Privacy Policy

The Company collects the following personal information for service provision: • Required: Email address, name (nickname) • Optional: Profile image (via OAuth login) • Automatically collected: IP address, access time, browser type, API call records • Payment-related: Payment method information is processed directly by TossPayments; the Company does not store original payment credentials.

Collected personal information is used for the following purposes: • Service provision and account management: User identification, service access management • Fee processing: Subscription management, usage-based billing, invoice issuance • Customer support: Inquiry response, service disruption notification • Service improvement: Usage statistics analysis, service quality enhancement • Legal compliance: Record retention as required by applicable laws

The Company retains and uses personal information until the User withdraws their membership. However, the following records are retained for the specified periods as required by applicable laws: • Records of contracts or subscription withdrawal: 5 years (Electronic Commerce Act) • Records of payment and goods supply: 5 years (Electronic Commerce Act) • Records of consumer complaints or dispute resolution: 3 years (Electronic Commerce Act) • Records of access logs: 3 months (Protection of Communications Secrets Act)

The Company does not provide personal information to third parties as a general rule. However, the following exceptions apply: • TossPayments and PG partners: For payment processing purposes (payment method information, payment history) • Requests by law: Lawful requests by investigative agencies following proper procedures • With prior consent of the User

The Company outsources personal information processing for service operation as follows: • Cloud infrastructure provider: Server operation and data storage • Payment processing: TossPayments — Subscription payment and billing management Changes to outsourced tasks or contractors will be announced through this Privacy Policy.

Users may exercise the following rights regarding personal information protection at any time: • Request to access personal information • Request correction of errors • Request deletion (except where retention is required by law) • Request suspension of processing • Withdraw consent Rights may be exercised through the account page or by contacting xand.master01@gmail.com. The Company will take action without delay.

The Company takes the following measures to ensure the security of personal information: • Password encryption: bcrypt hashing algorithm applied • Data transmission encryption: HTTPS (TLS 1.2 or higher) applied • API key security: SHA-256 hashing storage (original not stored) • Access control: Role-based access control and IP-based request limiting • Security headers: HSTS, X-Content-Type-Options, X-Frame-Options applied

The Company uses cookies for the following purposes: • Session management: Maintaining login status (NextAuth.js session cookies) • Locale settings: Maintaining language preferences Users may refuse cookie storage through browser settings; however, this may limit access to services requiring login.

The Company designates the following Privacy Officer responsible for personal information processing: • Email: xand.master01@gmail.com For reports or consultations regarding personal information violations, please contact: • Personal Information Infringement Report Center (privacy.kisa.or.kr / 118) • Supreme Prosecutors' Office Cyber Investigation Division (spo.go.kr / 1301) • National Police Agency Cyber Bureau (ecrm.police.go.kr / 182)

This Privacy Policy is effective as of March 1, 2026.