The creamunion
Privacy Policy

Article 1 (Purpose of Processing Personal Information)

The Company collects personal information only to the minimum extent necessary to provide its services smoothly.

1. ① The Company processes personal information for the following purposes. Personal information is not used for any purpose other than those below; if the purpose changes, the Company will obtain separate consent under Article 18 of the Personal Information Protection Act and take other necessary measures.

   Category	Purpose of Processing	Collection Method
   Advertising inquiry	Responding to general inquiries regarding advertising services	Electronic collection via email
   Recruitment inquiry	Responding to inquiries regarding job applications and hiring
   Online/offline events, promotions, prize delivery, customer support	Granting opportunities to participate in events/promotions, delivering prizes, and responding to customer inquiries	Electronic collection via event/promotion pages

2. ② When users access the Company’s website or other services, the Company collects generated information such as usage logs, access logs, and IP addresses.

Article 2 (Retention and Use Period of Personal Information)

1. ① The Company processes and retains personal information within the retention/use period prescribed by law, or within the period consented to by the data subject at the time of collection.
2. ② The retention and use period for each type of personal information is as follows.

   Personal information retention period for service provision

   Category	Reason for Retention	Retention Period
   Advertising inquiry	Responding to general inquiries regarding advertising services	Destroyed immediately upon completion of consultation/guidance
   Recruitment inquiry	Responding to inquiries regarding job applications and hiring
   Events, promotions, prize delivery, customer support	Granting participation opportunities, delivering prizes, and customer support	Destroyed within one month (30 days) of completing prize delivery

   However, in the following cases the retention period extends until the matter is resolved:

   1. Until conclusion of investigation/proceedings, when an investigation or inquiry is in progress for violation of relevant laws.
   2. Until settlement of remaining claims and debts arising from website use.

   Retention required by law for the provision of goods or services

   Category	Applicable Law	Retention Period
   Records of contracts or subscription withdrawals	Act on Consumer Protection in Electronic Commerce, etc.	5 years
   Records of payment and supply of goods		5 years
   Records of consumer complaints or dispute resolution		3 years
   Records of display/advertising		6 months
   Records of identity verification	Act on Promotion of Information and Communications Network Utilization and Information Protection	6 months
   Records of access (visits)	Protection of Communications Secrets Act	3 months

Article 3 (Provision of Personal Information to Third Parties)

1. ① The Company processes personal information only within the scope specified in “Article 1 (Purpose of Processing)”, and provides personal information to third parties only with the consent of the data subject or in cases corresponding to Articles 17 and 18 of the Personal Information Protection Act.
2. ② When obtaining consent from the data subject, the Company notifies the following before providing personal information to a third party:
   1. The recipient of personal information.
   2. The purpose of use of personal information by the recipient.
   3. The items of personal information to be provided.
   4. The retention/use period by the recipient.
   5. The fact that consent may be refused and the disadvantages, if any, of such refusal.

Article 4 (Entrustment of Personal Information Processing)

1. ① The Company entrusts certain tasks essential to service provision to external companies, and supervises them to ensure compliance with applicable laws.
2. ② The companies entrusted with personal information processing are as follows:

   Trustee	Entrusted Work	Use Period
   T-Scientific Co., Ltd.	Event prize delivery on behalf of the Company	Destroyed within 15 days of completing prize delivery

Article 5 (Rights and Obligations of the Data Subject and Legal Representative)

1. ① The data subject may at any time exercise rights such as requesting access, correction, deletion, or suspension of processing of personal information.
2. ② The rights in Paragraph 1 may be exercised by the data subject through written notice, email, or facsimile (FAX) under Article 41(1) of the Personal Information Protection Act. The Company will respond without delay.

   1) Department accepting and processing access requests

   Department	Contact	Phone	Email	Fax
   Campaign Idea Division	Hyungju Lee	02-3446-1886	dndska_hj@crea-m.com	02-3446-1887

3. ③ The rights in Paragraph 1 may be exercised through a representativesuch as the data subject’s legal representative or authorized agent. In such cases, a power of attorney in Form No. 11 attached to the Enforcement Rules of the Personal Information Protection Act must be submitted.
4. ④ The right to request access to or suspension of processing of personal information may be restricted under Articles 35(5) and 37(2) of the Personal Information Protection Act.
5. ⑤ A request for correction or deletion of personal information cannot be made if the personal information is specified as a collection target under other laws.
6. ⑥ The Company verifies whether the person making the request for access, correction/deletion, or suspension of processing is the data subject or a legitimate representative.

Article 6 (Items of Personal Information Processed)

1. ① The Company processes the following items of personal information:

   Category	Items Collected
   Advertising and recruitment inquiries	[Required] Name, phone number [Optional] Email, inquiry contents
   Online/offline events, promotions, prize delivery, customer support	[Required] Name, mobile number, SNS ID [Optional] Email, other items required for event/promotion participation

Article 7 (Destruction of Personal Information)

1. ① The Company destroys personal information without delay when it becomes unnecessary due to expiration of the retention period, achievement of the processing purpose, or similar reasons.
2. ② The procedure and method for destruction are as follows:

   1) Destruction procedure

   • The Company identifies the personal information subject to destruction and destroys it with the approval of the Privacy Officer.

   2) Destruction method

   • Personal information stored in electronic file form is destroyed so that the records cannot be reproduced.
   • Personal information recorded on paper is destroyed by shredding or incineration.

Article 8 (Technical and Administrative Safeguards)

1. ① The Company adopts the following technical and administrative measures to ensure the safety of personal information against loss, theft, leakage, alteration, or damage.

   1) Internal management plan

   The Company establishes and implements an internal management plan for the safe management of personal information.

   2) Encryption of personal information

   The Company transmits members’ personal information through encrypted communication channels. For consultation requests, the Company does not collect separate user IDs or passwords.

   3) Measures against hacking

   The Company does its utmost to prevent leakage or damage of members’ personal information due to hacking or computer viruses. Data is backed up regularly, the latest anti-virus programs are used to prevent leakage or corruption of user information, encrypted communication is employed for safe transmission over networks, and intrusion prevention systems are operated to control unauthorized external access. The Company strives to equip every possible technical measure to ensure systemic security.

   4) Minimization of personnel and training

   Personnel handling personal information are limited to designated officers. Separate passwords are issued and regularly updated, and frequent training emphasizes compliance with this Privacy Policy.

   5) Operation of a dedicated privacy organization

   Through an internal privacy organization, the Company verifies implementation of this Privacy Policy and compliance by personnel, correcting any issues found immediately.

   However, the Company shall not be liable for any issues arising from leakage of personal information due to the user’s own negligence or problems on the internet.

Article 9 (Privacy Officer and Grievance Department)

1. ① To protect users’ personal information and handle privacy-related complaints, the Company designates the following department and Privacy Officer:

   Privacy Officer	Privacy Department
   Name: Joongseok Sun Title: Head of UI/UX Phone: 02-3446-1886 Email: sun@crea-m.com	Department: Management Strategy Phone: 02-3446-1886 Email: contact@crea-m.com

2. ② Users may direct any privacy-related complaints arising from the use of the Company’s services to the Privacy Officer or department above. The Company will respond promptly and thoroughly.

Article 10 (Remedies for Infringement of Rights)

① For redress, consultation, or other matters concerning infringement of personal information, you may contact the following organizations:

Article 11 (Miscellaneous)

① The Company may provide links to other companies’ websites or materials. In such cases, the Company has no control over the external sites or materials and cannot be held responsible for or guarantee the usefulness, truthfulness, or legality of the services or materials provided therefrom. When you click a link included by the Company and move to a page on another site, please check that site’s privacy policy, as it is unrelated to the Company’s policy.

Article 12 (Changes to the Privacy Policy)

① Any addition, deletion, or modification of this Privacy Policy will be announced via the website’s ‘Notices’ at least 7 days before the effective date. However, for significant changes to user rights — such as the collection and use of personal information or provision to third parties — the announcement will be made at least 30 days in advance.