Privacy Policy

Effective Date: April 2, 2026

Article 1. Items and Methods of Personal Information Collection

1. Items Collected

Category	Items Collected
Member Information	Email address, mobile phone number, password
Payment Information	Card information (cardholder name, expiration date)
Passport Information	Name, passport number, date of birth
Device Information	Smart device information (OS, language, region)
Usage Data	Access IP, service usage records, access time

2. Methods of Collection

• Directly entered by users during registration and use of the Service
• Automatically generated and collected during use of the Service (device information, usage data, etc.)

Article 2. Purpose of Collection and Use of Personal Information

Purpose	Details
Member management and identity verification	Registration, identity verification and authentication, prevention of unauthorized use
Electronic financial transaction services	Payment authorization and processing, payment result notification, refund and settlement processing
Customer support and complaint handling	Transaction history verification, complaint response, dispute resolution
Service improvement	Service usage analysis, detection and resolution of technical issues

Article 3. Retention and Use Period of Personal Information

Personal information of users is destroyed without delay once the purpose of collection and use has been achieved. However, where retention is required by applicable laws, the information shall be retained for the period prescribed by such laws.

Category	Retention Period	Legal Basis
Member information (member management and complaint handling)	Until membership withdrawal	-
Electronic financial transaction records	5 years	Enforcement Decree of the Electronic Financial Transactions Act, Article 12
Tax invoices and accounting records	5 years	Framework Act on National Taxes / Value-Added Tax Act

Article 4. Provision of Personal Information to Third Parties

The Company provides personal information to third parties only with the consent of the data subject or where specifically required by applicable laws, in accordance with Articles 17 and 18 of the Personal Information Protection Act.

Recipient	Purpose	Items Provided	Retention Period
Hyundai Duty Free	Identity verification for duty-free purchases	Passport information (name, passport number, date of birth), mobile phone number	Until the purpose of provision is fulfilled

Article 5. Entrustment of Personal Information Processing

The Company does not currently entrust the processing of personal information to any external parties for the provision of the Service.

Should any entrustment occur in the future, the details and the entrusted party will be disclosed through this policy.

Article 6. Procedures and Methods for Destruction of Personal Information

The Company destroys personal information without delay when the retention period has expired or the purpose of processing has been achieved. However, information that must be retained pursuant to applicable laws shall be securely stored for the required period before destruction.

Methods of Destruction

• Electronic files: Permanently deleted using technical methods that prevent recovery
• Paper documents: Shredded or incinerated

Article 7. Rights and Obligations of Data Subjects and How to Exercise Them

Data subjects may exercise the following rights with respect to the Company at any time:

• Request to access personal information
• Request to correct or delete personal information
• Request to suspend processing of personal information
• Withdraw consent

The above rights may be exercised by mail or email, and the Company will take action without delay.

• Mail: 1101, J&K Digital Tower, 111, Digital-ro 26-gil, Guro-gu, Seoul, 08390, Republic of Korea
• Email: app@eximbay.com

If a data subject requests correction of an error in personal information, the Company will not use or provide the relevant personal information to third parties until the correction is completed.

Rights may also be exercised through a legal representative or an authorized agent, in which case a power of attorney must be submitted.

Article 8. Measures to Ensure the Security of Personal Information

The Company implements the following protective measures to prevent loss, theft, leakage, alteration, or damage of personal information:

• Administrative measures: Establishment and implementation of internal management plans for personal information protection, minimization of access rights and regular audits
• Technical measures: Encrypted storage and transmission of personal information, operation of access control systems, installation and updating of security software
• Physical measures: Access control for areas where personal information is stored

Article 9. Privacy Officer and Contact Information

The Company has designated the following Privacy Officer to oversee personal information processing and handle inquiries and complaints:

Chief Privacy Officer

• Name: Hyunjin Kong, Executive Director
• Phone: 070-4044-4141
• Email: jennifer@eximbay.com

Privacy Manager

• Name: Taeyang Kim, Manager
• Email: sun@eximbay.com

For reports or consultations regarding personal information infringement, please contact the following organizations:

• Cyber Crime Report System, National Police Agency (https://ecrm.police.go.kr / 182)
• Cyber Investigation Division, Supreme Prosecutors' Office (http://www.spo.go.kr / 1301)
• Personal Information Infringement Report Center (https://privacy.kisa.or.kr / 118)
• Personal Information Dispute Mediation Committee (http://www.kopico.go.kr / 1833-6972)

Article 10. Changes to This Privacy Policy

This Privacy Policy may be updated due to changes in laws, policies, or security technologies. Any changes will be notified through the Service.

Announcement Date: April 2, 2026

Effective Date: April 2, 2026