NAVER Webtoon Corp. (hereafter referred to as “Company”) thoroughly abides by privacy protection regulations, which include the Act on the Promotion of Information and Communications Network Utilization and Information Protection, etc. (hereafter referred to as the “Information and Communications Network Act”) and the Personal Information Protection Act, as it is required for information communications service providers to comply with them. Through this Privacy Policy, the Company would like to give an overview of how users’ personal information is processed as simply as possible, and wishes to elucidate what types of efforts are being made in order to protect users’ personal information.

1. Collected Personal Information

The Company supports various types of social logins so that users can conveniently register as members and be provided service. These social logins also allow for minimal collection of the personal information required for initial use of the service. The Company collects identification values and nicknames for initial member identification when a user signs up with a Facebook or Google account, and, when the use signs up as a guest, the Company only collects a nickname.

Collection of additional personal information may take place for users who inquire into customer service or apply for events or gifts while using the service. If additional personal information is collected, the user is provided with guidelines regarding the information items collected in “collected personal information, the purpose of collecting and using personal information, and the period of retaining personal information” and is asked whether he or she accepts the terms of the collection and use of their information.

The previously mentioned personal information may be entered manually by users after they agree to the collection of personal information during the course of membership subscription or service use, or such information may be collected through web pages, emails, faxes, or phone calls during customer service support interactions.

In addition, information such as IP address, cookies, service use logs, and device information (country and language) may be automatically generated and collected during service use.

2. Use of the Collected Personal Information

The Company uses personal information only for the following purposes: managing members and developing, providing, and improving services.

- Personal information is used to identify user intent to subscribe to the Company’s services, verify the user’s age and obtain the consent of their legal representative, verify the identity of the user and their legal representative, identify the user, or confirm the user’s intent to unsubscribe from the Company’s services for the purpose of managing members.

- Personal information is used to restrict users who have violated the law, regulations, or the Company’s User Agreement from using the service; to prevent or limit actions that would interfere with the smooth operation of the service, including delinquency, account fraud, or other illegal transactions; deliver notices on agreement updates; store records for potential dispute resolution; and to handle complaints for the purpose of user protection and service operations.

- Personal information is used to provide information on events, opportunities for participation, for advertisements, and for other marketing or promotional purposes.

- Personal information is used to analyze service use records and access frequencies, calculate statistics on service use, analyze services, provide customized services based on statistics, and place advertisements.

- Personal information is used to give users peace of mind in circumstances involving security, privacy, or safety and to build a usable service environment.

3. Provision and Entrustment of Personal Information

As a rule, the Company does not provide personal information to any external third party without the consent of the user.

The Company does not provide personal information to any external party without the consent of the user. However, only after the user has personally agreed to the provision of their personal information, personal information may be provided for use by external partners’ services, when the Company is obligated to submit personal information in accordance with related laws and regulations, or to resolve emergency situations where the user’s life or safety has been confirmed to be in danger.

The Company entrusts the execution of certain tasks to external companies in order to provide better services. The Company specifies these necessary matters and manages/supervises them to ensure that the entrusted companies safely process personal information pursuant to the Information and Communications Network Act.

Entrusted Company	Entrusted Tasks	Retention and Use Period of Personal Information
Snow Corp.	Service development and operation and the management of infrastructure	Until the member unsubscribes or the termination of the entrustment agreement
NAVER Business Platform Corp.	System development and operation for providing services
NAVER Business Platform Asia Pacific	Data storage
Amazon Web Services Inc.	Operation and management of servers
QROAD Inc.	Service operation and customer service

The following provides the entrusted tasks that foreign branches carry out related to the entrustment of personal information.

The Company does not provide user’s personal information to other businesses abroad. However, the data storage and the service operations are entrusted to “NAVER Business Platform Asia Pacific” as set forth below.

Entrusted Company	NAVER BUSINESS PLATFORM ASIA PACIFIC PTE. LTD	Amazon Web Services Inc.
Location of Entrusted Company	Hong Kong (RM 1808. 18/F HARCOURT RD ADMIRALTY HONG KONG)	1200 12th Avenue South Suite 1200 Seattle, WA 98144 United States
Date and Method of Entrustment	Remote transmission through networks after March 15, 2019	Remote transmission through networks after March 15, 2019
Chief Privacy Officer’s Contact Information	nbpcc@naver.com	aws-korea-privacy@amazon.com
List of Personal Information Subject to this Entrustment	All data, including personal information, the Company collects and stores	All data, including personal information, the Company collects and stores
Entrusted Tasks	Data backup (storage) between countries for the safety of user data and its protection in case of disaster or accident	Server transmission and storage of game data
Period of preservation and use of personal information	Corresponds to the storage period described in this Privacy Policy	Corresponds to the storage period described in this Privacy Policy

4. Destruction of Personal Information

As a rule, the Company destroys personal information immediately after the user unsubscribes from services.

However, personal information may be stored safely for a designated period of time, even after the user unsubscribes, if the Company acquires separate consent from the user to store such personal information for a certain period of time or if the Company is under obligation pursuant to the law to store the information for a specific time period.

The statutes that require the Company to store information for a certain period of time are provided below. The Company stores personal information for the period prescribed by law and shall never use such information for any other purpose.

- Act on the Consumer Protection in Electronic Commerce

Records on subscription or withdrawal of subscription: Store for five (5) years

Records on payment settlements and supply of goods: Store for five (5) years

Records on customer complaints or dispute settlements: Store for three (3) years

- Electronic Financial Transactions Act

Records on electronic finance: Store for five (5) years

- Protection of Communications Secrets Act

Records on sign-in: Store for three (3) months

Personal information is immediately destroyed to a non-restorable state once the purpose of the information collection and storage has been fulfilled, which includes the user’s cancellation of their subscription to the service, service termination, or expiration of the personal information storage period that had been approved by the user. Personal information that has been stored due to obligations imposed by law shall be immediately destroyed to a non-restorable state once the required storage period ends.

Personal information stored in electronic files is safely deleted using technical methods and information printed on paper is shredded or incinerated to prevent it from being restored or regenerated.

5. User and Legal Representative’s Rights and How to Exercise Those Rights

Users can go to application settings to view or update their personal information at any time.

Users can withdraw their consent to the collection and use of personal information through cancellation of subscription.

If the user is a child under the age of 14, the child’s legal representative has the right to view and update the child’s personal information or to withdraw their consent to the collection and use of the child’s personal information.

If a user requests that errors in their personal information be corrected, the personal information that is to be corrected cannot be used or provided until the corrections are made. If incorrect personal information has already been provided to a third party, the corrected information will be immediately given to the third party to ensure that the necessary corrections can be made.

6. Technical/Managerial Protective Measures for Personal Information

The Company employs the following technical /managerial measures to secure the safety of personal information and prevent the loss, theft, leakage, alteration, or damage of any such information in the course of processing users’ personal information.

1) Technical Measures

- The Company protects users’ personal information through information protection measures pursuant to relevant law and internal policies.

- The Company continues to take appropriate steps to prevent damage caused by computer viruses through its vaccine program. The vaccine program is periodically updated and if a new virus suddenly appears, its information is immediately applied to the vaccine in order to prevent personal information from being infringed upon.

- The Company encrypts users' personal information for storage and management as required by law and adopts security devices that enables secure transmission of personal information over the network.

- In order to prevent the leaking of users' personal information through hacking, the Company uses a device to prevent outside intrusion and monitors it 24 hours a day, 365 days a year.

2) Managerial Measures

- The Company’s employees who handle personal information are limited to those in charge, given separate passwords, regularly updated, for their tasks. Furthermore, the Company continues to emphasize the importance of privacy protection at all times through frequent training of those in charge.

- The Company identifies whether the laws related to the protection of personal information are complied with by those in charge of protecting personal information through an in-house department for personal information protections in order to ensure that any issue that may arise are corrected for and resolved immediately upon discovery.

7. The Chief Privacy Officer and the Responsible Personnel

The Company has designated the following persons as the Chief Privacy Officer and the Personal Information Manager who are responsible for answering users’ inquiries regarding personal information and resolving any related complaints.

- Chief Privacy Officer

Name: Cho Jiyoung

Affiliation: NAVER Webtoon

Contact: dl_windbreakercs@webtoonscorp.com

- Personal Information Manager

Name: Cho Jiyoung

Affiliation: NAVER Webtoon

Contact: dl_windbreakercs@webtoonscorp.com

You may contact the following institutions to file a report or seek consultation for other personal information infringements.

- Privacy Infringement Report Center (privacy.kisa.or.kr / Phone no. w/o country code. 118)

- Cyber Crime Investigation Unit, Supreme Prosecutor’s Office (www.spo.go.kr / Phone no. w/o country code. 1301)

- Cyber Terror Response Center, National Police Agency (cyberbureau.police.go.kr / Phone no. w/o country code. 182)

8. Duty to Notify

Users will be notified of any modification to this Privacy Policy, including any newly added, deleted, or updated pieces of information through a “Notice” on the Company website at least seven (7) days prior to such modification. However, notices for important modifications that affect users’ rights, including changes to personal information that is subject to collection or to the purposes of using such information, will be made at least thirty (30) days prior to the date of modification and the user’s consent will be reobtained if necessary.

- Date of Notification: March 15, 2019

- Effective Date: March 15, 2019