Privacy Statement

This Privacy Statement is intended to ensure that UserHabit ("the Company") observes all personal information protection requirements for a telecommunication service provider, including the Act on Promotion of Information and Communications Network Utilization and Information Protection, the Protection of Communications Secrets Act, the Telecommunications Business Act, and the Personal Information Protection Act and handle the member grievances concerning privacy.
The Company shall notify its members of any revision of this Privacy Statement via announcements on the website (or individual notifications).
○ This Statement shall come into effect on June 25, 2015.

1. Purposes of Collecting and Using Personal Information

The Company collects and uses personal information for the purposes itemized below. The personal information collected and used by the Company shall not be used for any purpose other than specified below and if the purpose changes, the Company shall seek the member's consent.

A. Enrolling and Managing Service members
The Company may collect and use personal information to confirm a prospective member's intention to utilize the service, identify a member for member Service, maintain membership qualifications, identify a member for a limited identification system, prevent unauthorized use of the Service, provide notifications, handle grievances and preserve records for dispute resolution.

B. Provision of Goods and Services
The Company may collect and use personal information to provide its service, but send agreements and invoices, provide contents, provide customized services, identify a member, settle payments and collect debts, etc.

C. Handling of Grievances
The Company may collect and use personal information to identify the individual raising a grievance, confirm the grievance, and provide notification of any investigation and/or its outcome.

D. Utilizing Information for Marketing and Advertising
The Company may collect and use personal information to develop new services (products), provide customized services, provide information and opportunity to take part in events and advertising, provide customized services and advertisements, confirm service efficacy, understand access frequency and draw up statistics on the member's use of the Service.

2. Period of Managing and Storing Personal Information

① The Company shall manage and store personal information for the period specified by law or agreed to by the entity providing personal information.
② The period of managing and storing personal information will be until the member leaves the Service (terminates the Service Agreement) for personal information held to enroll and manage Service members, provide goods and services, handle grievances, or utilized for marketing and advertising. However, personal information may be held and used until the need expires or up to the time specified by law in any of the following situations:

1) Until the end of the investigation concerned for cases of a breach of law under investigation;
2) Until debts and liabilities are settled for cases of remaining liabilities arising from the use of the Service;
3) Records of transactions, e.g. labeling, advertising, agreement and performance as per the Act on the Consumer Protection in Electronic Commerce, etc.
- Records of labeling and advertisements: 6 months
- Records of agreements or withdrawal thereof, payment and supply of goods: 5 years
- Records of consumer complaints, disputes, collection/management/use of credit information: 3 years
4) Records of electronic financial transactions as per the Electronic Financial Transactions Act: 5 years
5) Records of transactions as per the Protection of Communications Secrets Act
- Records of the dates, start and end times of electronic communications, subscriber numbers, frequency of use, base stations and location tracking: 1 year
- Internet logs: 3 months
6) Records of identification as per the Act on Promotion of Information and Communications Network Utilization and Information Protection: 6 months

3. Consignment of Personal Information Management

The Company does not, in principle, consign personal information management to an external entity. If, however, the Company should decide to consign personal information management to a third party, this decision will be communicated to the members through this Privacy Statement.

[Notice of Keeping Privacy Information outside using overseas servers (Amazon)]
Itmes Shift Country Shift Shift method Recipient Changed
(Information manager)
Purpose of Use Retention and Period
Personal information collected after February 15, 2016 Amazon Web Services offerings
(USA, Canada, Germany, UK, Singapore, Australia, Korea, Japan, India, Brazil etc.)
Online transmission using security protocol (password) Amazon RDS Services, Inc.
(Stephen Schmidt, 1-206-266-1000)
Amazon Cloud Service 이용
(Physical operation environment consignment)
Until membership or contract termination

4. Provision of Personal Information to Third Parties

The Company shall collect and use the members' personal information within the scope specified in "1. Purposes of Collecting and Using Personal Information" and provide this information to a third party only if the information provider consents and specific regulations, including the Personal Information Protection Act, Articles 17 and 18, permit.

5. Rights and Duties of Information Principals and Exercise thereof

A member may exercise his/her rights as follows as an information principal.
① The information principal may at any time exercise his/her rights as listed below concerning the protection of personal information:
1) Attain access to his/her personal information;
2) Demand correction of errors, if any;
3) Demand that information be deleted;
4) Demand that management of data be stopped
② The member may exercise his/her rights by informing the Company by letter, e-mail or fax using the Supplement No. 8 form of the Enforcement Decree of the Personal Information Protection Act and the Company shall act accordingly without delay.
③ If an information principal demands his/her personal information be corrected or deleted, the Company shall stop using or providing the personal information concerned until the required correction or deletion is complete.
④ The rights specified in Paragraph ① may be exercised by a proxy, a legal representative, or an assigned agent of the information principal concerned. In this case, the member shall submit power of attorney using the Supplement No. 11 form of the Enforcement Decree of the Personal Information Protection Act.

6. Itemization of Personal Information to be Collected and Methods of Collection

A. Items of Personal Information to be Collected
- The Company collects a member's e-mail address and password when he/she initially joins.
- During a member's use of the Service, personal information as stated below may be generated and collected as well:

<Basic information collected>
IP address, cookies, MAC address, service use records, visit records, fraudulent use records, access logs, etc. <Information collected for paid services>
Credit card information and bank account information <Information collected during handling of grievances>
Company name, personal name, position, department, telephone number and mobile phone number

B. Methods of Collecting Personal Information The Company collects personal information in either of the following methods:
- Automatically as the member runs or uses a program related to the Service provided by the Company; or
- Information voluntarily provided by the member when he/she joins or uses the Service.

7. Delete an inactive member's account

In order to protect the privacy of members, the Company manages the membership account separately from the use account and the inactive account. If the user did not logged in the Company's website or used it for a year, it is classified as an inactive account for the protection of personal information of the member and the personal information is kept separately.

8. Procedure and Methods of Discarding Personal Information

The Company shall, in principle, discard personal information as soon as its management purposes have been accomplished. The procedure, timing and methods of discarding personal information are as follows:

A. Procedure for Discarding Information
The information that a member provides shall be moved to a separate DB (paper documents shall be moved to separate documents) after its purposes have been accomplished, and stored for a specific period of time as per the Company's internal policy and relevant laws, or immediately discarded. Such personal information shall not be used for any purpose than as specified unless required by law.

B. Timing of Discarding of Information A member's personal information shall be discarded within 5 days after the period for storing it expires, termination of the Service, termination of business and/or other causes which make the personal information unnecessary.

C. Methods of Discarding Information
- Technical method that does not allow any data on an electronic file to be restored; or
- Shredding or burning personal information contained in paper documents.

9. Measures to Protect the Security of Personal Information

The Company will take technical/administrative and physical measures as below to ensure the security of information as per the Personal Information Protection Act, Article 29:

A. Minimizing the Number of Staff Managing Personal Information and Providing Training
- The Company designates staff in charge of personal information and limits the management rights of the personal information on hand to designated staff only.

B. Encryption of Personal Information
- The member's personal information and password are encrypted when saved and managed and are only available to that member. Critical data is also encrypted in a file or in data transfer or locked with a file locking function.

C. Technical Preparedness against Hacking
- The Company installs security programs and regularly updates and maintains them to prevent information leakage or corruption by hacking or computer viruses, and sets up a security system at an access-restricted area and monitors and restricts access to it both technically and physically.

D. Restriction of Access to Personal Information
- The Company takes all necessary measures to restrict access to personal information by properly granting, modifying and cancelling access to the DB system processing personal information and uses an intrusion control system to restrict unauthorized access from outside.

E. Storage of Access Logs and Prevention of Corruption Thereof
- The Company stores and manages the access logs to the personal information processing system and uses security functions to prevent corruption, theft or loss of the logs.

F. Use of Locks to Ensure Security of Documents
- The Company stores documents and storage media containing personal information at a safe location secured by locks.

10. Privacy Officer

① The Company has assigned the Privacy Officer below to be in charge of privacy affairs, handle grievances of information principals regarding information management and provide relief.

▶ Privacy Officer
Name: Hyeonjong Jung Position: CEO
Contact: 010-2620-4450, jung@userhabit.io

▶ Privacy Director
Name: Jake Yoon
Dept.: Development Team
Contact: 010-4708-5825, jake@userhabit.io

② An information principal may contact the Privacy Officer and Privacy Director with any question, complaint or request for relief for any privacy breach issue arising from the use of the Company's Service. The Company is committed to responding to and resolving any issue raised by an information principal without delay.

11. Request for Viewing Personal Information

A member may request to view his/her personal information at the following department. The Company is committed to responding immediately to such a request made by an information principal.

▶ Request for viewing personal information should be made to:
Dept.: Development Team
Representative: Jake Yoon
Contact: 010-4708-5825, jake@userhabit.io

12. Notification of Privacy Statement

① If there is an addition, deletion or modification to the current Privacy Statement, it shall be communicated (along with an explanation of the reason for the change) on the Service website 7 days before the effective revision date. If, however, a significant modification to the members' rights in connection with the collection and utilization of personal information is proposed, it shall be communicated 30 days prior to the effective revision date.
② The Company shall, when use of information that exceeds a member's consent or consignment of information management to a third party is required, contact individual members by letter, e-mail or telephone to advise him/her.
③ The Company shall, when wishing to consign the collection, storage, processing, use, provision or discarding of personal information, inform the member via the Service Terms, Privacy Statement, etc.
④ The Company shall, when obtaining consent of a legal guardian for collecting and using personal information of children under 14 or providing it to a third party, inform the legal guardian by telephone, fax, mail or having the child provide his/her legal guardian with the notice concerned or by e-mailing the guardian a link (hyperlink) to this Privacy Statement or by other reasonable means.

13. Relief for Breach of Rights

A member may contact the following agencies for relief or counseling for any breach of rights. The agencies below are entities separate and unrelated to the Company and should be contacted when the member is not satisfied with the Company's handling of grievances or relief measures or wishes to seek further assistance.

▶ Privacy Breach Report Center (operated by KISA)
Responsibility: Receiving reports on breach of rights and/or requests for advice
Website: privacy.kisa.or.kr
Telephone: (No code required) 118
Address: (138-950) Privacy Breach Report Center of KISA, 135 Jungdae-ro, Songpa-gu, Seoul

▶ Privacy Dispute Mediation Committee (operated by KISA) Responsibility: Receiving privacy dispute mediation requests and group dispute mediation requests (civil cases) Website: privacy.kisa.or.kr Telephone: (No code required) 118 Address: (138-950) Privacy Breach Report Center of KISA, 135 Jungdae-ro, Songpa-gu, Seoul

▶ Cyber Crime Investigation Dept. Supreme Prosecution Office
02-3480-3573 (www.spo.go.kr)

▶ Cyber Terrorism Response Center 1566-0112 (www.netan.go.kr)

▶ e-Privacy Committee
02-580-0533~4 (www.eprivacy.or.kr)

14. Modifications of Privacy Statement

This Privacy Statement shall come into effect on the effective date and if it requires any addition, deletion or modification, it shall be communicated 7 days before taking effect via announcements on the website or individual notifications.

Announced on: March 14, 2017
Enforced on: March 21, 2017
Revised on: April 6, 2017