PRIVACY POLICY

CTK Co., Ltd (“Company”) highly values the personal information of user (client or member, hereinafter collectively referred to as “Member”) of the CTKCLIP (“CLIP”) and makes every effort to protect the personal information of the Member. In compliance with Article 30 of the Personal Information Protection Act of Korea, the Company has established and implemented this privacy policy (“Privacy Policy”) as stated herein. This Privacy Policy is a basic guideline established to protect personal information and may be modified from time to time following the internal policy of the Company. In such case, the modified version may be posted on the Company or CLIP’s website (www.ctkclip.com).

Article 1 (Consent to the Collection and Use of Personal Information)

CLIP operates as a website managed by the Company. Users can access most of the services provided by CLIP by completing the membership registration process, such as creating an ID and password, and logging in. Users can indicate their consent to the collection of personal information during the membership registration process, and if they agree, it is considered that they have consented to the collection of personal information.

Article 2 (Personal Information Items to be Collected)

The Company collects following information related to an individual (“Personal Information”) in providing the Company’s goods and services.

1. Website Membership Registration and Management

(1) Required Items: name, email address (ID), password, country, language, company or brand name, business type.

(2) Optional Items: contact number, homepage address, how to find the Website.

2. The Provisions of Goods or Services

(1) Required Items: address, name, company or brand name, contact number, email address, business registration number, payment information (For payment by remittance: name of bank, account holder’s name, remitter’s name

(2) For payment by credit card: payment information including card company name, card number or etc.)

Article 3 (The Purpose of Processing Personal Information)

The Company processes only the minimum extent of the Personal Information required for providing services when a user registers as Member. Except for the following cases, the Company will not use the Personal Information for other purposes. The Company will obtain consent from the Member if there is any change in the purpose of use.

1. Performance of Contract in regard to Provision of Services

(1) Supplying products, services, placing orders, or making payments.

(2) Submission of consent forms, contracts, or other documents or information

(3) Shipping of goods or sending invoices

(4) Individual identification for financial transactions

(5) Requesting assistance with purchase inquiries

2. Membership Management

(1) Identification by service use

(2) Provision of age-restricted services

(3) Customer service such as handling consumer complaint or inquiries

(4) Securing communication channels such as delivering notifications

(5) Resetting lost or forgotten password

(6) Records for dispute resolution

(7) Prevention of illegal or unauthorized use of a bad member

(8) Verification of duplicated registration

3. New Services and Use of Marketing

(1) Notifications of new services and events

(2) Provision of customized services

(3) Preparation of analysis data according to demographic characteristics, provision of services, and posting advertisement

Article 4 (Processing Personal Information and Retention Period)

1. In principle, the Company destructs Personal Information of the Member without delay when the purposes of its collection and use have been achieved; provided that, the following information may be retained for a specified period for the reasons stated as follows:

(1) Retained Items: ID and password, name, date of birth, address, contact number, phone number, SMS receipt status, email address, newsletter receipt status, login date, PC specifications, records on use of services, a legally official representative, PC IP

(2) Retain basis: For the purposes of handling with consumer complaint and dispute resolution when the Member withdraws from the Website: 90 days

(3) Records on the website visit: 3 years

(4) In case of obtaining consent by the Member, then until the consented date: 30 days after the withdrawal upon the consent of the Member

2. Website Membership Registration and Management: Until the withdrawal of business/entity membership on the website (However, in cases where the following reasons apply, until the date when the retain basis is completed).

(1) If an investigation is in progress due to a violation of the relevant laws and regulations, then until the relevant investigation is completed.

(2) If the bond/debt remains in relation to use of the Website, then until the settlement of the relevant bond/debt relationship is resolved.

(3) Provision of goods or services: Until the supply of goods and services is completed, and the payment and settlement of the fee is completed.

(4) Records on fair labeling and advertising: 6 months

(5) Telecommunication date and time, start/end time, membership number, frequency of use, tracking data of location: 1 year

(6) Computer communications, Internet log record data, access destination tracking data: 3 months

3. After the purposes of collection are achieved, the Member’s Personal Information may be retained for a certain period of time as stated below if it is necessary to preserve it in compliance with the laws such as the Consumer Protection Act, the Personal Information Protection Act, the Commercial Act, and the Framework Act on National Taxes.

Information to be retained	Retain basis	Retention Period
Records on a contract or revocation of offer	Act on the Consumer Protection in Electronic Commerce, etc.	5 years
Records on payment and supply of goods	Act on the Consumer Protection in Electronic Commerce, etc.	5 years
Records on electronic financial transactions over 10,000 Won(KRW) per case	Electronic Financial Transactions Act	5 years
Records on consumer complaint or dealing dispute	Act on the Consumer Protection in Electronic Commerce, etc.	3 years
Records on electronic financial transactions less than 10,000Won(KRW) per case	Electronic Financial Transactions Act	1 year
Records on personal identification	Act on Promotion of Information and Communications Network Utilization and Information Protection	6 months

Article 5 (Entrusting Processing Work of Personal Information)

1. The Company may outsource the management of Member’s Personal Information to an external professional agency for the purpose of service enhancement and other related activities. In the event of outsourcing Personal Information processing tasks, the Company will make a written agreement specifying the prohibition of processing Personal Information beyond the intended purpose of the outsourcing task. Additionally, the Company will regulate matters pertaining to the technical and administrative protective measures for the management and supervision of Personal Information, ensuring safe management of the Personal Information.

2. The entrusted party and the details of the tasks for which Personal Information processing is outsourced are as follows:

Entrusted Party	Details of Personal Information Processing Tasks
Wylie	System reconstruction and website maintenance services

※ "Outsourcing of Personal Information Processing Tasks" refers to entrusting personal information to external third parties for the purpose of achieving the objectives of the personal information processor (such as call centers, after-sales service centers, and cloud services). ※

※ When conducting operations involving the use of domestic customers' databases by overseas corporations, it falls under the outsourcing of personal information processing due to overseas transfer (data storage, call center support, etc.) ※

Article 6 (Providing Personal Information to Third Party)

1. Except for the following cases, the Company generally does not disclose the Personal Information of the Member to a third party:

(1) Upon prior consent by the Member

(2) Need for fee settlement in relation to providing services; or

(3) In compliance with the provisions of relevant laws and regulations, such as the Framework Act on Telecommunications and the Telecommunications Business Act, or in accordance with the procedures and methods prescribed by statutes for the purpose of investigation.

2. The Company provides at a minimum extent of the Personal Information to the third party upon approval by the Member as follows:

Entrusted Company	Purpose to Provide	Items to be provided	Retention and Use period
CJ Logistics	Collection of delivery information for ordered products and provision of delivery service	Name, address, phone number, email address	Purpose of Collecting and Processing Personal Information is fulfilled
Colosseum corporation
Korea Post
Simple Postage, Inc.
EasyPost
CTK USA
NHN KCP Corporation	Simple Postage, Inc.	Payment agent service (PG) Name, address, card number, account number
Eximbay
PayPal Pte. Ltd
Mixpanel	Marketing Analysis	Device Information, User Behavior Data, Event Data,Session Information,Identifiers	During the marketing analysis period
PLATEER	Providing AI chatbot-based customer consultation and response services	Chat history, connection logs (IP address, cookies, etc.), member identification values	Until membership withdrawal or termination of the entrustment contract

3. The Company may provide the Personal Information to related institutions without the Member’s approval subject in the event of emergency such as a disaster, an infectious disease, and urgent life or physical risk, or an urgent property loss.

Article 7 (Matters concerning the Installation, Operation, or Refusal of an Automatic Personal Information Collection Device)

1. In order to provide specialized and customized services to the Member, the Company operates a “cookie (access information file)” that stores and finds the Member’s information from time to time.

2. The Company identifies the Member’s computer with regard to cookie operation but does not identify the Member personally.

3. The Member has an option for cookie installation. So the Member may allow all cookies by checking [Tool] > [Internet Option] > [Security] > [Custom] in the web browser, make each cookie checked whenever it is saved, or refuses all cookies to be saved; Provided however, if the Member rejects to install cookies, it may be restricted from using a part of the services provided by the Company.

Article 8 (Matters concerning the Collection, Use, Refusal of Behavioral Information)

1. In the process of using the service, the Company collects and uses behavioral information to provide customized services, benefits, and online customized advertisements to the Member.

2. The Company collects behavioral information as follows.

(1) Items of behavioral information to be collected: the member’s website/application service visit history, search history, purchase history.

(2) Behavioral information collection method: automatically collect when the Member visits/runs the websites and application.

(3) Purpose of collecting behavioral information: to provide personalized product recommendation services (including advertisements) based on the Member' interests and tendencies.

(4) Period of retention/use and the method of processing information afterwards: Until the purpose of the work is achieved.

3. The Company collects only the minimum behavioral information necessary for online customized advertisements and does not collect sensitive information, such as beliefs, family and relatives, educational/medical history, and other social activities, which may clearly infringe on the individual’s rights or privacy.

4. The Company does not collect behavioral information from the children under age 14 or from the online service in which major users are under age 14 for customized advertising purposes. The Company does not provide customized advertisements to the children under the age of 14.

5. The Company collects and uses advertisement identifiers for online customized advertisements in mobile applications. The Member can block and allow customized advertisements of the application by changing the settings in the mobile phone.

‣ Blocking/Allowing Advertising Identifiers on Smartphones

(1) (Android) Settings → Personal Information Protection → Advertising → Reset Advertising ID or Delete Advertising ID

(2) (iPhone) Settings → Personal Information Protection → Tracking → Turn off the allow button of tracking

※ The menu and method may vary slightly depending on the OS version.

6. The Member can block/allow customized online advertisements collectively by changing Cookie settings in their web browser. However, changing cookie settings may impact in using the part of services such as automatic website login.

‣ Block/allow customized advertisements through a web browser.

(1) Internet Explorer (Internet Explorer 11 for Windows 10)

- In Internet Explorer, select the Tools button, and then select Internet Options.

- Select the Privacy tab, select Advanced under Settings, and then select Block or Allow Cookies.

(2) Microsoft Edge

- Top right '…' on edge…' Click Show, and then click Settings.

- Click 'Personal Information, Search and Services' on the left side of the settings page and select whether or not to 'Prevent Tracking' and the level in the 'Prevent Tracking' section.

- Select whether 'Always use 'Strict' Tracking Protection when searching for InPrivate'.

- In the "Personal Information" section below, select "Send No Tracking Request".

(3) Chrome browser

- In Chrome, click Show '⋮' in the upper right corner (Chrome Customization and Control), and then click Show Settings.

- Click "Show Advanced Settings" at the bottom of the Settings page and click Content Settings in the "Privacy" section.

- In the Cookies section, select the checkbox for Block third-party cookies and site data.

Article 9 (Measures to Ensure Stability of Personal Information)

The Company takes all managerial, technical, and physical measures that are necessary to ensure safety as prescribed in Article 29 of the Personal Information Protection Act so that the personal information may not be lost, stolen, divulged, forged, altered, or damaged.

1. Managerial measures: Establish and execute internal management plan, regular education of employees, establish and execute of the Company’s regulations or manual on the Personal Information protection.

2. Technical measures: Managing access rights to the Personal Information processing systems, installation of access control of Personal Information process system, installation of encryption of unique identification information, installation of security programs, etc.

3. Physical measures: Control of access to computer rooms or to data storage rooms, etc. Only a registered server administrator is allowed to access the computer room. General executives and employees are not allowed to access the room.

Article 10 (Chief Privacy Officer (CPO))

The Chief Privacy Officer (CPO) and a department responsible for privacy protection and handling complaints are as follows:

1. Chief Privacy Officer (CPO)

Name	Email Address	Contact
Ian Chung	it@ctkclip.com	+82-2-6283-7200

2. Personal Information Protection Department

Department	Email address
IT Team	it@ctkclip.com

Article 11 (Infringement on Rights and Remedies)

1. Regarding the management of members' personal data: The Member has a right to withdraw its consent to collect Personal Information by clicking [My Profile > Delete Account] on the website or in writing, or by phone call or email to the Chief Privacy Officer. In such case, the Company makes sure of the Member’s identity and then takes measures to destruct the Personal Information unless the relevant laws are regulated differently; however, if Personal Information is destructed due to the withdrawal, any relevant information generated and accumulated while using the services on the website may be destroyed all together.

2. The Member has a right to access or correct Personal Information of its own by clicking an account information tab on the Website and the Company thereafter takes necessary measures.

3. If a representative of a member visits the Company to request access or correction of information, the Company will verify whether the individual is the true representative of the member. In such cases, the Company may request the presentation of evidence indicating the relationship.

4. If there is a legitimate reason to refuse to allow accessing or correcting all or part of the Personal Information of the Member, the Company must notify the Member without delay and explain the reason.

5. Modification of required items provided by the Member at the time of signing up for membership, such as name, date of birth, email address, may cause errors in the Company’s services so in relation to such modification, the Company may request a separate procedure to the Member in order to provide a smooth and stable services.

6. The Member may inquire to the following institutions for damage relief and counseling for the Personal Information infringement.

(1) Personal Information Infringement Reporting Center: 118 (privacy.kisa.or.kr)

(2) Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)

(3) Prosecution Service: 1301 (www.spo.go.kr)

(4) National Police Agency: 182 (ecrm.cyber.go.kr)

Article 12 (Processing Personal Information of Children Under Age 14)

1. The Company provides B2B services and does not take membership applications from the children under age 14 due to the Personal Information Protection Act and contract issues.

2. Anyone who desires to register on the website must provide a legal date of birth and check the field of “age 14 or over.” The Company shall not be legally responsible for any liabilities caused by incorrect or false information provided by the Member.

Article 13 (Procedure and Method of Destruction of Personal Information)

1. The Company destructs the Personal Information of the Member immediately after the purpose of use is achieved or the Member requests to terminate the services; however, the information may be retained if the relevant laws and regulations require.

2. In principle, the Company destroys the Member’s Personal Information in a way that cannot be restored when the retention period is elapsed, or the purpose of use is achieved. Electronic file types are safely deleted using technical methods that cannot be recovered and restored, and the Personal Information printed on paper is destroyed by shredding or incineration.

Article 14 (Rights and Obligations of the Member and Authorized Agent, and Methods of Exercise)

1. The Member may exercise the following rights as an individual; however, in such cases, use of all or a part of services may be restricted.

(1) Request to Cease Providing or Use Beyond the Purposes: If the Personal Information of the Member is provided or used beyond the scope of the agreed purposes, the Member may request for immediate cessation of use.

(2) Withdrawal of Consent in relation to Collection, Use, View, and Provision for Marketing Purposes: After the Member agrees to the marketing purposes, the Member may withdraw (reject marketing) or refuse to receive a marketing call. The Company will notify the Member of the results of the action against the withdrawal (reject marketing) or refusal to receive a call within ten (10) days.

(3) Denial of Receiving Commercial Information: The Member may refuse to receive commercial information such as text messages, emails etc.

(4) Right to View/Access and Correction/Deletion: The Member may anytime view and access to the own Personal Information retained by the Company. If there is incorrect information, the member may request for correction or deletion. After receiving the requests by the Member, the Company immediately processed the matters and in case the Personal Information has already been entrusted or provided, the results of the processing will be notified without delay so that the correction or destruction can be made.

(5) Right to Withdrawal from collection, access, use and provision of Personal Information and Personal Credit Information: The Member may withdraw its consent on collecting, viewing, using or providing the Personal Information and Personal Credit Information; however, the Member may not withdraw for the purpose of evaluating an individual’s creditworthiness by providing it to a credit inquiry company or a credit information center, and if the Member withdraws its consent to provide information due to contract maintenance, management, counseling, or other consignment, the Member must clarify that you will not receive the service.

(6) Right to Request Notification of Provision: In case where the Company provides the Member’s Personal Information to a third party, then you may request to be notified of the fact that the information is provided.

2. The Member may exercise the rights under paragraph 1 of this Article by writing, email, or facsimile in accordance with Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act and the Company will take measures without delay.

3. Member’s rights under paragraph 1 of this Article may be exercised through the Member’s legal representative or delegates. In this case, you must submit a power of attorney in accordance with Form 11 of the “Notification of the method of processing Personal Information (No. 2020-7)”.

4. A request for correction or deletion of the Personal Information is not allowed if the other laws and regulations specify that the information is subject to collection.

5. The Company will verify the person who requests to access, correction/deletion, suspension of processing is the person himself or authorized agent.

Article 15 (Department which Collects and Handles Requests for Access to the Personal Information)

The Member may request to the following department about accessing the Personal Information in accordance with Article 35 of the Personal Information Protection Act:

Department	Name	Contact
Department which collects and handles requests for access to the Personal Information
IT Team	Do Hyoung Kim	+82-2-6283-7200

Article 16 (Amendment of the Privacy Policy)

This Privacy Policy will be effective as of January 30, 2026.

Article 17 (Duty to Notify)

This Privacy Policy may be modified from time to time in accordance with the amendment of the regulations or security technology and the Company will notify the Member of such changes and reasons on its website or by means of sending emails before the effective date of the latest version.