1. Personal information means information about a living individual which can identify the individual by items such as their name and resident registration number (This includes information that alone may not identify a specific individual, but can easily be used to identify when combined with other information).
2. Samyang Holdings Pangyo ("www.smart-academy.com" hereinafter referred to as the “Company”) places great importance on the protection of users’ personal information and complies with relevant legal regulations on personal information protection, including the Act on the Promotion of Information and Communications Network Utilization and Information Protection and the Personal Information Protection Act, which must be observed by providers of information and communication services. Through this privacy policy, we inform users about how the personal information they provide is used and in what manner, as well as the measures taken to protect personal information.
3. The Company makes the privacy policy easily accessible to users by disclosing it on the first page of the website.
4. The Company has established procedures for amending the privacy policy to ensure continuous improvement and reserves the right to change the privacy policy to meet the needs of the Company and societal changes. In addition, when amending the privacy policy, the Company assigns a version number or other indicator to make it easy for users to identify the revised information.

1. The Company collects personal information through the following methods. The Company does not use personal information for purposes other than those stated below, and takes necessary measures such as obtaining separate consent if the purpose of the service provided by the Company changes.
2. The rights and responsibilities regarding personal information and posts voluntarily disclosed by the user during the use of services provided by the Company are the responsibility of the user. Voluntarily disclosed information is difficult to protect and may be collected or processed unauthorized by others. Please be mindful that any loss or issues arising from this are solely the responsibility of the user.

1. Information collected during use of service

1. We use cookie information for user convenience. Please refer to Article 11 of the Privacy Policy for related information.

The Company shall process the user’s personal information within the scope clarified in the Personal Information Processing Policy; the personal information shall not be provided to a third party except in the following cases:

1. When the user has consented to the processing
2. When falling under special regulations according to the law, such as Articles 17 and 18 of the Personal Information Protection Act
3. Personal information may be provided to relevant institutes without the consent of the data subject in emergencies, such as disasters, infectious diseases, accidents, and incidents that cause urgent risks to lives and the body and urgent loss of properties, according to the Personal Information Processing and Protection Guidelines in Emergencies jointly announced by relevant government departments.

The user’s personal information is managed by the following external company through consignment.

1. The Company shall destroy the personal information without delay when it is no longer necessary due to the expiration of the retention period for personal information or the achievement of the processing purpose.
2. If the personal information holding period agreed upon by the user has expired or the processing purpose has been achieved, but it is necessary to continue retaining the personal information according to other laws, the Company will transfer the relevant personal information to a separate database (DB) or to a separate table within the DB (in the case of paper, separate document storage) and retain it in a different storage location.
   1. The items of personal information retained and the basis for retention in accordance with other laws can be found in “2. Items of Personal Information Collected and Methods of Collection” and “4. Personal Information Retention and Use Period.”
3. The procedures and methods for the destruction of personal information are as follows:
   1. Destruction process
      1. The Company selects personal information for destruction when the reason for destruction arises, and with the approval of the Company’s data protection officer, the personal information is destroyed.
   2. Method of destruction
      1. The Company destroys personal information recorded or stored in electronic file format in a manner that makes it impossible to regenerate the record, and personal information recorded or stored on paper documents is shredded using a shredder or incinerated for destruction.

1. Rights of Data Subjects and How to Exercise Them
   1. Users have the right to exercise their rights (hereinafter referred to as “Exercising Rights”) to access, correct, delete, stop processing, withdraw consent, refuse automated decisions, or request an explanation from the Company at any time.
      1. Requests for access to personal information of children under 14 years of age must be made directly by their legal guardian. If the data subject is a minor over 14 years of age, the minor can exercise the rights regarding their personal information, or the rights can be exercised through their legal guardian.
   2. You can exercise your rights towards the Company through writing, email, fax, or other means in accordance with Article 41 (1) of the Enforcement Decree of the Personal Information Protection Act, and the Company will promptly respond to your request.
      1. Users can always request refusal of automated decisions and explanations through the ‘Contact Us’ section on the website.
2. Obligations of Data Subjects and How to Exercise Them
   1. Exercising rights can also be done through a legal guardian or a representative who has been delegated by the user. In this case, you must submit a power of attorney form according to Annex No. 11 of the “Guidelines for Personal Information Processing Methods.”
   2. The right of users to request access to personal information and stop processing may be limited under Article 35 (4) and Article 37 (2) of the Personal Information Protection Act.
   3. If the personal information is specified as a subject of collection in other laws, you cannot request the deletion of such personal information.
   4. If the data subject has consented to automated decision-making or has been notified in advance through a contract, and if there are clear legal provisions, refusal of automated decisions may not be accepted, and only requests for explanation and review are allowed.
      1. Also, refusal or request for an explanation regarding automated decisions may be denied if there are legitimate reasons, such as concerns about unjustly infringing on another person’s life, body, property, or other benefits.
   5. The Company verifies whether the person exercising the rights is the individual oneself or a legitimate representative.
   6. Rights can be exercised at the following departments within the Company. The Company will make efforts to ensure that the rights of data subjects are promptly processed.
   1. Department for receiving and processing requests for access to personal information
      1. Department Name : Medical Aesthetics Business Team
      2. Email : yujin.hong@samyang.com
      3. Phone : +82-2-2157-9807
      4. Fax : +82-2-2157-9062

The company provides and entrusts the personal information collected from users of the service to overseas parties as outlined below. In principle, we maintain a full data backup for recovery in the event of data loss due to disasters or emergencies, so if you refuse the overseas transfer, you will not be able to use the service. If you do not wish for your data to be transferred overseas, you can either proceed with account termination on our website or request account termination through customer inquiries.

The Company has implemented the following technical and managerial measures to ensure the security of personal information in processing to prevent loss, theft, leakage, alteration, or damage of personal information.

1. Technical measures
   1. When storing personal information, we encrypt it using reliable encryption algorithms to prevent unauthorized leakage.
   2. When transmitting personal information over the network, we secure the transmission by encrypting it with SSL.
   3. The Company utilizes antivirus programs to prevent damages caused by computer viruses. The antivirus program is regularly updated, and in case of sudden emergence of a virus, the Company provides immediate updates to prevent any infringement of personal information.
   4. The Company has installed intrusion prevention systems and intrusion detection systems to protect the system against external intrusions such as hacking.
   5. The Company retains and manages access records to the personal information processing system for at least 1 year, ensuring that access records are not tampered with, stolen, or lost.
2. Administrative measures
   1. The Company has established and implemented an internal management plan for the secure handling of personal information.
   2. The Company restricts access to users’ personal information to processors within the personal information processing department.
   3. The Company conducts regular in-house training and external training for employees who handle personal information to acquire new security technologies and fulfill obligations for personal information protection.
   4. The handover of duties related to personal information by processors is strictly conducted under secure conditions, and responsibilities for personal information incidents are clearly defined upon employment and departure.
   5. The Company does not take responsibility for incidents resulting from the user’s mistakes or the inherent risks of the internet.
      Each member is responsible for appropriately managing their personal information to protect it and must take responsibility for it.
   6. In the event of loss, leakage, alteration, or damage of personal information due to the mistakes of internal administrators or incidents in technical management, the Company will immediately inform users of the facts and take appropriate measures and compensation.
3. Physical measures
   1. The Company has designated data processing rooms and data storage rooms as special protected areas and controls access to them.

The Company complies with the Personal Information Protection Act, its enforcement decree, enforcement rules, standards for ensuring the security of personal information, and other relevant laws and regulations.

1. The Company oversees the overall tasks related to personal information processing, takes responsibility, and has designated a person in charge of personal information protection to handle user complaints, damage relief, and other matters related to personal information processing.
   1. Data Protection Officer
      1. Name: Jung LEE
      2. Position : Team Leader
      3. Email : jung.lee@samyang.com
      4. Tel : +82-2-2157-9828
      5. Fax : +82-2-2157-9062
   2. Personal Information Protection Department
      1. Department Name : Medical Aesthetics Business Team
      2. Email : yujin.hong@samyang.com
      3. Tel : +82-2-2157-9807
      4. Fax : +82-2-2157-9062
   3. Samyang EU Data Protection Officer (DPO)
      1. Address : Samyang Corp. 295 Pangyo-ro, Bundang-gu, Seongnam-si Gyeonggi-do 13488, Korea
      2. Email : croquis@samyang.com
      3. Tel : +82-2-2157-9822
   4. Personal Information Protection Department
      1. Address : Samyang Hungary. Gödöllő, Bláthy Ottó utca, 2100, Hungary
      2. Email : sunwoo.kim@samyang.com
2. Users can contact the Data Protection Officer and the responsible department for any inquiries, complaints, damage relief, or other matters related to personal information protection arising from the use of the Company’s services.
   ※Phone consultations are available on weekdays from 09:00 to 18:00, and inquiries via email, fax, or mail will be promptly responded to and processed within 24 hours of receipt. If you need professional consultation or to report a privacy breach regarding personal information, please contact the following agency.
   1. Personal Information Infringement Report Center (Korea Internet & Security Agency)
      1. Phone: +82-118 (without area code)
      2. Website: http://privacy.kisa.or.kr
   2. Cyber Investigation Department of Supreme Prosecutor’s Office
      1. Phone: +82-1301 (without area code)
      2. Website: http://www.spo.go.kr
   3. Cyber Safety Guardian of Korean National Police Agency
      1. Phone: +82-182 (without area code)
      2. Website: https://www.police.go.kr/www/security/cyber.jsp

If there are any additions, deletions, or modifications to the current privacy policy due to changes in government policies or security technologies, we will notify you through the website at least 7 days in advance.

1. 1. Date of change to the privacy policy : 2024-11-15
   2. Effective date of the privacy policy: 2024-11-22

[Automatic personal information collection devices installed and operated]

1. The Company uses "cookies" to store and periodically retrieve user information in order to provide individualized services and convenience.
2. Cookies are small pieces of information sent by the server (http) of a website to the user’s browser and stored on the data subject’s PC or mobile device.
3. Users can allow or block cookies by configuring their web browser settings.
   However, if you refuse to store cookies, it may cause difficulties in using personalized services.
   1. Allowing/Blocking Cookies in a Web Browser
      1. Chrome: Web browser Settings > Privacy and Security > Clear browsing data
      2. Edge: Web browser Settings > Cookies and site permissions > Manage and delete cookies and site data
   1. Allowing/Blocking Cookies in Mobile Browsers
      1. Chrome: Mobile browser Settings > Privacy and Security > Clear browsing data
      2. Safari: Mobile device Settings > Safari > Advanced > Block All Cookies
      3. Samsung Internet: Mobile browser Settings > Internet usage records > Clear browsing data

[Information on the collection, use, provision, refusal of behavioral information, etc]

1. In order to provide users with optimized personalized services, benefits, and targeted online advertisements during the service usage process, the Company collects and utilizes behavioral information through cookies without identifying individuals.
2. The Company collects behavioral information on the website it operates as follows.

Legal basis	Items of behavioral information collected	Methods of collecting behavioral information	Purpose of collecting behavioral information	Retention and usage period
Article 15 (1) 1 of the Personal Information Protection Act	Logging of website visits and key actions	Automatically collected using Google Analytics when users visit the website, a web analysis tool provided by Google.	Utilized for website service management, statistics, and analysis of user behavior.	Up to 38 months(destroyed after retention period)

3. Information subjects can inquire about matters related to behavioral information, exercise their right to refuse, and report damages through the following contact information.
   1. Personal Information Protection Department
      1. Department : Medical Aesthetics Business Team
      2. Email : yujin.hong@samyang.com
      3. Phone : +82-2-2157-9807
      4. Fax : +82-2-2157-9062

1. Personal information means information about a living individual which can identify the individual by items such as their name and resident registration number (This includes information that alone may not identify a specific individual, but can easily be used to identify when combined with other information).
2. Samyang Holdings Pangyo ("smart-academy.co.kr" hereinafter referred to as the “Company”) places great importance on the protection of users’ personal information and complies with relevant legal regulations on personal information protection, including the Act on the Promotion of Information and Communications Network Utilization and Information Protection and the Personal Information Protection Act, which must be observed by providers of information and communication services. Through this privacy policy, we inform users about how the personal information they provide is used and in what manner, as well as the measures taken to protect personal information.
3. The Company makes the privacy policy easily accessible to users by disclosing it on the first page of the website.
4. The Company has established procedures for amending the privacy policy to ensure continuous improvement and reserves the right to change the privacy policy to meet the needs of the Company and societal changes. In addition, when amending the privacy policy, the Company assigns a version number or other indicator to make it easy for users to identify the revised information.

1. The Company collects personal information through the following methods. The Company does not use personal information for purposes other than those stated below, and takes necessary measures such as obtaining separate consent if the purpose of the service provided by the Company changes.
2. The rights and responsibilities regarding personal information and posts voluntarily disclosed by the user during the use of services provided by the Company are the responsibility of the user. Voluntarily disclosed information is difficult to protect and may be collected or processed unauthorized by others. Please be mindful that any loss or issues arising from this are solely the responsibility of the user.

1. Information collected during use of service

1. We use cookie information for user convenience. Please refer to Article 11 of the Privacy Policy for related information.

The Company shall process the user’s personal information within the scope clarified in the Personal Information Processing Policy; the personal information shall not be provided to a third party except in the following cases:

1. When the user has consented to the processing
2. When falling under special regulations according to the law, such as Articles 17 and 18 of the Personal Information Protection Act
3. Personal information may be provided to relevant institutes without the consent of the data subject in emergencies, such as disasters, infectious diseases, accidents, and incidents that cause urgent risks to lives and the body and urgent loss of properties, according to the Personal Information Processing and Protection Guidelines in Emergencies jointly announced by relevant government departments.

The user’s personal information is managed by the following external company through consignment.

1. The Company shall destroy the personal information without delay when it is no longer necessary due to the expiration of the retention period for personal information or the achievement of the processing purpose.
2. If the personal information holding period agreed upon by the user has expired or the processing purpose has been achieved, but it is necessary to continue retaining the personal information according to other laws, the Company will transfer the relevant personal information to a separate database (DB) or to a separate table within the DB (in the case of paper, separate document storage) and retain it in a different storage location.
   1. The items of personal information retained and the basis for retention in accordance with other laws can be found in “2. Items of Personal Information Collected and Methods of Collection” and “4. Personal Information Retention and Use Period.”
3. The procedures and methods for the destruction of personal information are as follows:
   1. Destruction process
      1. The Company selects personal information for destruction when the reason for destruction arises, and with the approval of the Company’s data protection officer, the personal information is destroyed.
   2. Method of destruction
      1. The Company destroys personal information recorded or stored in electronic file format in a manner that makes it impossible to regenerate the record, and personal information recorded or stored on paper documents is shredded using a shredder or incinerated for destruction.

1. Rights of Data Subjects and How to Exercise Them
   1. Users have the right to exercise their rights (hereinafter referred to as “Exercising Rights”) to access, correct, delete, stop processing, withdraw consent, refuse automated decisions, or request an explanation from the Company at any time.
      1. Requests for access to personal information of children under 14 years of age must be made directly by their legal guardian. If the data subject is a minor over 14 years of age, the minor can exercise the rights regarding their personal information, or the rights can be exercised through their legal guardian.
   2. You can exercise your rights towards the Company through writing, email, fax, or other means in accordance with Article 41 (1) of the Enforcement Decree of the Personal Information Protection Act, and the Company will promptly respond to your request.
      1. Users can always request refusal of automated decisions and explanations through the ‘Contact Us’ section on the website.
2. Obligations of Data Subjects and How to Exercise Them
   1. Exercising rights can also be done through a legal guardian or a representative who has been delegated by the user. In this case, you must submit a power of attorney form according to Annex No. 11 of the “Guidelines for Personal Information Processing Methods.”
   2. The right of users to request access to personal information and stop processing may be limited under Article 35 (4) and Article 37 (2) of the Personal Information Protection Act.
   3. If the personal information is specified as a subject of collection in other laws, you cannot request the deletion of such personal information.
   4. If the data subject has consented to automated decision-making or has been notified in advance through a contract, and if there are clear legal provisions, refusal of automated decisions may not be accepted, and only requests for explanation and review are allowed.
      1. Also, refusal or request for an explanation regarding automated decisions may be denied if there are legitimate reasons, such as concerns about unjustly infringing on another person’s life, body, property, or other benefits.
   5. The Company verifies whether the person exercising the rights is the individual oneself or a legitimate representative.
   6. Rights can be exercised at the following departments within the Company. The Company will make efforts to ensure that the rights of data subjects are promptly processed.
   1. Department for receiving and processing requests for access to personal information
      1. Department Name : Medical Aesthetics Business Team
      2. Email : yujin.hong@samyang.com
      3. Phone : +82-2-2157-9807
      4. Fax : +82-2-2157-9062

The company provides and entrusts the personal information collected from users of the service to overseas parties as outlined below. In principle, we maintain a full data backup for recovery in the event of data loss due to disasters or emergencies, so if you refuse the overseas transfer, you will not be able to use the service. If you do not wish for your data to be transferred overseas, you can either proceed with account termination on our website or request account termination through customer inquiries.

The Company has implemented the following technical and managerial measures to ensure the security of personal information in processing to prevent loss, theft, leakage, alteration, or damage of personal information.

1. Technical measures
   1. When storing personal information, we encrypt it using reliable encryption algorithms to prevent unauthorized leakage.
   2. When transmitting personal information over the network, we secure the transmission by encrypting it with SSL.
   3. The Company utilizes antivirus programs to prevent damages caused by computer viruses. The antivirus program is regularly updated, and in case of sudden emergence of a virus, the Company provides immediate updates to prevent any infringement of personal information.
   4. The Company has installed intrusion prevention systems and intrusion detection systems to protect the system against external intrusions such as hacking.
   5. The Company retains and manages access records to the personal information processing system for at least 1 year, ensuring that access records are not tampered with, stolen, or lost.
2. Administrative measures
   1. The Company has established and implemented an internal management plan for the secure handling of personal information.
   2. The Company restricts access to users’ personal information to processors within the personal information processing department.
   3. The Company conducts regular in-house training and external training for employees who handle personal information to acquire new security technologies and fulfill obligations for personal information protection.
   4. The handover of duties related to personal information by processors is strictly conducted under secure conditions, and responsibilities for personal information incidents are clearly defined upon employment and departure.
   5. The Company does not take responsibility for incidents resulting from the user’s mistakes or the inherent risks of the internet.
      Each member is responsible for appropriately managing their personal information to protect it and must take responsibility for it.
   6. In the event of loss, leakage, alteration, or damage of personal information due to the mistakes of internal administrators or incidents in technical management, the Company will immediately inform users of the facts and take appropriate measures and compensation.
3. Physical measures
   1. The Company has designated data processing rooms and data storage rooms as special protected areas and controls access to them.

The Company complies with the Personal Information Protection Act, its enforcement decree, enforcement rules, standards for ensuring the security of personal information, and other relevant laws and regulations.

1. The Company oversees the overall tasks related to personal information processing, takes responsibility, and has designated a person in charge of personal information protection to handle user complaints, damage relief, and other matters related to personal information processing.
   1. Data Protection Officer
      1. Name: Jung LEE
      2. Position : Team Leader
      3. Email : jung.lee@samyang.com
      4. Tel : +82-2-2157-9828
      5. Fax : +82-2-2157-9062
   2. Personal Information Protection Department
      1. Department Name : Medical Aesthetics Business Team
      2. Email : yujin.hong@samyang.com
      3. Tel : +82-2-2157-9807
      4. Fax : +82-2-2157-9062
   3. Samyang EU Data Protection Officer (DPO)
      1. Address : Samyang Corp. 295 Pangyo-ro, Bundang-gu, Seongnam-si Gyeonggi-do 13488, Korea
      2. Email : croquis@samyang.com
      3. Tel : +82-2-2157-9822
   4. Personal Information Protection Department
      1. Address : Samyang Hungary. Gödöllő, Bláthy Ottó utca, 2100, Hungary
      2. Email : sunwoo.kim@samyang.com
2. Users can contact the Data Protection Officer and the responsible department for any inquiries, complaints, damage relief, or other matters related to personal information protection arising from the use of the Company’s services.
   ※Phone consultations are available on weekdays from 09:00 to 18:00, and inquiries via email, fax, or mail will be promptly responded to and processed within 24 hours of receipt. If you need professional consultation or to report a privacy breach regarding personal information, please contact the following agency.
   1. Personal Information Infringement Report Center (Korea Internet & Security Agency)
      1. Phone: +82-118 (without area code)
      2. Website: http://privacy.kisa.or.kr
   2. Cyber Investigation Department of Supreme Prosecutor’s Office
      1. Phone: +82-1301 (without area code)
      2. Website: http://www.spo.go.kr
   3. Cyber Safety Guardian of Korean National Police Agency
      1. Phone: +82-182 (without area code)
      2. Website: https://www.police.go.kr/www/security/cyber.jsp

If there are any additions, deletions, or modifications to the current privacy policy due to changes in government policies or security technologies, we will notify you through the website at least 7 days in advance.

1. 1. Date of change to the privacy policy : 2024-10-02
   2. Effective date of the privacy policy: 2024-10-11

[Automatic personal information collection devices installed and operated]

1. The Company uses "cookies" to store and periodically retrieve user information in order to provide individualized services and convenience.
2. Cookies are small pieces of information sent by the server (http) of a website to the user’s browser and stored on the data subject’s PC or mobile device.
3. Users can allow or block cookies by configuring their web browser settings.
   However, if you refuse to store cookies, it may cause difficulties in using personalized services.
   1. Allowing/Blocking Cookies in a Web Browser
      1. Chrome: Web browser Settings > Privacy and Security > Clear browsing data
      2. Edge: Web browser Settings > Cookies and site permissions > Manage and delete cookies and site data
   1. Allowing/Blocking Cookies in Mobile Browsers
      1. Chrome: Mobile browser Settings > Privacy and Security > Clear browsing data
      2. Safari: Mobile device Settings > Safari > Advanced > Block All Cookies
      3. Samsung Internet: Mobile browser Settings > Internet usage records > Clear browsing data

[Information on the collection, use, provision, refusal of behavioral information, etc]

1. In order to provide users with optimized personalized services, benefits, and targeted online advertisements during the service usage process, the Company collects and utilizes behavioral information through cookies without identifying individuals.
2. The Company collects behavioral information on the website it operates as follows.

Legal basis	Items of behavioral information collected	Methods of collecting behavioral information	Purpose of collecting behavioral information	Retention and usage period
Article 15 (1) 1 of the Personal Information Protection Act	Logging of website visits and key actions	Automatically collected using Google Analytics when users visit the website, a web analysis tool provided by Google.	Utilized for website service management, statistics, and analysis of user behavior.	Up to 38 months(destroyed after retention period)

3. Information subjects can inquire about matters related to behavioral information, exercise their right to refuse, and report damages through the following contact information.
   1. Personal Information Protection Department
      1. Department : Medical Aesthetics Business Team
      2. Email : yujin.hong@samyang.com
      3. Phone : +82-2-2157-9807
      4. Fax : +82-2-2157-9062