1. Items of personal information to collect and how to collect them

1.i. Items of personal information collected

1. First, the company collects the following minimum personal information as mandatory items at the time of initial member registration for membership registration, smooth customer consultation, and various services.
   1. [Sign Up]
   2. - Required items: ID, password, name, date of birth, gender, mobile phone number for registration, and legal representative information for children under 14 years of age (legal representative's name, ID, and mobile phone number are collected and saved until the children reach adulthood).
   3. - Optional: Emergency email address (you can register without one).
   4. [Group ID Sign Up]
   5. - Required items: Group ID, group name, corporate name (group name), representative name, location of business establishment, representative telephone number, manager ID, mobile number, team and position
   6. - Optional: Fax number (you can register without entering an option).
2. Second, the following information can be automatically generated and collected during the service use process or business process.
   1. - IP Address, cookie, date and time of visit, history, fault utilization history, device information
3. Third, the following information may be collected only for the users of the service when using the additional service and customized service or event application using the UTOP UBLESS Jeju Hotel ID.
   1. - In case of a further personal information collection agreement
4. Fourth, when using some services such as adult content, paid services / games, etc., the following information may be collected if the user's authentication is required to comply with relevant laws.
   1. - Name, date of birth, sex, duplicate entry confirmation information (DI), encrypted identifications (CI), mobile phone number (selected), Ipin number (if needed), and internal/foreign information
5. Fifth, the following payment information may be collected during the use of paid services.
   1. - When paying with a credit card: credit card name, card number, etc.
   2. - When paying via mobile payment method: mobile phone number, carrier, payment approval number, etc.
   3. - When transferring money: Bank name, account number, etc.
   4. - When using gift vouchers: gift voucher number

ii. How to collect personal information

The company collects personal information in the following ways

1. 1. - Homepage, written form, fax, telephone, consultation board, email, event application, delivery request
   2. - Provided by partner companies
   3. - Collection through the generation of the information collection tool

2. Purposes of Collection and Use of Personal Information

i. Fulfillment of the contract for the provision of services and settlement of the charges according to the provision of services

- Providing content and customized service, shipping goods or sending invoices, verifying identity, purchasing and charging payment, charging collection

i. Membership Management

- Membership service provision, personal identification, restriction of use of members who violate the Terms of Use of the company, restrictions on the smooth operation of services, restrictions on illegal use of services, confirmation of enrollment, confirmation of legal representative's consent at the time of collecting personal information of children under 14 years old, confirmation of legal representative's identity later, preservation of records for dispute settlement, handling complaints , delivering notification, confirmation of withdrawal of membership

ii. Developing new services and applying them to marketing and advertising

- Providing new services and customized services, providing services according to statistical characteristics, showing advertisements, validating services, providing event information and participation opportunities, providing advertisement information, identifying access frequency, and statistics on members‘ services usages

3. Sharing and Providing Personal Information

The company uses the users' personal information within the scope specified in "2. The purpose of collecting and using personal information" and does not use the personal information beyond the scope without prior consent of the users or, in principle, disclose the users' personal information to a third party. Exceptions are made in the following cases

1. i. If the user agreed beforehand.
2. ii. If there is a request from the investigating agency in accordance with procedures and methods prescribed by laws and ordinances for the purpose of an investigation

4. Commitment of Personal Information

The company entrusts personal information as follows to improve the service, and provides necessary information for the safe management of personal information upon consignment contracts in accordance with the relevant statutes.

5. Retention and Usage Period of Personal Information

In principle, the user's personal information is removed without delay when the purpose of collecting and using personal information is achieved. However, the following information shall be retained for the period specified for the reasons for preservation below.

i. Reasons for information retention according to the company's internal policy

1. Records of fraudulent use (records of unusual use of services such as fraudulent sign-up and disciplinary records)
   1. - Preservation items: Cell phone number for subscribed authentication, legal representative DI for members under 14 years of age
   2. - Reason for retention: Prevention of fraudulent sign-up and use
   3. - Retention period: 1 year
   4. ※ The 'Fraudulent Use Record' is a record that was restricted by the company due to a fraudulent subscription and preparation of postings that violate the operational principles.

ii. Reasons for information retention under the relevant statutes

In case it is necessary to preserve it in accordance with the provisions of the related statutes, such as the Commercial Act, the Electronic Commerce Act, etc., the company shall keep the member information for a certain period as prescribed under the pertinent statutes. In this case, the company uses the information to keep it for its purposes only, and the retention period is as follows

1. Records on contract or withdrawal
   1. - Reasons for retention: The Consumer Protection Act in Electronic Commerce, etc.
   2. - Retention period: 5 years
2. Record of payment and goods supply
   1. - Reasons for retention: The Consumer Protection Act in Electronic Commerce, etc.
   2. - Retention period: 5 years
3. Records on electronic financial transactions
   1. - Reason for retention: Electronic Financial Transactions Act
   2. - Retention period: 5 years
4. Records on consumer complaints or dispute handling
   1. - Reasons for retention: The Consumer Protection Act in Electronic Commerce, etc.
   2. - Retention period: 3 years
5. Website history
   1. - Reason for retention: Communication Confidentiality Protection Act
   2. - Retention period: 3 months

6. Disposal Procedure and Method of Personal Information

In principle, the user's personal information is removed without delay when the purpose of collecting and using personal information is achieved. The procedures and methods for eliminating the company's personal information are as follows.

i Process of disposal

1. 1. - The information entered by the user for membership registration is transferred to a separate database after the purpose is achieved (a separate document box for paper) and stored for a certain period of time for information protection reasons according to internal policies and other related statutes (see the retention and service period).
   2. - This personal information shall not be used for any other purposes other than those held under the Act.

i. Method of Elimination

1. 1. - The personal information printed on the paper is pulverized with a shredder or destroyed through incineration.
   2. - Personal information stored in the form of an electronic file is deleted using a technical method that prevents the recording from being played.

7. Rights of Users and Legal Representatives and How to Exercise Them

1. - Users and legal representatives can inquire or modify personal information of registered users or children under the age of 14 years at any time. If they do not agree to the company's handling of personal information, they can refuse to consent or request to delete the membership (membership withdrawal). However, in such cases, some or all of the services may not be available.
2. - To change the personal information of a user or a child under the age of 14 or modify it, click 'Change membership information' (or 'Edit membership information'). You can view, correct or withdraw directly after the procedure.
3. - Otherwise, contact the person in charge of personal information management by phone or email and we will take action without delay.
4. - In case a user requests the correction of personal information errors, the company shall not use or provide such personal information until the correction is completed. In addition, if the wrong personal information has already been provided to a third party, the third party will be notified about the correction result without delay so that the correction can be made.
5. - The company processes personal information that has been revoked or deleted at the request of the users or legal representatives as specified in "5. The retention and service period of personal information shall be processed as specified in "5. The company shall not access or use it for other purposes."

8. Information on Installation / Operation and Denial of Automated Collection Device for Personal Information

i. What are cookies?

1. 1. - In order to provide personalized and customized services, the company uses 'cookies' to store and retrieve information from users.
   2. - Cookies are stored on your computer's hard disk as very small text files that are sent to your browser by the server that runs the website. When a user visits a website, the website server is used to maintain user preferences and provide customized services by reading the contents of the cookies stored on the user's hard disk.
   3. - Cookies do not automatically/actively collect information identifying individuals, and users may at any time refuse to save or delete such cookies.

i. The purpose of the company's use of cookies

1. 1. The service and website usage, popular search terms, security access status, news editing, and user size of each service and website visited by the users are identified and optimized to provide users with customized information, including advertisements.

iii. Installing / operating cookies

1. 1. - Users have the option of installing cookies. As a result, the user may choose to allow all cookies by setting options in the web browser, check each time the cookies are saved, or refuse to save all cookies.
   2. - However, if you refuse to save cookies, some services at the UTOP UBLESS Jeju Hotel may be difficult to use.
   3. - Here's how to specify whether to allow cookies to be installed (for Internet Explorer)
      ① Select [Internet Options] from the [Tools] menu.
      ② Click [Privacy tab].
      ③ Set the [Privacy level].

9. Technical and Administrative Protection Measures of Personal Information

The company strives for the following technical and administrative measures to ensure safety so that personal information is not lost, stolen, leaked, tampered with or damaged in the handling of the users' personal information

i. Password encryption

1. 1. - The password of the user ID is stored and managed in encrypted form and is only known to the user. Confirmation and change of personal information can be done only by the person who knows the password.

ii. Countermeasures against hacking

1. 1. The company is doing its best to prevent members' personal information from being leaked or damaged by hacking or computer viruses.
      Data is backed up frequently in case of personal information corruption, and the latest vaccine program is used to prevent users from leaking or damaging personal information or data, and to enable secure transmission of personal information on the network through cryptographic communication.
      We use intrusion prevention systems to control unauthorized access from the outside, and we strive to equip all possible technical devices to ensure security in our systems.

iii. Minimization and training of handling staff

1. 1. The company's personal information handling staff is limited to the personnel in charge, and the staff is updated regularly by giving them a separate password. Through frequent training, the company always emphasizes compliance with the privacy policy of UTOP UBLESS Jeju Hotel Ltd.

ii. The operation of the Personal Information Protection Warfare Organization

1. 1. We also check the implementation and compliance of the privacy policy of UTOP UBLESS Jeju Hotel Ltd. and make efforts to correct any problems if found.
      However, the company shall not be held liable for damages not attributable to the company, such as negligence of the users or accidents in areas not managed by the company, as the company has performed its duty to protect.

10. Contact information of personal information manager and person in charge

You may declare any privacy complaints that may arise from your use of our company‘s services to your personal information manager or department. The company will respond promptly to the users' complaints.

11. Duty of Notification

If there is any addition, deletion or amendment of the current privacy policy, we will notify you through an 'Announcement' on the homepage at least 7 days before the amendment. However, if there is any significant change in user rights, such as the collection and use of personal information or the provision of third parties, we will notify you at least 30 days in advance.

1. 1. - Date of announcement: March 31, 2017
   2. - Effective date: April 7, 2017