Kiboko Privacy Policy

Effective Date: January 1, 2025

Kiboko ("Company") establishes and publishes the following privacy policy to protect the personal information of data subjects and to handle related complaints quickly and smoothly.

Article 1 (Purpose of Processing Personal Information)

The Company processes personal information for the following purposes. The personal information being processed will not be used for purposes other than the following, and if the purpose of use changes, necessary measures such as obtaining separate consent will be taken in accordance with Article 18 of the Personal Information Protection Act.

1. Membership Registration and Management

• Confirmation of membership registration intent
• Personal identification and authentication for membership services
• Maintenance and management of membership status
• Identity verification under limited identity verification system
• Prevention of fraudulent use of services
• Various notices and notifications
• Complaint handling

2. Service Provision

• Content delivery
• Customized service provision
• Identity authentication

3. Marketing and Advertising

• Development of new services (products) and provision of customized services
• Provision of event and advertising information and participation opportunities
• Service provision and advertisement placement based on demographic characteristics
• Service validity verification
• Statistics on access frequency or member service usage

Article 2 (Processing and Retention Period of Personal Information)

1. The Company processes and retains personal information within the retention and use period according to laws or the period consented to when collecting personal information from data subjects.

2. The processing and retention periods for each type of personal information are as follows:

Membership Registration and Management

• Retention Period: Until membership withdrawal
• However, until the end of the relevant reason in the following cases:
  • When investigation or inquiry is in progress due to violation of relevant laws: Until the end of such investigation
  • When credit/debt relationships remain from service use: Until settlement of such relationships

Records of Contracts, Withdrawal, Payment, and Supply in E-commerce

• Retention Period: 5 years
• Legal Basis: Act on Consumer Protection in Electronic Commerce

Records of Consumer Complaints or Dispute Resolution

• Retention Period: 3 years
• Legal Basis: Act on Consumer Protection in Electronic Commerce

Records of Display and Advertisement

• Retention Period: 6 months
• Legal Basis: Act on Consumer Protection in Electronic Commerce

Website Visit Records

• Retention Period: 3 months
• Legal Basis: Protection of Communications Secrets Act

Article 3 (Items of Personal Information Processed)

The Company processes the following personal information items:

1. During Membership Registration

• Required Items: Email, password, name (nickname)
• Optional Items: Profile photo
• Automatically Collected Items: IP address, cookies, service usage records, visit records

2. During Social Login (Google, Kakao, Naver)

• Collected Items: Email, name, profile photo, social account unique ID
• Information provided may vary according to each social login provider's policy.

3. Information Automatically Collected During Service Use

• IP address, cookies, visit time, service usage records, improper usage records

Article 4 (Provision of Personal Information to Third Parties)

1. The Company processes personal information only within the scope specified in Article 1 (Purpose of Processing Personal Information) and provides personal information to third parties only with data subject consent or when required by special provisions of laws under Articles 17 and 18 of the Personal Information Protection Act.

2. The Company provides personal information to third parties as follows:

   • Currently, no personal information is provided to third parties.

Article 5 (Entrustment of Personal Information Processing)

The Company entrusts personal information processing tasks as follows for smooth personal information business processing:

Cloud Services

• Entrusted Party: Supabase, Vercel
• Entrusted Tasks: Data storage and server operation
• Retention and Use Period: Until membership withdrawal or termination of entrustment contract

Article 6 (Rights and Obligations of Data Subjects and Legal Representatives and How to Exercise Them)

1. Data subjects may exercise rights such as requesting access, correction, deletion, or suspension of processing of personal information to the Company at any time.

2. The exercise of rights under Paragraph 1 may be done through written documents, email, or fax in accordance with Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act, and the Company will take action without delay.

3. The exercise of rights under Paragraph 1 may be done through a legal representative or authorized representative of the data subject.

4. Requests for access to personal information and suspension of processing may be restricted under Article 35, Paragraph 4 and Article 37, Paragraph 2 of the Personal Information Protection Act.

5. Requests for correction and deletion of personal information cannot be made if the personal information is specified as a collection target in other laws.

Article 7 (Destruction of Personal Information)

1. The Company destroys personal information without delay when it becomes unnecessary due to the expiration of the retention period or achievement of processing purposes.

2. When personal information must be preserved according to other laws despite the expiration of the retention period or achievement of processing purposes, the personal information is transferred to a separate database (DB) or stored in a different storage location.

3. The procedures and methods for destroying personal information are as follows:

   • Destruction Procedure: The Company selects personal information to be destroyed and destroys it with approval from the personal information protection officer.
   • Destruction Method: Information in electronic file format is destroyed using technical methods that cannot reproduce the records.

Article 8 (Measures to Ensure Security of Personal Information)

The Company takes the following measures to ensure the security of personal information:

1. Administrative Measures: Establishment and implementation of internal management plans, regular employee training, etc.
2. Technical Measures: Access control management for personal information processing systems, installation of access control systems, encryption of unique identification information, installation of security programs
3. Physical Measures: Access control for computer rooms, data storage rooms, etc.

Article 9 (Installation, Operation, and Refusal of Automatic Personal Information Collection Devices)

1. The Company uses 'cookies' that store and retrieve usage information to provide individual customized services to users.

2. Cookies are small pieces of information sent by the server (http) operating the website to the user's computer browser and may be stored on the hard disk of the user's PC.

3. Purpose of Cookie Use:

   • Used to provide optimized information to users by understanding visit and usage patterns, popular search terms, secure connection status, etc. for each service and website visited by users.

4. Installation, Operation, and Refusal of Cookies:

   • Cookie storage can be refused through Tools > Internet Options > Privacy menu option settings at the top of the web browser.
   • Refusing cookie storage may cause difficulties in using customized services.

Article 10 (Personal Information Protection Officer)

The Company designates a personal information protection officer as follows to oversee personal information processing tasks and handle complaints and damage relief related to personal information processing:

Personal Information Protection Officer

• Name: Jay Kim
• Position: Privacy Protection Team Leader
• Contact: jay@kiboko.ai

Data subjects may contact the personal information protection officer for all personal information protection-related inquiries, complaint handling, damage relief, etc. that occur while using the Company's services.

Article 11 (Request for Access to Personal Information)

Data subjects may request access to personal information under Article 35 of the Personal Information Protection Act to the following department:

Department for Receiving and Processing Personal Information Access Requests

• Department: Kiboko
• Person in Charge: Jay Kim
• Contact: jay@kiboko.ai

Article 12 (Remedies for Rights Infringement)

Data subjects may apply for dispute resolution or consultation to the Personal Information Dispute Mediation Committee, Korea Internet & Security Agency's Personal Information Infringement Report Center, etc. to receive relief from personal information infringement.

Personal Information Infringement Report Center

• 118 (no area code)
• privacy.kisa.or.kr

Personal Information Dispute Mediation Committee

• 1833-6972 (no area code)
• www.kopico.go.kr

Supreme Prosecutors' Office

• 1301 (no area code)
• www.spo.go.kr

National Police Agency

• 182 (no area code)
• ecrm.cyber.go.kr

Article 13 (Changes to Privacy Policy)

This privacy policy is effective from January 1, 2025, and any additions, deletions, or corrections due to changes in laws and policies will be notified through announcements 7 days before implementation.

---

Supplementary Provisions

This privacy policy shall be effective from January 1, 2025.