GYMTOC Privacy Policy WELLPEACH (hereinafter referred to as the "Company") complies with the relevant laws and regulations, such as the Personal Information Protection Act and the Act on Promotion of Information and Communication Network Utilization and Information Protection, which information service providers must adhere to regarding personal information protection. The Company has established a privacy policy to do its best to protect the rights and interests of users. The privacy policy applies to the use of the services provided by the company and related services (hereinafter referred to as "Services") and includes the following contents. Additionally, the company informs users about how their personal information is collected and used, as well as the measures taken by the company to protect personal information. Users may refuse consent regarding matters related to the collection, use, provision, and delegation of personal information. However, if the user refuses consent, they will be notified that they may not be able to use all or part of the services. 1. Purpose of Collection and Use of Personal Information Personal information refers to information about an individual that can identify the individual, including but not limited to, information such as date of birth, gender, name, mobile phone number, and personal identification key. The company utilizes the collected personal information for the following purposes: a. Service provision and fee settlement - Providing basic and specialized functions of the service, customized service provision, providing services based on demographic characteristics, item purchase and payment, notification services b. User management - Verification of identity for service use, user verification and identification related to service provision, prevention of misuse and unauthorized use by fraudulent members, confirmation of intent to join, confirmation of intent to withdraw, record keeping for self-verification and dispute resolution, complaint processing, notification of important information c. Utilization in the development of new services, advertising, and marketing - Development of new services and provision of customized services, provision of services and advertising based on demographic characteristics, confirmation of service effectiveness, provision of event and advertising information, opportunities for participation, understanding access frequency, statistical analysis of service use 2. Items and Methods of Collecting Personal Information a. Items of personal information collected 1) The company may collect the following information during self-authentication for optimized service provision: - Required: Date of birth, name, mobile phone number, carrier information, personal identification key 2) The following information may be collected during the process of using the service or business processing: - Required: Nickname, region, country, profile picture, photos and voice recordings uploaded by the user, messages written by the user, content created by the user, service usage records, access logs, records of misuse, payment records, device information (OS), push token - Optional: Introduction, gender, age, height, weight 3) Information automatically collected during advertising service provision - Advertising identifier (iOS: IDFA, Android: Advertising ID), IP address, device information, app usage data b. Methods of collecting personal information The company collects personal information through the following methods: - Website, application, written forms, fax, phone, consultation board, email, event participation - Provided by affiliated companies - Collection through information collection tools 3. Processing of Sensitive Information The company processes the following sensitive information to provide AI-based services. a. AI Medical Document Analysis Service - Collected items: Medical document images (health information) - Collection purpose: Analysis and organization of medical document content - Separate consent: Required (if you do not agree, you cannot use the service) b. Health Journal AI Analysis Service - Collected items: Diet records, medication intake records, diagnosis records, symptom records, subjective status information (health information) - Collection purpose: Health data pattern analysis and personalized health management advice provision - Separate consent: Required (if you do not agree, you cannot use the service) c. Medical Imaging Analysis Service - Collected items: Medical imaging images (X-ray, CT, MRI, Ultrasound, Endoscopy, etc. - health information) - Collection purpose: Analysis and interpretation support of imaging examination content - Separate consent: Required (if you do not agree, you cannot use the service) 4. Provision of Personal Information to Third Parties The company provides personal information to third parties as follows to provide services: a. AI-based service provision - Recipient: Google LLC - Provision purpose: AI medical document analysis, AI health journal data analysis, AI medical imaging analysis, AI image analysis, AI voice recording analysis - Provided items: Medical document images, health journal data (diet, medication, diagnosis, symptoms, subjective status), medical imaging images, general images, voice recordings - Retention and use period: Immediate deletion (after analysis completion) b. Advertising service provision - Recipient: Google LLC (Google AdMob) - Provision purpose: Advertising provision and performance measurement - Provided items: Advertising identifier, IP address, device information, app usage data - Retention and use period: According to Google's Privacy Policy (https://policies.google.com/privacy) 5. International Transfer of Personal Information The company transfers personal information overseas to provide services. a. AI-based service provision - Recipient: Google LLC - Transfer country: United States, etc. - Transferred items: Medical document images, health journal data (diet, medication, diagnosis, symptoms, subjective status), medical imaging images, general images, voice recordings - Purpose of use by the recipient: AI medical document analysis, AI health journal data analysis, AI medical imaging analysis, AI image analysis, AI voice recording analysis - Transfer date and method: HTTPS encrypted transmission upon user analysis request b. Advertising service provision - Recipient: Google LLC (Google AdMob) - Transfer country: United States and countries where Google servers are located - Transferred items: Advertising identifier, IP address, device information, app usage data - Purpose of use by the recipient: Advertising provision and performance measurement - Transfer date and method: Real-time network transmission during app usage 6. Provision and Sharing of Personal Information The company uses and provides personal information within the scope notified in the "Purpose of Collection and Use of Personal Information" and does not use or disclose it beyond that scope without the user's prior consent. However, it may use or provide personal information in the following cases: a. When the user has given prior consent - The company informs the user of the partner providing or collecting information, what information is needed, how long it will be stored, and obtains consent. If the user does not agree, no additional information will be collected or disclosed. b. When there are special regulations in the law or when requested by an investigative agency for investigation purposes according to the procedures and methods prescribed by the law 7. Retention and Use Period of Personal Information User personal information is generally destroyed without delay when the purpose of collecting and using personal information is achieved. However, the following information is retained and used for the reasons stated below, and is only used for the purpose of retention: a. Records related to contracts or withdrawal requests - Retention reason: Act on Consumer Protection in Electronic Commerce, etc. - Retention period: 5 years b. Records of payment and supply of goods, etc. - Retention reason: Act on Consumer Protection in Electronic Commerce, etc. - Retention period: 5 years c. Records of consumer complaints or dispute resolution - Retention reason: Act on Consumer Protection in Electronic Commerce, etc. - Retention period: 3 years d. Access logs - Retention reason: Telecommunications Privacy Act - Retention period: 3 months e. Information held according to the company's internal policy - Retention item: Records of misuse - Retention reason: Prevention of misuse - Retention period: 1 year 8. Personal Information Destruction Procedure and Method User personal information is transferred to a separate database after the purpose of collecting and using personal information is achieved, stored for a certain period according to internal policies and other relevant laws, and then destroyed. a. Destruction procedure - Information provided by users during service usage is transferred to a separate database after the purpose is achieved, stored for a certain period according to internal policies, and then destroyed. Unless otherwise provided by law, information that has been transferred to a separate database is not used or disclosed for purposes other than retention. b. Destruction method - Personal information on paper is destroyed by shredding or incinerating, and personal information stored in electronic file format is deleted using technical methods that cannot reproduce the records. 9. Rights of Users and Legal Representatives and How to Exercise Them Users and legal representatives can view or modify their registered personal information at any time. In addition, users can request termination of the service by using the "Withdrawal" option in the application settings. To view and modify personal information of users and legal representatives, click "Delete Account" through the platform operator or app store operator. If users want to confirm personal information that the company does not have, they should verify their identity by checking the membership information and providing personal information through the platform operator or app store operator. If users or legal representatives request correction of errors in personal information, the company will not use or provide the personal information until the correction is completed. Personal information that has been terminated or deleted at the request of users or legal representatives is processed according to the method specified in "7. Retention and Use Period of Personal Information." 10. Protection of Personal Information of Children Under 14 Years Old The company does not collect personal information of children under 14 years old. This service is available only to individuals who are at least 14 years old, and users must confirm that they are at least 14 years old when signing up. If it is confirmed that personal information of a child under 14 years old has been collected, the company will immediately destroy the personal information and restrict the use of the service. If legal representatives of children under 14 years old determine that their child is using the service inappropriately, please contact the personal information manager. 11. Outsourcing of Personal Information Processing The company outsources the handling of personal information to external companies for professional customer support and service provision. When entering into an outsourcing agreement, the company clearly stipulates protection-related instructions, non-disclosure of personal information, and responsibilities in the event of accidents, etc., to ensure the safety of personal information. - Outsourced tasks: In-app purchases - Retention and use period: Until withdrawal or termination of outsourcing agreement - Outsourced tasks: Operation of web services and information storage - Retention and use period: Until withdrawal or termination of outsourcing agreement - Outsourced tasks: Advertising provision and performance measurement - Retention and use period: According to Google's Privacy Policy 12. Installation/Operation and Refusal of Personal Information Automatic Collection Devices a. Cookies The company uses cookies to store and retrieve information about users to provide personalized and customized services. Cookies are very small text files sent by the server operating the website to the user's browser, stored on the user's computer's hard disk. When the user visits the website again, the website server reads the contents of the cookies stored on the user's hard disk to maintain the user's environment settings and provide customized services. Cookies do not actively or automatically collect information to identify individuals, and users can refuse or delete these cookies at any time. However, if users refuse to store cookies, they may not be able to use all or part of the services. How to specify whether to allow the installation of cookies (for Internet Explorer): Select "Tools" menu ⇒ Click "Internet Options" ⇒ Click "Privacy" tab ⇒ Set the privacy level b. Advertising Identifier The company collects device advertising identifiers to provide advertising services. Users can opt out of personalized advertising by: - iOS: Settings > Privacy & Security > Tracking - Android: Settings > Google > Ads > Opt out of Ads Personalization Even if you opt out of personalized advertising, ads will continue to be displayed, and there will be no impact on service usage. 13. Contact Information for Personal Information Management For all inquiries, complaints, advice, and other matters related to personal information protection during the use of the service, please contact the personal information protection officer and the relevant department. WELLPEACH is committed to listening to user feedback and providing prompt and sufficient responses. [Personal Information Management Officer] - Name: KIMDONGMIN - Affiliation and Position: CEO - Email: wellpeachmarket@gmail.com - Contact: 010-3996-4987 If you need to report or consult about other privacy breaches, please contact the following organizations: - Privacy Complaint Center (privacy.kisa.or.kr / 118 without area code) - Cyber Investigation Department, Supreme Prosecutors' Office (www.spo.go.kr / 1301 without area code) - Cyber Safety Bureau, National Police Agency (www.ctrc.go.kr / 182 without area code) [Supplementary Provisions] 1. If the company changes the privacy policy, it will notify users through the service at least 7 days before the effective date, along with the reasons for the change and the effective date. However, if there is a change in important matters related to user rights or obligations, the company will notify at least 30 days in advance. 2. If the company notifies the user of the changes and the user does not express their intention to refuse until the effective date of the change, it is considered that the user has agreed to the changes. 3. Even if the user agrees to the changes, if the company collects additional personal information or provides it to a third party, the company will go through a separate consent process. This privacy policy is effective from October 26, 2025.