1 General Rules

1. Riiid Co., Ltd. (hereinafter "Company") complies with ACT ON PROMOTION OF INFORMATION AND COMMUNICATIONS NETWORK UTILIZATION AND INFORMATION PROTECTION, ETC., PERSONAL INFORMATION PROTECTION ACT, PROTECTION OF COMMUNICATIONS SECRETS ACT, TELECOMMUNICATIONS BUSINESS ACT.  
2. Company shall inform rights of Users and Company’s obligations, policies on personal information in this Privacy Policy,
3. Company shall request consent on Terms of Use, Privacy Policy to Users, and by checking " I Agree" box, it will be deemed that User has carefully read and agreed to Terms of Service, Privacy Policy.

 2. Revision of Privacy Policy

In the event Company amends this Privacy Policy, Company shall notify at least seven (7) days prior to the effective date.  Nonetheless Company shall notify at least thirty (30) days prior to the effective date if the amendment has substantial changes or has disadvantage to User, and shall request User’s consent if necessary.

3. Purpose of Collection and Use of Personal Information

Company shall collect, use Personal Information for the following purposes.

1. Member management: (i) Identification, verification, confirmation of Member, (ii) Prevention of unauthorized use by Member, (iii) Notification, announcement to Member
2. CS support: Response to Member’s complaints, request and take appropriate action
3. Service management and improvement: (i) Prevention of illegal usage, secure  stability of Service (ii) Develop new services, technologies, provide personalized service, (iii) Payment of service fee
4. Marketing and advertising: Marketing and provide advertisement, commercial information
5. Statistics and analysis: Analysis on Service usage information per User
6. "Company" do not knowingly collect personal information from children under the age of 13, but if a child under 13 has provided personal information to "Company" contrary to the intent of "Company", users and legal representatives can view or modify the personal information of the registered child or child under 13 at any time.For users or children under the age of 13 to view or modify personal information, you can click "Exit member" and view, correct, or withdraw. Or if you contact the person in charge of personal information management in writing, phone or email, Company will take care of it without delay. The "Company" shall process personal information disclosed or deleted at the request of the user or legal representative as specified in the retention and use period of personal information collected by the "Company" and shall not be viewed or used for any other purpose.

4. Particulars of Personal Information to be collected, used

Company collects minimum personal information of User as below.  

5 Outsourcing Personal Information to Third Party

Company shall outsource personal information processing to a third party as follows.

1. Outsourcer: AWS

Country: United States

Details of outsourced work and the purpose: Infrastructure management for Service and analysis

2. Outsourcer: Stripe

Country: United States

Details of outsourced work and the purpose: Payment and refund processing

6 Personal Information to Third Party

Without User’s consent, Company shall not provide personal information to third parties. Nonetheless, Company shall provide personal information to third parties on following events.

1. Where special provisions exist in other laws or it is inevitable to observe legal obligations;
2. Where it is inevitable for a public institution’s performance of its duties under its jurisdiction as prescribed by statutes, etc.;
3. Where it is deemed manifestly necessary for the protection of life, bodily or property interests of User or third party from imminent danger where User or his or her legal representative is not in a position to express intention, or prior consent cannot be obtained owing to unknown addresses, etc.;

1. Persuant to relevant laws, Company may use personal information beyond the scope of purposes or provide personal information to third party.

1. Where information is necessary to calculate Service fees;
2. Where information itself does not identify a particular individual and is necessary for academic research, statistics
3. Where it is necessary for the investigation of a crime, indictment and prosecution;
4. Where it is necessary for a court to proceed with trial-related duties;

7 Period for retaining, using Personal Information

1. Company shall retain, use personal information within the period based on relevant laws and regulations, or within the period agreed by Users.
2. Company shall retain personal information of Member until Member terminates Terms of Use or membership. Nonetheless, Company may retain personal information until the end of the following events.

1. Investigation on violation of relevant laws, regulations in progress. Until the investigation have been completed.
2. Member has debts using Websites. Until the payment debts have been completed.

3. Notwithstanding subparagraph 2, Company may retain personal information of Member for one (1) year from the date of withdrawal of membership to prevent re-enrollment and unauthorized access of such former Member.
4. Company shall retain personal information pursuant to following relevant laws, regulations.

5.  The "Company" shall separately manage the ID and personal information of the "Member" as inactive ID if the user has not logged in for more than 12 months or does not use the service according to the Information and Communication Network Act. In such cases, "Company" will notify "Members"of the fact that their personal information is stored and managed separately by 30 days prior to the arrival of the 12-month period, by e-mail, written, imitation, telephone, or similar means. However, if you are using the service, it will be switched to an inactive ID at the time of service deletion regardless of the expiration date. Personal information converted to inactive ID will be deactivated without delay after 4 years of storage.

8 User’s Rights, obligations and entitlement

1. User may at any time, exercise the following rights to protect user’s own personal information.

1. Request to disclose personal information
2. Request for correction on errors in personal information
3. Request to delete personal information
4. Request to stop using personal information

1. User may exercise rights stated in paragraph 1 by sending documents, phone calls, email, facsimile transmission (FAX), etc., and Company shall take appropriate action immediately.
2.  In the event User requests correction or deletion of personal information, until such correction, deletion is completed, Company shall not use, nor provide User’s personal information.
3. User shall not violate PERSONAL INFORMATION PROTECTION ACT or other relevant laws, and shall not infringe User’s own or other User’s personal information or privacy.

9 Transfer of Personal Information due to Business Transfer

In the event Company transfers all or part of business to third party, prior to such events Company shall notify following information to User.

1.  The fact of transferring personal information

1. Name of the person (name of the entity) who shall receive personal information (referred as “Business Transferee”), address, contact number of Business Transferee
2. Procedures for User who wishes not to transfer his/her personal information

10 Matters on Installation, Operation and Refusal of Automatic System for Collecting Personal Information

1. Company shall use “cookies” to store User’s usage information and in order to provide optimized Service for each User.
2. A cookie is a small amount of data generated by the server(http) of Websites and sent to User. A cookie may be saved in hardware of User’s computer.

1. Purpose of using cookies: To provide optimized Service for each User bases on login record, favorite search word, security access etc. of User
2. Cookie installation ∙ operation and Refusal: You can select on cookie installation by Web browser tools -> internet option -> settings for menu options on personal information.

3. In the event User refuses to cookie installation, preservation then the use of Service provided by Company shall be restricted.  

11 Measures to Safeguards Personal Information

1. Company shall take such technical, managerial, and physical measures as establishing an internal management plan and preserving access records, etc. that are necessary to ensure safety so that the personal information may not be lost, stolen, divulged, forged, altered, or damaged.

1. To formulate and implement an internal management plan for the safe processing of personal information;
2. To control access to personal information and restrict the authority to access personal information;
3. To adopt encryption technology to safely store and transmit personal information and other equivalent measures;
4. To retain login records to respond to incidents of infringement with respect to personal information and to take measures to prevent the forgery and falsification thereof;
5. To install and upgrade security programs to protect personal information;
6. To take physical measures, such as a storage or locking system, to keep personal information safely.

2. Company has designated minimum personal information handlers, monitors and provides educational program regularly, frequently and indicates the importance of personal information

12 Destruction of Personal Information

1. Company shall destroy personal information without delay upon the expiry of retention period, or attainment of the purpose of processing personal information.
2. In the event Company retains personal information after the expiry of retention period or after attainment of the purpose of processing personal information, pursuant to relevant law such personal information files shall be stored and managed separately   from other personal information (such as in separate database).
3. The procedure and method of destroying User’s personal information as follows.

1. Procedure: Company shall select personal information subject to destruction,      and upon approval from Privacy Officer Company shall conduct destruction.
2. Method: Company shall use technical method to destroy electronic files. Company shall shred or burn paper files.  

13 GDPR

1. “Company”complies with the General Data Protection Regulation (GDPR) as well as the domestic laws of each member country.
2. "Company" uses personal information collected from users only for purposes specified in 3 [Purpose of collection and use of personal information] informs users prior to any use thereof and asks for agreement. In addition, "Company" may process personal information in accordance with applicable laws including GDPR in any of the following cases:

1. Consent of the data subject
2. Sign and fulfil a contract with the data subject

• Member management, identification, etc.
• Performance of a contract in relation to providing the services required by users, payment and settlement of fees, etc.

3. legal compliance

• Compliance with relevant law, regulations, legal proceedings, requests by the government

4. When personal information processing is necessary for the material benefit of the data subject

• Detection of, prevention of, and response to fraud, abuse, security risks, and technical issues that may harm users or other natural persons

5. For the pursuit of legitimate interests of the company (except for cases where the benefits, rights or freedom of the data subject is more important than that of the company.)

3. User’s right when applying GDPR

1. The users or their legal representatives, as main agents of the information, may exercise the

following rights regarding the collection, use and sharing of personal information by the Company:

1. The right to access to personal information: The users or their legal representatives may access the information and check the records of the collection, use and sharing of the information under the applicable law.
2. The right to rectification: The users or their legal representatives may request to correct inaccurate or incomplete information.
3. The right to erasure: The users or their legal representatives may request the deletion of the information after the achievement of their purpose and the withdrawal of their consent.
4. The right to restriction of processing: The users or their legal representatives may make temporary suspension of treatment of personal information in case of disputes over the accuracy of information and the legality of information treatment, or if necessary to retain the information.
5. The right to data portability: The users or their legal representatives may request to provide or transfer the information.
6. The right to object: The users or their legal representatives may suspend the treatment of personal information if the information is used for the purpose of direct marketing, reasonable interests, the exercise of official duties and authority, and research and statistics.
7. The right to automated individual decision-making, including profiling: The users or their legal representatives may request to cease the automated treatment of personal information, including profiling, which has critical impact or cause legal effect on them.

2. If, in order to exercise the above rights, you, as an user, contact the Company by sending a document or e-mails, or using telephone to the Company ( person in charge of management of personal information or a deputy), the Company will take measures without delay: Provided that the Company may reject the request of you only to the extent that there exists either proper cause as prescribed in the laws or equivalent cause.

14 Brazilian Privacy Rights

Provides additional details about the personal information collected about Brazilian members under the Brazilian Information Protection Act or "LGPD" and the rights provided to them.

1. Responsibility for processing and transmitting personal data

Riiid Inc. ("Riiid") is the administrator of personal data collected in connection with its use.

2. Data Supervisor Contact

Riiid Data Protection Director in Brazil can be reached at support@riiid.co.

3. Rationale for processing

"Company" collects and uses personal data only if there is a legal basis. This includes processing.

4. Personal Data

1. Provides services and provides the requested resources.
2. Consent of the Foundation Holder;
3. For the fulfillment of legal or regulatory obligations;
4. Regular exercise of rights in judicial, administrative or arbitration proceedings;
5. For protection
6. Life or physical safety of a user or a third party;
7. For the legitimate benefit of "Company" or any third party;
8. Security and fraud prevention and credit protection.

15 Mexico user rights

 If you're an Riiid user in Mexico, you have the following rights with respect to "Company"'s handling of your personal information:

1. the right to access your personal information and request an explanation about how "Company" uses that information;
2. the right to rectify your personal information if you believe it is out of date, inaccurate, or incomplete;
3. the right to cancel your data if you believe it is not used in accordance with the principles, duties, and obligations set forth by Mexican data protection laws; and
4.  the right to object to "Company"’s processing of your data for certain purposes.

These rights are known under Mexican legislation as “ARCO rights.”

1.  To exercise your ARCO rights, please submit your request support@riiid.co “Exercise of ARCO rights/Mexico” at the beginning of your request.
2. When "Company" responds to your request, our customer support agents will ask you to provide the following information and documentation in the corresponding email communication:

1.  A copy of your official ID and/or the ID of your legal representative. Scan and attach these documents to the corresponding email communication. If you have a legal representative, please also attach a copy of their power of attorney.
2.  A clear and precise description of the personal information related to the ARCO right(s) you wish to exercise, as well as the right(s) to be exercised. This description could be included in the body of the email or in a scanned and attached document that you’ve initialed on each page.
3.  A statement from you expressly agreeing to receive our response through an email communication and specifying the corresponding email address.

3. "Company" will send a response within 20 business days after we receive your request. Once you receive our response, you’ll have 15 business days to respond to our communication. In case you don’t reply within that period of time, we’ll understand in good faith that you agree with our response.
4. Please note that "Company", as data controller, may refuse the exercise of your ARCO rights in the cases permitted by applicable law and will inform you about such decision. The refusal may be partial, in which case "Company" will carry out the access, rectification, cancellation, or objection in the corresponding part. If you’d like to limit the use and disclosure of your personal data or revoke your consent to its use, please also follow the process described above. If you revoke your consent, you won’t be able to use any service or feature that requires collection or use of the information we collected or used on the basis of consent. "Company" also provides the means for users to see and control the information we collect, including through in-app privacy settings and device permissions.

16 Transferring data to a third country

1. "Company" provides services in Korea, where its headquarters is located, and does not operate branches in other countries. Therefore, the transfer of personal information to Korea is inevitable to provide the service, and if you disagree, the service will not be provided. In order to support global services for the purpose specified in the Privacy Policy, users' personal information may be provided, processed, and stored outside the authorities.

17  Privacy Officer

1. Company shall designate privacy officer who comprehensively takes charge of personal information processing, manage complaints, and treat remedial compensation related to processing of personal information.

1. Privacy Officer

Name ： Ryan

Title: CTO

Phone number: 02-795-1221

Email address: ryan.yun@riiid.co

2. Privacy Department

Name of team: Growth Tribe

Person in charge: Ryan

Phone number 02-795-1221

Email address: ryan.yun@riiid.co

2. User may make an inquiry, complaint, request remedial compensation in relation   to personal information and may call Privacy Officer or Privacy Department. Upon such request from User, Company shall respond and take appropriate action without delay.

18 Applicable Laws on Personal Information

Company is incorporated in Republic of Korea and User’s personal information is collected, stored in Republic of Korea. Nonetheless, Company may transfer User’s personal information outside Republic of Korea pursuant to Article 5 in this Privacy Policy. Company will comply with laws, regulations of other countries and shall notify separate privacy policy in accordance with such laws and regulations. ’    

Effective Date : 28 / JUNE  2021..