Global Systems Co., Ltd. (hereinafter referred to as "the Company") processes personal information legally and manages it safely in compliance with the Personal Information Protection Act and related laws to protect the freedom and rights of data subjects. In accordance with Article 30 of the Personal Information Protection Act, we establish and disclose the following privacy policy to guide data subjects on procedures and standards for personal information processing and to enable prompt and smooth handling of related grievances.

1. Purpose of Personal Information Processing

The Company processes personal information for the following purposes. The personal information being processed will not be used for purposes other than those listed below, and if the purpose of use changes, necessary measures such as obtaining separate consent will be implemented by Article 18 of the Personal Information Protection Act.

• ① Customer Support Inquiries: Receiving customer inquiries and suggestions with data subject consent

2. Personal Information Processing and Retention Period

• ① The Company processes and retains personal information within the personal information retention and use period according to laws or the personal information retention and use period agreed upon when collecting personal information from data subjects.
• ② Personal information processing and retention periods are as follows:
  a. Customer Support Inquiries: (Required) Name, contact information, email, company name, position, (Retention period) 1 year after customer inquiry
• ③ Related laws: Records of consumer complaints or dispute resolution: 3 years, Records of credit information collection/processing and use: 3 years, Records of contracts or subscription withdrawal: 5 years, Records of advertising/promotion: 6 months

3. Processing of Personal Information of Children Under 14

The Company does not collect personal information from children under 14 years of age

4. Third-Party Provision of Personal Information

The Company does not provide data subjects' personal information to third parties.

5. Personal Information Destruction Procedures and Methods

• ① The Company destroys personal information without delay when it becomes unnecessary due to the expiration of the retention period, achievement of the processing purpose, etc.
• ② When personal information must continue to be preserved according to other laws despite expiration of the agreed retention period or achievement of the processing purpose, the relevant personal information is moved to a separate database (DB) or stored in a different location.
• ③ The Company destroys information without delay according to retention and use periods after achieving the purpose of use for collected personal information. Destruction procedures, methods, and timing are as follows:
  - Personal information entered by customers for service use is deleted or destroyed after the retention period, according to internal policies and information protection reasons under other related laws (refer to personal information retention and use period above), has elapsed, following achievement of use purposes such as service termination. Generally, personal information collected and managed by the Company in electronic file format is deleted immediately upon achieving the objective.
  - Personal information printed on paper is destroyed by shredding with a shredder, incineration, or dissolution through chemical treatment, and personal information stored in electronic file format is deleted using technical methods that make records irreproducible.

6. Data Subject Rights and Obligations and Exercise Methods

• ① Data subjects may exercise rights such as personal information access, correction, deletion, and processing suspension against the Company at any time.
• ② Rights may be exercised against the Company through written documents, email, fax, etc., by Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act, and the Company will take action without delay.
• ③ Rights may also be exercised through representatives such as legal representatives or authorized persons of data subjects. In this case, a power of attorney must be submitted according to Attached Form No. 11 of the "Notice on Personal Information Processing Methods (No. 2020-7)".
• ④ Personal information access and processing suspension requests may be limited according to Article 35, Paragraph 4, and Article 37, Paragraph 2 of the Personal Information Protection Act.
• ⑤ Requests for correction and deletion of personal information cannot be made when such personal information is specified as a collection target in other laws.
• ⑥ The Company verifies whether the person making requests for access, correction/deletion, or processing suspension according to data subject rights is the person themselves or a legitimate representative.

7. Personal Information Security Measures

The Company implements the following technical, administrative, and physical measures necessary to secure safety and prevent personal information from being lost, stolen, leaked, altered, or damaged.

• ① Establishment and implementation of internal management plans: Internal management plans are established and implemented for personal information protection.
• ② Minimization and education of personal information handlers: We designate and minimize personnel handling personal information and implement measures to manage personal information.
• ③ Encryption of personal information: Users' personal information passwords are encrypted and stored/managed so only the individual can know them, and essential data uses separate security functions such as encrypting files and transmission data or using file lock functions.
• ④ Technical measures against hacking: The Company's website installs security programs and conducts regular updates and inspections to prevent personal information leakage and damage due to hacking or computer viruses, and systems are installed in areas with controlled external access and monitored/blocked technically and physically.
• ⑤ Access control for unauthorized persons: Separate physical storage locations for personal information processing systems storing personal information are maintained, and access control procedures are established and operated.

8. Changes to Privacy Policy

• ① When there are additions, deletions, or modifications to this privacy policy, changes will be announced through the website 7 days before implementation.
• ② This privacy policy applies from May 1, 2025.