Hugel, Inc. (hereinafter referred to as the "Company") complies with the Personal Information Protection Act and related laws and regulations to protect the freedom and rights of information subjects, and process personal information lawfully and securely. In accordance with Article 30 of the Personal Information Protection Act, the Company establishes and discloses a privacy policy to guide information subjects on the procedures and standards for processing personal information and to handle related complaints promptly and smoothly.

Article 1. Purpose of Processing Personal Information

The Company processes personal information for the following purposes. Personal information processed by the Company will not be used for purposes other than those specified below, and in the event that the purpose of use is changed, the Company will take necessary measures, such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.

1. Inquiry Response
Personal information is processed for the purpose of providing services for various inquiries, including customer inquiries, recruitment inquiries, and business partnerships.
2. Cyber Whistleblower Center (Cyber Sinmungo) Response
Personal information is processed to verify and respond to reports regarding illegal, unfair, or unethical conduct by executives and employees (including, if necessary, further verification of report details, notification of receipt, and reward for reporting).
3. Cyber Whistleblower Center Email Verification
Personal information is processed for the purpose of sending verification emails to prevent false or malicious reporting, and to notify the reporter of the processing results.

Article 2. Personal Information Processing and Retention Period

The Company collects and uses personal information within the minimum extent necessary to provide its services in accordance with the Personal Information Protection Act.

1. Personal Information Processed Without Consent There are no categories of personal information processed without the consent of the data subject.
2. Personal Information Processed With Consent The Company processes the following categories of personal information with the consent of the data subject, pursuant to Article 15, Paragraph 1, Subparagraph 1 and Article 22, Paragraph 1, Subparagraph 1 of the Personal Information Protection Act.

※ Email verification (entering an email address and confirming the verification code) is required to prevent false or malicious reports. Please be advised that the email address you enter will not be disclosed to the personnel in charge of the Cyber Whistleblower Center.

Article 3: Processing and Retention Period of Personal Information

1. The Company processes and retains personal information within the period of retention and use in accordance with relevant laws or the period agreed upon by the data subject at the time of collection.
2. The general processing and retention period for personal information is one (1) year. (However, if separate storage is required, such as for whistleblowing rewards, the information will be retained until the relevant purpose is achieved.)
3. In cases where preservation is required under relevant laws and regulations as shown below, the Company shall preserve the information for the specified period:

Article 4. Personal Information Destruction Procedure and Method

1. When personal information becomes unnecessary due to the expiration of the retention period of personal information, the achievement of the processing purpose, etc., the Company promptly destroys the relevant personal information.
2. If personal information must be retained pursuant to other laws despite the expiration of the agreed-upon retention period obtained from the information subject or the achievement of the processing purpose, the Company transfers the personal information to a separate database (DB) or stores it in a different location.
3. The procedure and method of personal information destruction are as follows.
1) Destruction Procedure: The department or person in charge responsible for the relevant information selects the personal information for destruction when the reason for destruction occurs and proceeds to destroy the personal information according to the following method of destruction.  
2) Destruction Method: The Company destroys personal information recorded or stored in electronic file from in a manner that the records cannot be regenerated, and shreds or incinerates personal information recorded or stored in paper documents.

Article 5. Provision of personal data to a third party

1. The company processes the personal information of the information subject only within the scope specified in the purpose of processing the personal information, and only processes personal information in cases that fall under Articles 17 and 18 of the Personal Information Protection Act, including the consent of the information subject and special provisions of the law. Other than providing it to third parties, the personal information of the information subject is not provided to third parties.
2. In order to provide smooth service, the company obtains the consent of the information subject in accordance with Article 17, Paragraph 1, Item 1 of the Personal Information Protection Act in the following cases and provides only the minimum necessary scope.

※ For anonymous reporting, your personal information will not be provided. Only the content of the report you provide—including the subject's name, affiliation, type of misconduct, related business unit/department or task, subject, description, and attachments—may be provided.

Article 6. Outsourcing of Personal Information Processing

1. For efficient handling of personal information tasks, the Company entrusts the processing of personal information as follows:

2. When entering into outsourcing contracts, the Company complies with Article 26 of the Personal Information Protection Act. It specifies in documents such as contracts the prohibition of processing personal information for purposes other than performing entrusted tasks, technical and administrative protective measures, restrictions on re-outsourcing, management and supervision of trustees, and liability for damages, ensuring that trustees handle personal information securely.
3. Pursuant to Article 26(6) of the Personal Information Protection Act, the Company obtains consent if the trustee re-outsources its personal information processing tasks.
4. In the event of changes in the content of outsourcing tasks or trustees, the Company will promptly disclose such changes through this privacy policy.

Article 7. Overseas Transfer of Personal Information

The Company entrusts and stores personal information on overseas servers as follows to ensure the seamless provision of website services:
1. Legal Basis for Transfer: Article 28-8, Paragraph 1, Subparagraph 3 of the Personal Information Protection Act (Overseas entrustment and storage of personal information for the performance of a contract).
2. Countries of Transfer: United States, Germany (for Cyber Whistleblower Center services).
3. Schedule and Method of Transfer: Transferred via encrypted network at the time of service use.
4. Personal Information Items Transferred: Categories of personal information as specified in Article 2.
5. Recipient of Information: Cloudflare, Amazon.
6. Recipient’s Purpose of Use: Website infrastructure operation and server management (data storage and system maintenance).
7. Retention and Use Period: Identical to the retention periods specified in Article 3 of this Privacy Policy.
8. Right to Refuse and Consequences: If you refuse the overseas transfer of your personal information, use of the relevant services may be restricted. If you do not wish for your information to be transferred overseas, please discontinue the use of the "Contact" and "Cyber Whistleblower Center" sections on the website. If you have already entered your personal information, please contact the Personal Information Protection Department specified in Article 10 to request its deletion.

Article 8. Measures to Ensure the Security of Personal Information

To ensure the security of personal information, the Company has implemented the following measures:
1. Administrative Measures: Establishment and implementation of internal management plans, operation of dedicated organizations, regular employee training, etc.
2. Technical Measures: Management of access rights to personal information processing systems, installation of security programs, etc.
3. Physical Measures: Access control to computer rooms, data storage rooms, etc.

Article 9. Rights, Obligations, and Methods of Exercising Rights of Information Subjects and Legal Representatives

1. Data subjects may exercise their rights to request access to, correction of, deletion of, or suspension of processing of their personal information from the Company at any time. ※ The "Personal Information Processing Request Form" can be obtained by contacting the Personal Information Protection Department (privacy@hugel-inc.com).
2. Rights may be exercised in writing, via email, or by facsimile (FAX) in accordance with Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act, and the Company will take action without delay.
3. Rights may also be exercised through a legal representative or an authorized agent of the data subject. In this case, a power of attorney must be submitted in accordance with Form No. 11 of the "Notification on the Method of Processing Personal Information (No. 2023-12)." ※ The "Power of Attorney Form" can be obtained by contacting the Personal Information Protection Department (privacy@hugel-inc.com).
4. The right of a data subject to request access to or suspension of processing of personal information may be restricted pursuant to Article 35, Paragraph 4 and Article 37, Paragraph 2 of the Personal Information Protection Act.
5. A request for deletion of personal information may be restricted if the personal information is explicitly specified as a subject of collection under other laws and regulations.
6. Upon receiving a request for access, correction, deletion, or suspension of processing according to the data subject's rights, the Company shall verify whether the person making the request is the data subject themselves or a legitimate representative.
7. If a data subject is dissatisfied with or has an objection to the measures taken regarding the access, correction, deletion, or suspension of processing of personal information, they may file an objection by submitting an "Objection Form" to the Personal Information Protection Officer. ※ The "Objection Form" can be obtained by contacting the Personal Information Protection Department (privacy@hugel-inc.com).
8. Requests for access, correction, deletion, and suspension of processing of personal information should be submitted to the Personal Information Protection Department, and such requests will be processed without delay in accordance with relevant laws and regulations.

Article 10. Personal Information Security Officer

1. The Company is responsible for overseeing personal information processing tasks and has designated a personal information protection manager for handling complaints and remedies related to personal information processing. The details are as follows:
1) Personal Information Security Officer
Department, Name, Position: Security Office, Jo Hyun Sik, Director
Contact: privacy@hugel-inc.com / 02-6966-1600
2) Personal Information Security Department    
Department Name: Security Office, Security Team 1
Contact: privacy@hugel-inc.com / 02-6966-1600
※ This department also handles personal information access requests.
2. Information subjects can contact the personal information security officer and the department in charge regarding all inquiries, complaints, and remedies related to personal information protection arising from the use of the Company's services (or business). The Company will promptly respond and address inquiries of information subjects.

Article 11. Remedies for Rights Infringement

1. Information subjects may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee, Korea Internet & Security Agency Personal Information Infringement Report Center, and other relevant institutions, to seek resolution for personal information breaches. For other reports or consultations regarding personal information breaches, please contact the following organizations:
 1) Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
 2) Personal Information Infringement Report Center: 118 (privacy.kisa.or.kr)
 3) Supreme Prosecutors' Office of the Republic of Korea: 1301 (www.spo.go.kr)
 4) National Police Agency: 182 (ecrm.cyber.go.kr)
2. The Company ensures information subjects' right to self-determination of personal information and endeavors to provide consultation and remedy for damages caused by personal information breaches. If reporting or consultation is necessary, please contact the following department:
 1) Customer Consultation and Reporting for Personal Information Protection  
   Department Name: Security Office, Security Team 1
   Contact: privacy@hugel-inc.com / 02-6966-1600
3. According to the provisions of Article 35 (Access to Personal Information), Article 36 (Correction or Deletion of Personal Information), and Article 37 (Suspension of Personal Information) of the ‘Personal Information Protection Act’, individuals who have suffered infringement of rights or interests due to the actions or omissions of a public institution’s head in response to requests based on those provisions may file an administrative appeal in accordance with the Administrative Appeals Act.
  1) Central Administrative Appeals Commission: (Without area code) 110 (www.simpan.go.kr)

Article 12. Privacy Policy Change

1. This Privacy Policy will be effective from April 24, 2026.
2. In the event of changes to the Privacy Policy, we will provide access to previous versions on this page.
∙ From July 1, 2025 to April 23, 2026
∙ From August 1, 2024 to June 30, 2025
∙ From April 1, 2024 to July 31, 2024