uPrism.io (https://uprism.io) (hereinafter referred to as the "Service") operated by uPrism (hereinafter referred to as "Company") is a law, individual, etc. We comply with the personal information protection regulations of related laws and regulations to be followed by information and communication service providers such as the information protection law, and have the following processing policies to protect the user's information by setting the personal information processing policy according to the related laws and regulations.

"Company" will notify (or individual notice) on the website when the privacy policy is revised.

○ This policy will be effective from January 25, 2019.

1. Purpose of processing personal information

"Company" processes personal information for the following purposes. The processed personal information will not be used for any purpose other than the following purposes, and if the purpose of use is changed, prior consent will be obtained.

① Registration and management of membership Personal information is processed for the purpose of identification and certification of membership system, maintenance and management of membership, verification of identity due to limited identity verification system, and prevention of fraudulent use of service.

② Purpose of process personal information We process personal information for the purpose of verifying your identity, verifying complaints, contacting and notifying you for fact investigation, and notification of processing results.

③ Providing services or products We process personal information for the purpose of providing services, delivering goods, payment, settlement, identity verification, personalized service provision, content provision, and sending news.

④ Application to marketing and advertising Personal information is processed for the purpose of developing new services (products), providing customized services, providing events and advertisements information and providing opportunities for participation, validating services, identifying access frequency, or statistics on members' use of services.

2. Scope of collection of personal information

- Personal information items: email, password, login ID, date of birth, name, service usage history, access IP information, access log, cookies, payment information, payment history, social ID when social login, unique key value. - How to collect: homepage, written form, telephone/fax, event - Retention basis: Terms of service - Retention period: 5 years - Relevant laws and regulations: records on the collection, processing and use of credit information (3 years), records of consumer complaints or disputes (3 years), records of payment and supply of goods (5 years), records of contract or withdrawal of subscriptions (5 years)

3. Retention Period of Personal Information and Processing

① “Company” processes and retains personal information within the period of possession and use of personal information pursuant to the law or within the period of possession and use of personal information agreed to when collecting personal information from the information subject. ② Each personal information processing and retention period is as follows. One). Homepage membership and management purpose Personal information related to “homepage membership registration and management” will be retained and used for the above purposes for up to 5 years from the date of agreement on collection and use. -Basis for possession: service provision -Related laws a. Record on collection / processing and use of credit information: 3 years b. Record of consumer complaints or disputes: 3 years c. Record on payment and supply of goods: 5 years d. Record on contract or withdrawal of subscription: 5 years

4. Items related to the provision of personal information to third parties ① The “Company” shall provide personal information only to third parties only in accordance with Article 17 and 18 of the Personal Information Protection Act, including the consent of the information subject and the special provisions of the law. ② The “Company” provides personal information to third parties as follows. -Company that receive personal information: JTNET (Payment Gateway) -Purpose of use of personal information of recipients: e-mail, company phone number, company name, credit card information, bank account information -Retention and use period of the recipient: 1 year

5. Entrusted with the processing of personal information

① The "Company" entrusts the processing of personal information as follows in order to facilitate the processing of personal information. -Recipient (Consignee): JTNET -Details of the work entrusted: purchase and payment / identity verification -Consignment period: When the service withdraws or the contract is terminated (2) The Company shall, in accordance with Article 25 of the Personal Information Protection Act, prohibit the processing of personal information, technical and administrative protection measures, restriction on reconsignment, management and supervision of the trustee, and compensation for damages when the consignment contract is concluded. Is specified in documents such as contracts and supervised whether trustees handle personal information securely. ③ If the contents of the consignment service or the consignee changes, we will disclose it through this personal information processing policy without delay.

6. User have the following rights, obligations, and method of exercise of information subjects

① The information subject may exercise his / her right for protection of personal information at any time with respect to the Company. 1) Request for viewing personal information 2) Request for correction in case of error 3) Request to removal 4) Request to stop processing ② The exercise of rights under Paragraph 1 can be done in writing, e-mail or FAX on the "Company" and the "Company" will take action without delay. ③ The exercise of rights under Paragraph 1 can be done through the legal representative of the information subject or a representative such as a person who has been delegated. In this case, you must submit a power of attorney according to Form 11 of the Enforcement Regulations of the Personal Information Protection Act. ④ Requests for viewing and suspension of personal information may be restricted by the subject of information subject to Article 35 (5) and Article 37 (2) of the Personal Information Protection Act of Korea. ⑤ A request for correction or deletion of personal information cannot be requested for deletion if the personal information is specified for collection in other laws and regulations. ⑥ “Company” confirms whether the person who made the request, the request for correction or deletion, or the request for suspension of processing according to the information subject's right is the person or the rightful agent.

8. Destruction of personal information

In principle, the “Company” shall destroy the personal information without delay when the purpose of processing personal information is achieved. The procedures, deadlines and methods of destruction are as follows.

- Destruction procedure The information entered by the user is transferred to a separate DB (separate documents in the case of paper) after accomplishing the purpose, and stored or destroyed immediately for a period of time according to internal policies and other relevant laws. At this time, the personal information transferred to the DB will not be used for other purposes unless required by law.

- Braking deadline If the personal information of the user becomes unnecessarily within five days of the end of the retention period when the retention period of the personal information has elapsed, the personal information becomes unnecessary, such as achieving the purpose of processing the personal information, abolishing the service, or terminating the business. The personal information will be destroyed within 5 days from the date when the processing is deemed unnecessary.

-How to destroy Information in the form of electronic files uses a technical method that cannot reproduce the record.

-In the case of dormant members (or dormant accounts), the processing is as follows. > A dormant member (or dormant account) is a member (account) who has not used the Company's services for one year. > Related Law: Article 29 of the Act on Promotion of Information and Communication Network Utilization and Information Protection, etc. and Article 16 of the Enforcement Decree of Korea. > Unused Criteria: Based on the date of login through the website or app to the “Company” > Instructions for dormant members: 30 days in advance via email > Personal information processing for dormant members: separate from other member information > Account Activation: You can activate your dormant account by logging into the website within 4 years after the inactivity date. > Destroy: All personal information will be deleted if 4 years have passed since the account was inactive. > If your personal information has been destroyed since your inactivity, you will need to re-enroll.

9. Retention and use period of personal information under other laws

Customer's personal information is managed according to the privacy policy while the customer uses the services provided by the company. In principle, the customer's personal information will be destroyed when the purpose of collection and the purpose of receiving it is achieved, but the personal information will be retained only in the following cases when it is necessary to preserve it according to the laws and regulations.

- In accordance with Article 85-3 of the National Tax Service Act (the preservation and preservation of books, etc.) the books and documentary evidences concerning all transactions shall be preserved for 5 years from the date of the legal declaration period elapsed. - In accordance with Article 26-2 of the Basic Tax Law (period of enactment of the tax department), the preservation documents for credit processing are preserved for 5 years after the expiration of the civil law (three years). -Preservation for five years from the date on which the reporting deadline has passed, according to Article 112 of the Corporate Tax Law (bookkeeping / bookkeeping). -Proof of documents for all transactions shall be retained for five years from the date when the reporting period has passed, pursuant to Article 116 of the Corporate Tax Law (receipt and storage of documents for expenditure). -If there is a necessity to preserve the tax invoice or receipt issued with the books for five years from the date of final declaration, or the provisions of the Commercial Act, etc., pursuant to Article 31 (Capital) of the VAT Act, And minimal basic information. -During the promised retention period if the retention period is notified to the customer in advance and the retention period has not elapsed and if the customer's consent is obtained individually.

10. Personal Information Protection Officer

① "Company" is responsible for the handling of personal information, and appoints the person in charge of personal information protection as follows to deal with complaints and damages of information subjects related to the processing of personal information. ▶ Personal Information Protection Officer Name: Technical Support Team Leader Position: Team Leader Contact: 070-4077-0100, support@uprism.com ※ You will be connected to the department in charge of personal information protection. ▶ Privacy Department Department Name: Technical Support Team Contact Person: Technical Support Team Leader Contact: 070-4077-0100, support@uprism.com

② User may inquire the personal information protection officer and the department in charge regarding all personal information protection related inquiries, complaint handling, and damage relief that occurred while using the service (or business) of the “Company”. The “Company” will respond promptly to the information subject's inquiries.

11. Change the Privacy Policy

This Privacy Policy will be applied from the effective date, and if there are any additions, deletions, or corrections in accordance with laws and policies, we will notify you through the notice 7 days before the enforcement of the changes.

12. How to ensure the safety of personal information

In accordance with Article 29 of the Personal Information Protection Act of Korea, the “Company” takes the technical, administrative and physical measures necessary to secure safety as follows.

① Conducting regular self-audits In order to ensure the stability of handling personal information, we conduct self-audit on a regular basis (once a quarter).

② Minimization and training of employees handling personal information We have implemented measures to manage personal information by designating employees who handle personal information and limiting it to those in charge.

③ Establishing and implementing an internal management plan We have established and implemented an internal management plan for the safe handling of personal information.

④ Technical measures against hacking, etc. In order to prevent the leakage or damage of personal information by hacking or computer virus, the Company installs security program, updates and checks periodically, installs the system in the area where access is controlled from outside, and monitors and blocks technical and physical There is.

⑤ Encryption of personal information The user's personal information is stored and managed by encrypting the password, so only the user can know it, and important data uses separate security functions such as encrypting files and transmission data or using file locking.

⑥ Storage of access records and prevention of forgery and alteration We keep and manage the records of access to the personal information processing system for at least 6 months and use the security function to prevent the access records from being forged, stolen or lost.

⑦ Restriction on access to personal information We take necessary measures to control access to personal information by granting, modifying and erasing the access right to the database system that handles personal information, and use intrusion prevention system to control unauthorized access from outside.

⑧ Using a lock for document security Documents containing personal information and auxiliary storage media are stored in a safe place with a lock.

⑨ Access control for unauthorized persons We have established and operated access control procedures for physical storage where personal information is stored separately.