Protection Act and related regulations concerning personal information.

The Company obtains consent from users to provide, entrust processing, or store (hereinafter referred to as "transfer") users' personal information overseas, including viewing. However, if all the matters of each clause of Article 3 are disclosed according to the Personal Information Protection Act and related regulations or informed to users by email or a method prescribed by Presidential Decree, the consent process for personal information processing entrustment and storage may not be necessary.

When seeking consent according to the main text of Article 2, the Company notifies users in advance of all the following matters:

• Items of personal information being transferred
• Country, date and time, and method of transfer of personal information
• Name of the recipient of personal information (if a corporation, its name and contact information of the information management officer)
• Purpose of use and retention and use period of the recipient of personal information

When transferring personal information overseas with consent according to the main text of Article 2, the Company takes protective measures according to the Presidential Decree of the Personal Information Protection Act and related regulations.

Article 30 (Installation, Operation, and Rejection of Automatic Personal Information Collection Devices)

The Company uses cookies, which are automatic personal information collection devices, to store and retrieve usage information from time to time to provide individualized customized services to users. Cookies are small amounts of information sent by the server (http) used to operate the website to the user's web browser (including PCs and mobile devices) and may also be stored on the user's storage space.

Users have the option to install cookies. Therefore, users can allow all cookies by setting options in the web browser, verify each time cookies are saved, or refuse to store all cookies.

However, if you refuse to store cookies, there may be difficulties in using some services of the Company that require login.

Article 31 (Cookie Installation Allowance Setting Method)

You can set cookie allowance, cookie blocking, etc., through web browser option settings.

• Edge: Settings menu on the top right of the web browser > Cookies and site permissions > Manage and delete cookies and site data
• Chrome: Settings menu on the top right of the web browser > Privacy and security > Cookies and other site data
• Whale: Settings menu on the top right of the web browser > Privacy protection > Cookies and other site data

Article 32 (Designation of the Company's Personal Information Protection Officer)

The Company designates the related department and the personal information protection officer as follows to protect users' personal information and handle complaints related to personal information.

• Personal Information Protection Officer
  • Name: Hyeokchan Kang
  • Position: CTO
  • Phone number: 01098328991
  • Email: khc981212@gmail.com

Article 33 (Remedy for Rights Infringement)

The information subject can apply for dispute resolution or consultation regarding personal information infringement to the Personal Information Dispute Mediation Committee and the Korea Internet & Security Agency's Personal Information Infringement Report Center. For other reports and consultations on personal information infringement, please contact the following agencies:

• Personal Information Dispute Mediation Committee: 1833-6972 (without a country code) (www.kopico.go.kr)
• Personal Information Infringement Report Center: 118 (without a country code) (privacy.kisa.or.kr)
• Supreme Prosecutors' Office: 1301 (without a country code) (www.spo.go.kr)
• Police Agency: 182 (without a country code) (ecrm.cyber.go.kr)

The Company guarantees the information subject's right to self-determination of personal information and strives to provide consultation and remedy for damages caused by personal information infringement. If you need to report or consult, please contact the department responsible mentioned in the previous clause.

If a person has suffered damage to rights or interests due to a disposition or omission by the head of a public institution according to the provisions of Article 35 (Access to Personal Information), Article 36 (Correction·Deletion of Personal Information), and Article 37 (Suspension of Processing Personal Information, etc.) of the Personal Information Protection Act, the person may file for administrative adjudication according to the Administrative Appeals Act.

• Central Administrative Appeals Commission: 110 (without a country code) (www.simpan.go.kr)

Article 34 (Collection and Use of Face Data)

1. Purpose of Collection: The Company collects and uses face data for identity verification, fraud prevention, and security enhancement when users interact with the Company's services or applications.
2. Methods of Collection: Face data is collected when users utilize services that require identity verification, such as logging into the app, registering for services, or accessing specific features that require enhanced security.
3. Consent: The Company obtains explicit consent from users before collecting face data. Users will be notified of the purpose and use of their face data, and they have the option to decline the use of face data. If a user declines, they may be restricted from accessing certain services requiring this verification.
4. Retention: The Company retains face data only as long as necessary to fulfill the identity verification purpose or as required by relevant laws. Once the purpose has been achieved or upon user withdrawal, the face data is securely deleted.
5. Disclosure and Sharing: The Company does not share face data with third parties except in cases where:
   • The user has provided explicit consent.
   • It is required by law or regulation for investigative purposes by relevant authorities.

Addendum

This Policy shall be implemented from March 1, 2024.