The Privacy Policy of Atomy Co., Ltd. outlines the purposes for which personal information is collected, as well as the policy and system-level security measures in place to protect such information. This policy is designed to safeguard the fundamental rights of Atomy members—including privacy, freedom, and the confidentiality of communication—and to prevent human rights violations caused by information leakage.

In accordance with Article 30 of the Personal Information Protection Act, Atomy Co., Ltd. has established and publicly discloses this Privacy Policy to protect the personal information of data subjects and to ensure that any related complaints are handled promptly and efficiently. Through this policy, Atomy informs its members how their personal information is used and what measures are in place to protect it.

If there are any changes or amendments to this Privacy Policy, Atomy will provide appropriate notice through announcements on its website (or individual notifications). We encourage members to regularly visit the Atomy website to review any updates to the policy.

Article 1 – Items of Personal Information Collected and Purposes of Use

Atomy Co., Ltd. uses the personal information it collects for the following purposes. The personal information being processed will not be used for purposes other than those specified below. If the purpose of use changes, Atomy will take necessary measures—such as obtaining separate consent—in accordance with Article 18 of the Personal Information Protection Act.

1. Membership Registration

Category	Required	Optional
Personal Info Items	Name, Date of Birth, Password, Guest Password, Mobile Number	Bank Account Info, Phone Number, Address, Email
Purpose	Identity verification and customer identification
Legal Basis	Consent of data subject

2. Commission Payment and Tax Reporting

Category	Required	Optional
Personal Info Items	Resident Registration Number (or Alien Registration Number), Bank Account Info, Business Registration Number	None
Purpose	Reporting and payment of various taxes such as income tax and resident tax, payment of commissions, and issuance/provision of cash receipts and tax invoices
Legal Basis	Enforcement Decree of the Framework Act on National Taxes Article 68, Income Tax Act Article 145, Value-Added Tax Act Article 16

3. Product Purchase – Shipping Information – Member Orders

Category	Required	Optional
Personal Info Items	Customer Info (Name, Mobile Number, Address, Email, Sender Name), Delivery Info (Name, Mobile Number, Address)	Phone Number, Delivery Message
Purpose	Product delivery, after-sales service (A/S), and complaint handling
Legal Basis	Consent of data subject

4. Product Purchase – Member Payment Information – Credit Card

Category	Required
Personal Info Items	Credit Card Number
Purpose	Payment processing
Legal Basis	Consent of data subject

5. Identity Verification

Category	Required
Personal Info Items	Name, Date of Birth, Mobile Phone Number, Gender, Mobile Carrier, Identity Verification Values (CI, DI)
Purpose	Orderer identity verification, adult authentication, and prevention of unauthorized use
Legal Basis	Consent of data subject

6. Information Update

Category	Required
Personal Info Items	Password, Bank Account Information, Affiliated Center, Guest Password, Telephone Number, Mobile Phone Number, Address, Email
Purpose	Identity verification and customer identification
Legal Basis	Consent of the data subject

7. Marketing Participation (Members and Non-members) – Event Entry, Survey Participation, Promotional Campaigns

Category	Required
Personal Info Items	Member: Name, Member ID, Phone Number, Email Non-member: Name, Email, Mobile Phone Number Shipping Information: Name, Mobile Phone Number, Address
Purpose	Event entry and result notification, prize delivery, survey participation
Legal Basis	Consent of data subject

* Identity Verification Values

• CI (Connecting Information): Personally identifiable information issued by the identity verification agency

• DI (Duplication Information): A unique identifier developed to prevent duplicate registrations

When using services provided by Atomy Co., Ltd. through third-party accounts (e.g., Naver, Apple, Google, Facebook), only the user identification data and personal information for which consent has been obtained from the user will be provided by the respective company and will be processed strictly within the scope of the agreed purpose.

Atomy Co., Ltd. collects personal information through the following methods:

• Website, mobile app, telephone, and customer inquiry board

Users may refuse to consent to the collection and use of their personal information. However, refusal to provide required information may result in the inability to use services such as product purchases and payments. Refusal to provide optional information does not prevent membership registration but may limit access to certain services or benefits that rely on that information.

Article 2 – Retention and Use Period of Personal Information

While a member is using the services provided by Atomy Co., Ltd., their personal information will be retained and used for the purpose of service provision.

However, if the purpose of collection or provision has been fulfilled, or if the member requests withdrawal according to the procedures outlined in Article 47 of Atomy’s Membership Management Regulations, or if the member’s qualification is terminated based on the reasons specified in Article 48, the relevant personal information will be deleted using irreversible technical methods. Once deleted, the information will be rendered inaccessible and unusable for any purpose.

Nonetheless, in accordance with the Commercial Act and other applicable laws, certain data may be retained for a specified period to confirm rights and obligations related to transactions, as detailed below:

• Records related to contracts or withdrawal of subscription: 5 years

• Records related to payments and supply of goods or services: 5 years

• Records related to consumer complaints or dispute resolution: 3 years

• Information retained to prevent re-registration within 1 year of withdrawal and to identify individuals not eligible as Atomy members under internal policy: 3 years

• Automatically collected information during internet service usage: 3 months

• Survey/research data: Deleted 3 months after completion

• Records related to marketing and promotional events: Until the purpose is fulfilled

• 1:1 customer inquiries from non-members: Upon completion of consultation

Article 3 – Provision and Sharing of Personal Information

As a general rule, Atomy Co., Ltd. does not provide or share members’ personal information with third-party companies or institutions that are unrelated to the services provided to members. However, personal information may be provided without the member’s consent in the following exceptional cases:

1. When it is reasonably determined that personal information must be disclosed in order to take legal action against individuals who have violated Atomy’s membership regulations, caused harm to others through the use of Atomy’s services, or committed unlawful acts that violate public order or morals.

2. When required by law or upon request from investigative authorities, in accordance with the procedures and methods prescribed by applicable laws for investigative purposes.

3. For the purpose of providing the Atomy PP service, Atomy Co., Ltd. provides the following personal information to a third party:

• Recipient: Atomy Aza Co., Ltd.

• Purpose of Provision: Login to Atomy Aza Co., Ltd. services

• Personal Information Provided: Name, Date of Birth, Member ID, Phone Number, Email

• Retention Period: Until the member withdraws from Atomy

Article 4 – Outsourcing of Personal Information Processing and Provision to Contractors

To improve service quality, Atomy Co., Ltd. may entrust the collection, handling, and management of personal information to third-party contractors. In accordance with relevant laws, Atomy includes strict provisions in its outsourcing contracts to ensure that personal information is securely managed.

1. For the efficient handling of personal information tasks, the company entrusts certain services as follows:

① Operation of Call Center Services

• Contractor (Service Provider): CJ Telenix (Digital-ro, Guro-gu, Seoul)

• Entrusted Tasks: Responding to member inquiries by phone, providing information on departments and staff, etc.

• Shared Information: Name, Date of Birth, Member ID, Phone Number, Mobile Number, Shipping Address, Order History

2. Atomy Co., Ltd. provides personal information to the following service providers only within a limited scope necessary for the fulfillment of designated services.

Contractor	Task	Retention & Use Period
Direct Selling Compensation Fund	Performing tasks necessary for the establishment, maintenance, execution, and management of consumer damage compensation insurance contracts	Atomy AZA Co., Ltd.	Identity verification for AZA Mall
Identity verification and order inquiry for the PP service
CJ Logistics	Product delivery
Korea Credit Card Payment Co., Ltd.	Credit card payment
KMAC (Korea Management Association Consulting)	Customer satisfaction & marketing surveys
WooSoo Tax Corporation	Tax consultation and related outbound/inbound calls
Spectra	Chat cloud service provision
Amazon Web Services, Inc	Handling of Personal Information in Cloud Environments

3. When entering into an outsourcing contract, Atomy Co., Ltd. specifies, in accordance with Article 25 of the Personal Information Protection Act, that the contractor is prohibited from processing personal information beyond the scope of the delegated task. The contract also includes technical and administrative safeguard requirements, restrictions on subcontracting, supervision and management of the contractor, and liability for damages. Atomy monitors whether the contractor is processing personal information safely.

4. If the content of the outsourced task or the contractor is changed, such changes will be promptly disclosed through this Privacy Policy.

Article 5 – Procedures and Methods for Destruction of Personal Information

① Procedures and Methods for the Destruction of Personal Information by Atomy Co., Ltd.

② Destruction Procedure

1. Atomy Co., Ltd. promptly destroys customers' personal information without delay once the purpose of retention, as specified in the retention and use period, has been fulfilled.

2. In accordance with Article 39-6 of the Personal Information Protection Act, Atomy deletes or stores separately the personal information of members who have not used the service for one year.

- This does not apply where another law prescribes a different retention period or where the data subject has requested a different period.

- At least 30 days prior to expiration, Atomy will notify members of the fact that their personal information will be destroyed or stored separately, the expiration date, and the details of the relevant information.
(Pursuant to Article 48-5 of the Enforcement Decree of the Personal Information Protection Act, such notice will be given by one of the following means: email, written notice, fax, telephone, or other similar methods.)

- If the personal information is retained rather than destroyed, it will be stored separately from other data and files in a logically isolated manner. Unless otherwise required by the Personal Information Protection Act or another law, the retained information will not be used or provided for any other purpose.

③ Destruction Method

- Personal information printed on paper is destroyed by shredding or incineration. Personal information stored in electronic file format is permanently deleted using methods that make restoration impossible. In this context, "irreversible" refers to methods that, based on current technological standards and general social consensus, would require a level of cost and effort that renders data recovery impractical.

- If the processing of such personal information has been delegated to a third party, Atomy ensures that the contractor is no longer able to access or process the relevant personal information.

Article 6 – Rights and Obligations of Data Subjects and Methods of Exercising Them

1. Data subjects may exercise the following rights related to personal information protection at any time with respect to the company:

① Request to access personal information

② Request correction of any errors

③ Request deletion

④ Request suspension of processing

2. The rights listed in Paragraph 1 may be exercised by submitting a request to the company via written document, telephone, email, fax, or other means. The company will respond without undue delay.

3. If a data subject requests the correction or deletion of personal information due to an error, the company will not use or provide the relevant personal information until the correction or deletion is completed.

4. The rights under Paragraph 1 may also be exercised through a legal representative or an authorized agent. In such cases, a power of attorney must be submitted using Form No. 11 of the Enforcement Rules of the Personal Information Protection Act.

5. Data subjects must not violate the Personal Information Protection Act or other applicable laws by infringing on their own or others’ personal information and privacy being processed by the company.

Article 7 – Technical and Administrative Safeguards

① Technical Measures

Atomy Co., Ltd. implements the following technical measures to ensure the security of personal information and to prevent its loss, theft, leakage, alteration, or damage during handling:

• Members’ personal information is protected by passwords. Important data is protected using additional security measures, such as encryption of files and transmitted data or file locking functions.

• Atomy uses antivirus software to prevent damage caused by computer viruses. The antivirus software is regularly updated, and in the event of a virus outbreak, updates are immediately applied to prevent any compromise of personal information.

• Atomy adopts secure transmission protocols (such as SSL or SET) using encryption algorithms to transmit personal information safely over networks.

• Each server is equipped with intrusion prevention systems and vulnerability analysis systems to guard against external threats such as hacking.

② Administrative Measures

• Access to members’ personal information is limited to the minimum number of authorized personnel. Employees who handle personal data are provided with regular internal and outsourced training on new security technologies and their responsibilities under data protection laws.

• Upon employment, all employees sign a confidentiality agreement to prevent human-caused data breaches in advance. Atomy has also established internal procedures to monitor compliance with its privacy policy.

• The handover of duties related to personal information is conducted under secure conditions, and responsibility for personal data incidents is clearly defined both during and after employment.

• Atomy is not responsible for any incidents resulting from users’ own negligence or the inherent risks of using the internet. Each member is responsible for properly managing their own ID and password to protect their personal information.

• In the event of a personal data breach due to internal management error or technical issues, Atomy will promptly notify the affected member(s) and take appropriate measures.

Article 7-1. Matters Related to the Collection, Use, Provision, and Rejection of Behavioral Information

Atomy Co., Ltd. does not collect, use, or provide behavioral information for purposes such as personalized online advertising.

Article 8 – Management of Member ID and Password

The member ID and password used by the member are, in principle, intended for use only by the member.

Atomy Co., Ltd. shall not be held liable for any issues arising from the theft, misuse, or unauthorized use of a member’s ID or password, unless such incidents are caused by Atomy’s intentional misconduct or gross negligence.

Under no circumstances should a member disclose their password to others. Members must exercise special caution to ensure that their personal information is not exposed to others while logged in.

If it is found that someone has used another person’s personal information to register or make a purchase, the membership contract may be unilaterally terminated. In such cases, the offender may be subject to criminal penalties under the Resident Registration Act, including imprisonment of up to three years or a fine of up to KRW 10 million.

Article 9 – Protection of Personal Information of Children Under Age 14

Atomy Co., Ltd. only allows individuals aged 20 and over to register as members.

Article 10 – Personal Information Protection Officer

Atomy Co., Ltd. is fully responsible for overseeing tasks related to the processing of personal information and has designated the following Personal Information Protection Officer and staff to handle complaints and provide remedies related to personal data processing.

For any inquiries, complaints, or matters related to the protection of personal information arising from the use of Atomy’s services (or business), you may contact the Personal Information Protection Officer or the responsible department below.

Atomy is committed to providing prompt and sufficient responses to all inquiries from data subjects.

① Personal Information Protection Officer

• Name: Choi Seung-gon

• Position: Chief Executive Officer (CEO)

• Phone: +82-2-1544-8580

• Email: atomy@atomypark.com

※ This email connects to the department in charge of personal information protection.

② Personal Information Protection Manager (Operational Staff)

• Department: Information Security Team, DX Division

• Name: Chae Jeong-yeop

• Phone: +82-2-1544-8580

• Email: jychae@atomypark.com

Article 11 – Remedies for Infringement of Rights

Data subjects may contact the following organizations for inquiries related to the infringement of personal information. These organizations are independent from the company, and if you need to report or seek consultation on a personal data breach, please contact one of the institutions listed below.

▶ Personal Information Infringement Report Center & Dispute Mediation Committee(Operated by the Korea Internet & Security Agency – KISA)

• Services: Reporting of personal data breaches, consultation requests, and dispute mediation

• Website: https://privacy.kisa.or.kr

• Phone: 118 (toll-free, within Korea)

▶ Supreme Prosecutors’ Office – Cybercrime Investigation Division

• Website: https://www.spo.go.kr

• Phone: 1301 (toll-free, within Korea)

▶ Korean National Police Agency – Cyber Bureau

• Website: https://cyberbureau.police.go.kr

• Phone: 182 (toll-free, within Korea)

For additional consultation related to personal data breaches or damages, you may also contact the Personal Information Infringement Report Center at KISA: https://privacy.kisa.or.kr / Phone: 118

Article 12 – Installation, Operation, and Refusal of Automatic Data Collection Devices (Cookies)

1. What is a Cookie?

- The company uses "cookies" to store and retrieve users’ information in order to provide personalized and customized services.

- A cookie is a very small text file sent by the server used to operate the website to the user’s browser, and it is stored on the hard drive of the user's computer. When the user revisits the website, the server reads the contents of the stored cookie to maintain user preferences and provide a customized experience.

- Cookies do not automatically or actively collect information that personally identifies individuals, and users may refuse or delete cookies at any time.

2. Purpose of the Company’s Use of Cookies

Cookies are used to remember the login ID of users visiting Atomy’s websites.

3. Installation, Operation, and Refusal of Cookies

- Users have the right to choose whether to allow cookies. Accordingly, users can configure their web browser settings to allow all cookies, to notify them each time a cookie is stored, or to block all cookies.

- However, if cookies are disabled or rejected, some services on Atomy’s website that require login may not function properly.

- How to configure cookie settings (for Internet Explorer):

① Click the [Tools] menu and select [Internet Options]

② Click the [Privacy] tab

③ Set your desired level of privacy using the privacy settings slider

Article 13 – Installation and Operation of Video Surveillance Equipment (CCTV)

① Atomy Co., Ltd. installs and operates video surveillance equipment (CCTV) as follows:

1. Legal Basis and Purpose of Installation:

To ensure facility safety and prevent fires at Atomy Co., Ltd.

2. Number of Devices, Installation Locations, and Coverage Areas:

A total of six (6) cameras are installed throughout the Atomy Park building, including in the main lobby and the data center. The cameras cover all areas of the major facilities.

3. Manager, Responsible Department, and Authorized Personnel for Access:

o Manager in Charge: Deputy General Manager Lee Min-ju

o Department: Facility Management Team, Atomy Co., Ltd.

4. Recording Time, Retention Period, Storage Location, and Processing Method:

o Recording Time: 24 hours a day

o Retention Period: 30 days from the time of recording

o Storage Location and Processing Method: Stored and managed in the CCTV Control Room of the Facility Management Team

5. How and Where to Access Video Footage:

Requests must be submitted to the manager in charge (Facility Management Team).

6. Response to Data Subjects’ Requests to Access Video Footage:

A request form must be submitted for access or confirmation of personal video footage. Access will only be granted if the individual is the data subject or if it is clearly necessary to protect the data subject’s life, physical safety, or property.

7. Technical, Administrative, and Physical Safeguards for Video Data Protection:

Internal management plans are in place, including access control and restriction of permissions, secure storage and transmission technologies, logging of processing activities, anti-tampering measures, and the installation of secure storage facilities with locking mechanisms.

Article 14 – Changes to the Privacy Policy

• Version: v3.3

• Effective Date: December 01, 2022

The Privacy Policy of Atomy Co., Ltd. outlines the purpose of collecting personal information and the regulatory, policy, and system-based security measures implemented to protect it. This policy is designed to safeguard the fundamental rights of Atomy members—such as privacy, freedom, and the confidentiality of communications—and to prevent any human rights violations resulting from the leakage of personal information.

In accordance with Article 30 of the Personal Information Protection Act, Atomy Co., Ltd. has established and discloses this Privacy Policy to protect the personal information of data subjects and to ensure that any related grievances are handled promptly and efficiently. Through this policy, Atomy informs its members about how their personal information is used and what measures are taken to protect it.

If this Privacy Policy is revised or updated, Atomy will provide appropriate notice through website announcements (or individual notifications). We encourage members to visit the Atomy website regularly to stay informed of any changes.