Ayusha (hereinafter referred to as the "Company") establishes and discloses the following processing policy to protect users' personal information in accordance with the Personal Information Protection Act and related laws and to promptly and smoothly resolve related issues.

1. Purpose and Items of Personal Information Collection

The Company collects and uses personal information for the following purposes. The processed personal information will not be used for any purpose other than the following.

1) Purpose of Collection

Providing services and managing membership

Handling customer inquiries and complaints

Compliance with laws and contract execution

2) Collected Items

Required items: Name, Email, Contact Information

Automatically collected items: Connection IP information, Cookies, Visit records

2. Retention and Use Period of Personal Information

The Company destroys personal information without delay once the purpose of collection and use is achieved. However, personal information is retained for the period specified by law.

• Membership registration and management: 5 years after membership withdrawal

• Contract and withdrawal of subscription: 5 years after contract or withdrawal of subscription

• Legal obligations: Adherence to the preservation period as per related laws

3. Rights of Information Subject and Exercise Methods

Users can request to view, correct, or delete their personal information at any time. Requests can be made via written form, email, or phone.

Until the correction or deletion is processed, the concerned personal information will not be used.

4. Destruction of Personal Information

Personal information is immediately destroyed once the purpose of processing is achieved. The procedure and methods of destruction are as follows:

• Electronic files: Deleted using technical methods that prevent recovery

• Paper documents: Shredded or incinerated

5. Measures for Protecting Personal Information

The Company takes the following measures to protect personal information.

• Minimizing and educating employees handling personal information

• Establishing and implementing internal management plans

• Operating security systems to prevent external intrusions such as hacking

• Keeping and inspecting access records of personal information processing systems for at least 6 months

6. Delegation of Personal Information Processing

The Company may delegate personal information processing tasks externally to provide smooth services. In such cases, notification and consent regarding the delegate and the content of the delegation are obtained in advance.

7. Report and Consultation on Personal Information Infringement

If you need to report or consult on personal information infringement, please contact the following institutions:

• Personal Information Dispute Mediation Committee: www.kopico.go.kr 1833-6972

• Personal Information Infringement Report Center: privacy.kisa.or.kr 118

• Supreme Prosecutors' Office Cyber Investigation Department: www.spo.go.kr 1301

• Cyber Bureau of the National Police Agency: cyberbureau.police.go.kr 182

8. Changes to Personal Information Processing Policy

If the Company changes the personal information processing policy, the changes and reasons will be announced at least 7 days in advance.

9. Personal Information Protection Officer

The Company endeavors to oversee the personal information processing work comprehensively and to handle complaints and damages relief efforts.

• Personal Information Protection Officer:

This policy is effective from January 14, 2026.