CJ ENM’s Entertainment Division (the “Company”), the operator of the “Mwave” service (the “Service”), has enacted and abided by this privacy policy (the “Privacy Policy”) to actively protect the personal information of users (both members and non-members) collected by the Company and conform to related laws including the Personal Information Protection Act. The Privacy Policy informs users of the purposes and methods of collecting their personal information as well as the specific measures being taken to protect the collected personal information.

This Privacy Policy is posted on the Service for easy access by users at any time and includes the following information:

1. 1. Consent to collection/use of personal information;
2. 2. Items of personal information to be collected and purpose for collection/use;
3. 3 Period of retention and use, and destruction of personal information;
4. 4. Installation, operation, and rejection of automatic personal information collection devices (information collection through cookies);
5. 5. User rights regarding their personal information and how to exercise those rights;
6. 6. Data protection officer and responsible department;
7. 7. Consent to provision and sharing of personal information to third parties;
8. 8. Outsourcing of personal information processing;
9. 9. Restrictions on the use of the Service by children under 14;
10. 10. Technical and managerial protection of personal information; and
11. 11. Amendment of this Privacy Policy.

1. Consent to Collection/Use of Personal Information

To express your consent to the collection, use, provision to third parties, and outsourced processing of your personal information, carefully read the Terms of Use of Service, this Privacy Policy and the Form of Consent to Collection/Use of Personal Information on the Service webpage (https://www.mwave.me) and click the “Consent” button provided by the Service.

2. Items of Personal Information to be Collected and Purpose for Collection/Use

The Company shall collect and use the personal information of users as described below to the minimum extent possible for the provision of the Service. The personal information provided shall not be used for any purposes other than those agreed to by users. If the need arises to use any personal information for purposes other than those agreed to by users, the Company shall take necessary measures, such as seeking the additional consent of users in advance.

[Method of Collection]

• • Access to the Service by users, such as registration for the Service (web/mobile), participation in online and offline events, and inquiries about the Service via the Customer Service Center
• • Collection of generated information through log-analysis program
• • Collection of information through cookies

1. 1) (Required) Registration and Use of Service

   Purpose for Collection/Use	Membership registration, use of Mwave service, use of product purchase service, delivery of notices and announcements, prevention of illegal use and unauthorized use of defective members, response to service related inquiries and complaints, statistical analysis and research for improvement and optimization of service
   Items to be Collected	Name, nickname, email address, country / region, IP address, cookie information, date of birth, mobile phone number
   Retention Period	30 days from the membership withdrawal date

2. 2) (Optional) Product Purchase and Delivery

   Purpose for Collection/Use	Product purchase and delivery, communication of announcements to users, response to inquiries and complaints
   Items to be Collected	Purchaser information (name, email address) and payment information, and recipient information (name, mobile phone number, address, email address)
   Retention Period	30 days from the membership withdrawal date

3. 3) (Optional) Participation in and Attendance at Events

   Purpose for Collection/Use	Participation in events and sit-in audience, confirm identification and deliver notices related to voting/events/sit-in, handle inquiries and complaints
   Items to be Collected	Participant/winner information (name, mobile phone number, email address)
   Retention Period	365 days from the event & voting end date

4. 4) (Optional) Consent to Collection/Use of Personal Information for Delivery of Prizes to Event Participants

   Purpose for Collection/Use	Delivery of prizes for event participation, communication of announcements and handling of complaints
   Items to be Collected	Recipient information (name, mobile phone number, address, email address)
   Retention Period	365 days from the event end date

   1. ※ If the prize is subject to taxes, we may also collect and use the resident registration number and bank account information of the prize winner as permitted in the Income Tax Act.
   2. ※ If tax withholding is made, the retention period may increase to the extent necessary to comply with the applicable law, e.g., 5 years from the date immediately after the statutory due date for the relevant tax return under Article 85-3 of the Framework Act on National Taxes.
5. 5) (Optional) Consent to Receive Personalized Advertising and Marketing

   Purpose for Collection/Use	Information on various events, personalized advertising and other marketing activities
   Items to be Collected	Email address(ID), Name, Mobile phone number
   Retention Period	Destroyed upon the member’s request or 30 days from the membership withdrawal date

6. 6) Information Generated and Collected during Use of the Service or Processing of Personal Information

   The following information may be generated and collected for payment of usage fees and provision of personal services during the use of the Service or processing of personal information.

   1. • Frequency, length, and times of accessing the Service
   2. • Connection logs, connection IP addresses, cookies
   3. • Usage logs, session information, dates and times of visit
   4. • Device information (OS and version, screen size, terminal identification number and terminal ID, terminal model name, etc.)

3. Period of Retention and Use, and Destruction of Personal Information

1. 1) Period of retention and use

   The Company retains and uses each user’s personal information as described above in 2. Items of Personal Information to Be Collected and Purpose for Collection/Use. However, the Company may retain or store the user’s personal information for a longer period if required by relevant laws as prescribed in 2) Period of retention and preservation below or if the Company has obtained the user’s additional consent on the retention and use of his/her personal information for a prolonged period.

2. 2) Period of retention and preservation

   If it is necessary to preserve any personal information for the period agreed to by users or in accordance with the provisions of relevant laws, such as the Commercial Act and the Act on the Consumer Protection in Electronic Commerce, etc., the Company retains such personal information for a certain period of time as stipulated in the relevant laws and regulations. In such case, the Company uses the retained information only for the purpose of such retention, with the period of preservation as follows:

   • • Records related to cancellation of contracts or subscriptions: 5 years (Act on the Consumer Protection in Electronic Commerce, etc.)
   • • Records related to payment and supply of goods: 5 years (Act on the Consumer Protection in Electronic Commerce, etc.)
   • • Records related to handling of consumer complaints or disputes: 3 years (Act on the Consumer Protection in Electronic Commerce, etc.)
   • • Records related to connections of visitors (logs): 3 months (Protection of Communications Secrets Act)
   • • Other reasons for retention and preservation
     - Where transaction records are required to be retained under the Framework Act on National Taxes
     - Where the approval of users has been gained
3. 3) Process and method of destruction of personal information
   1. A. Process of Destruction: Information provided by users for service subscription or other Service-related purposes is transferred to a separate database after the purpose of provision is achieved, stored in the database for a certain period according to internal policies and other relevant laws and regulations, and then destroyed by the method specified in subparagraph (c) below. Personal information transferred to a separate database will not be used for any other purpose unless it is retained by law.
   2. B. Subject of Destruction: Any personal information of users for which the retention period and any preservation period under relevant laws have expired.
   3. C. Method of Destruction
      • Personal information written and printed: Shredded or incinerated
      • Personal information stored in the form of an electronic file: Deleted using a technical method that makes it impossible to reproduce the record.

4. Installation, Operation and Rejection of Automatic Personal Information Collection Devices

① Cookie
This cookie notice sent by the Company provides the description and content of cookies, as well as the methods for collecting and purposes of using them. It also introduces users’ right to refuse the installation of cookies when visiting the website. The Company may at any time change its cookie notice. Such changes shall take effect at the point of posting the revised cookie notice on the Service webpage or the Company website (https://www.mwave.me).

• - What are cookies?
  Cookies are generated automatically in the course of accessing the Service, etc., by users. Cookies are small text data files sent to the user’s web browser (Microsoft Edge, Internet Explorer, Chrome, Firefox, etc.) from the server used to operate the Company website. They are collected and stored in the user’s access devices (computers, mobile devices, etc.).
• - What do cookies do?
  The Company can authenticate the user by reading the cookies stored in the user’s computer or mobile device when the user logs in to the Company website. It can also enhance the Service, prevent illegal use, confirm user errors, and offer customized services and ads by analyzing past access to the Service, access time and frequency, and other information generated or provided (entered) in the course of using the Service.

[Essential Cookies]

※ Essential cookies are necessary for the correct functioning of a website and cannot be arbitrarily turned off. They are typically set only in response to each user’s service requests such as privacy default settings, logging in, and filling out forms. Users are allowed to set their browser to block or warn about the collection of cookies provided by the Company. However, if these cookies are not accepted, access to certain content and services offered by the website may be rejected. These cookies do not store personally identifiable information.

[ Optional Cookies ]

• - Cookie Notice and Applicability, Third-party Cookies
  

  This cookie notice applies to “https://mwave.me” only. Users may receive third-party cookies from service providers to the Company when using the website, but the Company does not provide cookies it collects to third parties. Service providers to the Company may send cookies to the user to track the user’s browser on various websites and to build a web surfing profile on the user.

• - How to reject the collection of cookies
  
  1. 1) Internet Explorer
     Tools menu at the top of the web browser > Internet Options > Privacy > Settings
  2. 2) Chrome
     Settings menu on the right side of the web browser > Show advanced settings at the bottom of the screen > Content setting button for personal information > Cookies
  3. 3) Microsoft Edge
     Settings menu at the top of the web browser > Cookies and Site Data > Choose What to Clear
• - Contact regarding cookies Contact us for any inquiries or problems.

5. User Rights regarding Their Personal Information and How to Exercise Those Rights

Pursuant to the Personal Information Protection Act of Korea, users are entitled to the following rights as the owner of their personal information (the Supplemental Notice for California Consumers posted at the bottom of the Privacy Policy page shall apply to residents of California).

• 1) Users may at any time visit the Company website (http://www.mwave.me) to access, modify, and delete their registered personal information.
• 2) Users may request to access, modify, and delete their registered personal information by clicking “Personal Information Modification” under 'My Page'

   

  or by contacting the data protection officer, staff in charge, or Customer Service Center in written form, via email, or by telephone. The Company shall take immediate measures to process the request after user identity verification through an evidential document (i.e., resident registration card, passport, and driver’s license).
• 3) When a proxy of a user requests access to or confirmation of the user’s personal information, or exercise of the user’s rights under Article 9 of this Privacy Policy, the Company requires the presentation of a power of attorney, a certificate of seal impression, and the ID of the proxy to verify the principal-agent relationship with the user.
• 4) If a user requests correction of an error in his/her personal information, the Company does not use or provide his/her personal information until the error is corrected. If the Company has already provided the erroneous personal information to a third party, the Company must immediately notify such third party of the results of the correction.
• 5) Users may request the withdrawal of their consent to the collection and use of their personal information as well as the suspension of the outsourced processing and provision of their personal information to a third party. Such a withdrawal of consent and request for suspension shall be immediately processed after user identity verification by clicking “Personal Information Modification” or “Withdrawal from Membership” under “My Page” or by contacting the Customer Service Center.
• 6) The Company may restrict access to or modification of personal information or refuse the request for the suspension of personal information processing in the following exceptional cases:
  
  1. A. Where there is a risk of harm to the life or body of another person or infringement of the property rights or other interests of another person;
  2. B. Where it is required by law or it is deemed inevitable to observe duties defined by law; or,
  3. C. Where it is deemed impossible to fulfill the provisions of a contract (i.e., failure to provide contracted services to the user) unless personal information is processed and the user has not clearly shown any intention of canceling the contract.

6. Data Protection Officer and Responsible Department

The Company has appointed a data protection officer and designated the responsible department for smooth communication with customers regarding their personal information. If you need to consult on or report an infringement of your personal information, please contact the person in chanrge or forward your inquiries to the following institutions.

1. Data Protection Officer: CJ ENM Live Entertainment Business Department, Kim Hyun Su

If you need to consult on or report an infringement of your personal information, please contact the data protection officer and the responsible person by phone or e-mail, or contact the following institutions.

• - KISA Personal Information Infringement Report Center (http://privacy.kisa.or.kr / 118without area code )
• - Cyber Investigation Division of the Supreme Prosecutors’ Office (http://www.spo.go.kr / 1301 without area code )
• - Korean National Police Agency Cyber Bureau (ECRM) (https://ecrm.cyber.go.kr / 182 without area code )
• - Personal Information Dispute Mediation Committee (http://kopico.go.kr / 1833-6972 without area code )

7. Consent to Provision and Sharing of Personal Information with Third Parties

The Company uses each user’s personal information only within the scope specified in the “Terms of Service” or this “Privacy Policy,” and does not use personal information beyond the specified scope or provide it to a third party unless there is prior consent from the user or when requested or permitted according to the regulations and procedures set by relevant laws and regulations.

8. Outsourcing of the Processing of Personal Information

The Company outsources the processing of personal information, such as management of service user agreements, provision of after-sales services, and performance of any other incidental business, for greater user convenience and better management. All outsourced processors of personal information are strictly bound, through outsourcing contracts, to the obligations to: (i) comply with relevant laws, regulations and guidelines; (ii) protect and keep confidential the personal information to which they have access, (iii) not disclose the personal information to any third party, (iv) be liable for any accident regarding that personal information, and (v) return or destroy the personal information immediately upon expiry of the outsourcing contact period.
The Company requires outsourced processors to take all mandatory or necessary measures to protect the personal information transferred to them, and remains liable for any damage users may suffer that is attributable to willful misconduct or negligence of the outsourced processor(s).

※ Please note that we do not receive money or other valuable consideration from the outsourced processor in return for the outsourcing of the processing of personal information.

9. Restriction on the Use of the Service by Children under 14

The Service does not accept registration for membership of children under the age of 14 (in Korea) / 16 (outside Korea) as they are minors and the collection and use of their personal information requires the consent of their legal representative . Entering false birth dates when registering for the Service constitutes a violation of the Company’s terms of the Service for which the Company is not responsible. If a child under the aforementioned age has created an account, the legal representative is strongly advised to request deletion or temporary suspension of the account through the [Customer Service] Account deletion requests can be canceled within 30 days through the customer center.

10. Technical and Managerial Protection of Personal Information

The Company has implemented the following technical and managerial safeguards to protect users’ personal information from loss, theft, leakage, alteration or damage.

• 1) Technical measures
  
  1. A. Personal information is protected by a password, and important data is protected through separate security functions, such as file and transmitted data encryption or use of the file lock function.
  2. B. Antivirus software is used to prevent damage from computer viruses. Antivirus software is updated periodically, and in the event of a sudden virus outbreak, the vaccine for the virus is introduced and applied as soon as it is released to prevent infringement of personal information.
  3. C. SSL, a security protocol, has been adopted to help ensure personal information is transmitted safely through the network.
  4. D. In order to prevent leakage of users’ personal information by hacking or other unauthorized access, the system is maintained in an area where access from outside is restricted, with intrusion-blocking devices in use.
• 2) Managerial measures
  
  1. A. The Company has procedures in place needed for appropriate management of and access to users’ personal information. Company officers and employees are required to understand and comply with these procedures and compliance is monitored regularly.
  2. B. The Company keeps the number of persons who can process users’ personal information to a minimum, controls access rights, and ensures compliance with laws and policies through education and training. Persons who process users’ personal information are the following:
     • • Persons who deal directly or indirectly with users as they handle business;
     • • The data protection officer, responsible person, and others engaged in personal information management and protection duties; and
     • • Others who need access to users’ personal information to engage in their work duties.
  3. C. The Company requires new employees to sign an information protection pledge, reminds all of its employees from time to time of their duty to protect personal information, and has in place internal procedures to audit their compliance with such duties to prevent leakage of personal information by its employees.
  4. D. The handover of duties of personal information manager takes place under strict security, and responsibilities for personal information incidents are clearly defined for both current and former employees.

11. Amendment of this Privacy Policy

This Privacy Policy may be subject to additions, deletions or amendments for a variety of reasons, including enactment of new or amendment of existing law, and changes made to government policy or applicable security technology. Any amendment of this Privacy Policy will be posted in advance on the Company’s website.

• - Current version: 1.5
• - Date of notice: 2024.01.24
• - Date of implementation: 2023.01.31

※ Supplemental Notice for California Consumers

1. Notice of Collection and Use of Personal Information

1. 1) During the 12-month period prior to the effective date of this privacy policy, the Company may have collected the following categories of personal information about you :
   
   

   Information you provide directly to us :

   • - Real name, alias, postal address, email address, account name, or other similar identifiers
   • - Personal information listed in the California Customer Records statute (Cal. Civ. Code §1798.80): Name, address, telephone number, credit card number, debit card number, or any other financial information. (Some personal information included in this category may overlap with other categories.)
   • - Protected classification characteristics under California or federal law : Age, national origin, citizenship, sex.
   • - Commercial information : products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
   
   

   Information we collect automatically:

   • - Internet or other similar network activity : Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement, Internet Protocol address, or unique personal or online identifiers
   • - Inferences drawn from other personal information to create a profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
     We may also receive the categories of information described above from other sources, including from internet service providers and data analytics providers.
2. 2) The Company may use the categories of personal information listed above for the following purposes:
   1. - User Membership registration
   2. - use of Mwave service
   3. - use of product purchase service
   4. - Receipt of notices related to the use of services
   5. - Prevention of improper/unauthorized use of services
   6. - Responding to inquiries/complaints related to services
   7. - Statistical analysis and research for service improvement and optimization development
   8. - Purchase/delivery of products
   9. - Participation in events/prize draws
   10. - Receipt of notices related to User verification and voting/events/prize draws/sit-in, processing of related complaints
   11. - Award and delivery of gifts/prizes due to event participation, receipt of related notices and processing of complaints
   12. - Notices related to various events
   13. - Individualized targeting advertisements and various marketing activities

2. Disclosure of your personal information

1. 1) During the 12-month period prior to the effective date of this privacy policy, the Company may have shared your personal information with certain categories of third parties, as described below.
   • - Vendors that provide services on our behalf (e.g. shipping company, payment company)
   • - Advertising networks
   • - Business partners
   • - Internet service providers
   • - Data analytics providers
   • - Professional services organizations, such as auditors and law firms
   • - Social networks
     The categories of personal information disclosed in this way are as shown in 1.1) above.
     The Company does not sell personal information of members residing in California that was collected through the Mwave Website.

3. Privacy Rights for California Consumers

Members who are California residents may have various rights related to their personal information, and will not receive discriminatory treatment with regards to using the Website for exercising such rights.

1. 1) Access
   Members who are California residents may exercise their right to request access to personal information collected via Mwave Website related to matters described below. However, the Company may deny such request to access if permitted under the CCPA.
   1. (1) Categories of personal information the Company has collected about you over the past 12 months and categories of sources from which the personal information was collected
   2. (2) Business or commercial purpose(s) for the Company’s collection of your personal information
   3. (3) Categories of personal information the Company discloses for a business purpose, and categories of third parties with whom the Company has shared your personal information
   4. (4) Specific pieces of personal information the Company has collected about you
      If you wish to request such access to your personal information, please do so by using the following link.[Request access to personal information]The Company will need to verify your identity in order to fulfill such request. The Company will do so in accordance with the applicable law. Also, you may request to exercise your right to access using.
2. 2) Deletion
   Members who are California residents may exercise their right to request deletion of their personal information. However, the Company may deny such deletion request if permitted under the CCPA. When members who are California residents request deletion, the Company permanently deletes all personal information of members by membership withdrawal. Therefore, in order to use the Website after deletion of personal information, you must register again to the Website. Please note that registration will be prohibited for 7days after withdrawal in order to prevent improper use of the Company’s services.
   If you wish to request such deletion of your personal information, please do so by using the following link.[Deletion] The Company will need to verify your identity in order to fulfill such request. The Company will do so in accordance with the applicable law. Also, you may request to exercise your right to deletion using.
3. 3) Opt-Out of Sale
   The Company does not sell personal information of members residing in California that was collected through the Mwave Website. If the Company sells personal information in the future, members will be notified in advance, and members residing in California will have the right to opt-out of the sale of their personal information.
4. 4) Shine the Light Request
   The Company does not share personal information with third parties for their direct marketing purposes.
5. 5) Eraser Law Request
   If you are a California resident under the age of 18 and are a registered user of the Website, then you may request that we remove any submission you publicly posted on or in the Website. To request removal of a submission, please email a detailed description of the submission to [Customer Service]. You may also be able to log into your account and delete your own submission. The Company reserves the right to ask you to provide information that enables us to confirm that the submission in question was created and posted by you.

※ You may appoint an authorized agent to exercise your rights on your behalf. In order for the Company to honor a request made by your agent, you must submit proof of your written authorization of the agent. The Company may also require you to verify your own identity with the Company consistent with the verification procedures described above.