CJ ENM (the “Company”), operator of the “Mwave” service (the “Service”), has enacted this privacy policy (this “Privacy Policy”) in order to provide users of the Service with detailed information on the purposes for and methods of collecting their personal information as well as measures being taken to protect the personal information.

This Privacy Policy is posted on the Service for easy access by users at any time and includes the following information:

1. 1. Consent to collection/use of personal information;
2. 2. Items of personal information to be collected and purpose for collection/use;
3. 3 Period of retention and use, and destruction of personal information;
4. 4. Installation, operation and rejection of automatic personal information collection devices;
5. 5. User rights regarding their personal information and how to exercise those rights;
6. 6. Data protection officer and responsible department;
7. 7. Consent to provision and sharing of personal information to third parties;
8. 8. Outsourcing of the processing of personal information;
9. 9. Rights of data subjects;
10. 10. Restrictions on children’s use of the Service;
11. 11. Technical and managerial protection of personal information; and
12. 12. Amendment of this Privacy Policy.

1. Consent to Collection/Use of Personal Information

To express your consent to the collection, use, provision to third parties, and outsourced processing of your personal information, carefully read the Terms of Use of Service, this Privacy Policy and the Form of Consent to Collection/Use of Personal Information on the Company’s website and click the “Consent” button.

2. Items of Personal Information to be Collected and Purpose for Collection/Use

The company collect and use the user’s personal information as described below

[Method of Collection]

• • Registration for the Service (web/mobile)
• • Collection of generated information through log-analysis program
• • Collection of information through cookies

1. 1) (Required) Registration and Use of Service

   Purpose for Collection/Use	Registration, Using Mwave and the product purchase service, communication of announcements to users Prevention of illegal or unauthorized use of the Service, response to inquiries and complaints Statistical analysis and research towards improving the Service and developing optimizations
   Items to be Collected	[Registration on Mwave website] Name, nickname, email, country / region, IP address, cookie information, date of birth, gender
   Retention Period	30 days from the membership withdrawal date

2. 2) (Optional) Product Purchase and Delivery

   Purpose for Collection/Use	Product purchase and delivery, communication of announcements to users, response to inquiries and complaints
   Items to be Collected	Purchaser information (name, email address) and payment information, and recipient information (name, mobile phone number, address, email address)
   Retention Period	30 days from the membership withdrawal date

3. 3) (Optional) Participation in and Attendance at Events

   Purpose for Collection/Use	Participation in and attendance at events, identity verification, communication of announcements, handling of complaints
   Items to be Collected	Participant/winner information (name, mobile phone number, email address)
   Retention Period	365 days from the event end date

4. 4) (Optional) Consent to Collection/Use of Personal Information for Delivery of Prizes to Event Participants

   Purpose for Collection/Use	Delivery of prizes for event participation, communication of announcements and handling of complaints
   Items to be Collected	Recipient information (name, mobile phone number, address, email address)
   Retention Period	365 days from the event end date

   1. ※ If the prize is subject to taxes, we may also collect and use the resident registration number and bank account information of the prize winner as permitted in the Income Tax Act.
   2. ※ If tax withholding is made, the retention period may increase to the extent necessary to comply with the applicable law, e.g., 5 years from the date immediately after the statutory due date for the relevant tax return under Article 85-3 of the Framework Act on National Taxes.
5. 5) (Optional) Consent to Receive Personalized Advertising and Marketing

   Purpose for Collection/Use	Information on various events, personalized advertising and other marketing activities
   Items to be Collected	Email address, optional cookie information, gender, age, IP address
   Retention Period	Destroyed upon the member’s request or 30 days from the membership withdrawal date

6. 6) Information Generated and Collected during Use of the Service or Processing of Personal Information

   The following information may be generated and collected for payment of usage fees and provision of personal services during the use of the Service or processing of personal information.

   1. • Frequency and times of use of the Service, and usage logs
   2. • Connection logs, connection IP addresses, cookies
   3. • Usage logs, session information, dates and times of visit
   4. • Device information

3. Period of Retention and Use, and Destruction of Personal Information

1. 1) Period of retention and use

   The Company retains and uses each user’s personal information as described above in Section However, the Company may retain the user’s personal information for a longer period if required by relevant laws and only to the extent so required or if the Company obtained the user’s consent for a prolonged period of retention and use.

2. 2) Period of retention and preservation

   If it is necessary to preserve any personal information in accordance with the provisions of relevant laws, such as the Commercial Act and the Act on the Consumer Protection in Electronic Commerce, etc., the Company retains such personal information for a certain period of time as stipulated in the relevant laws and regulations. In such case, the Company uses the retained information only for the purpose of such retention, with the period of preservation as follows:

   • • Records related to cancellation of contracts or subscriptions: 5 years (Act on the Consumer Protection in Electronic Commerce, etc.)
   • • Records related to payment and supply of goods: 5 years (Act on the Consumer Protection in Electronic Commerce, etc.)
   • • Records related to handling of consumer complaints or disputes: 3 years (Act on the Consumer Protection in Electronic Commerce, etc.)
   • • Records related to connections of visitors (logs): 3 months (Protection of Communications Secrets Act)
   • • Other reasons for retention and preservation
     - Where transaction records are required to be retained under the Framework Act on National Taxes
3. 3) Process and method of destruction of personal information
   1. A. Process of Destruction: Information provided by users for service subscription or other Service-related purposes is transferred to a separate database after the purpose of provision is achieved, stored in the database for a certain period according to internal policies and other relevant laws and regulations, and then destroyed by the method specified in subparagraph (c) below. Personal information transferred to a separate database will not be used for any other purpose unless it is retained by law.
   2. B. Subject of Destruction: Any personal information for which the retention period and any preservation period under relevant laws have expired.
   3. C. Method of Destruction
      • Personal information written and printed: Shredded or incinerated
      • Personal information stored in the form of an electronic file: Deleted using a technical method that makes it impossible to reproduce the record.
4. 4) Application of personal information expiration periods
   1. A. Pursuant to the Personal Information Protection Act and its Enforcement Decree, the Company deletes or separately stores and manages the personal information of a user who has not used the Service or otherwise shown any related activity for a period of 1 year (the “Personal Information Expiration Period”) for protection of the personal information and prevention of loss with a prior notice to the user.
   2. B. The Company gives a prior notice to the user whose personal information is to expire in 30 days to the email address entered in the “User Information” tab, provided, however, that the Company continues to preserve such information if
      1. (i) consent thereto is given by the user, including in the form of a request for extension or renewal of the Personal Information Expiration Period or
      2. (ii) another preservation period is provided in other laws or regulations, in which case for the period set forth in such laws or regulations.

4. Installation, Operation and Rejection of Automatic Personal Information Collection Devices

① Cookie
This cookie notice provides a description of cookies, the content and methods of collection, reasons for using them, and the right of data subjects to refuse the installation of cookies when visiting a website. The Service may change its cookie notice at any time. Changes will take effect when the amended cookie notice is posted on the Service’s webpage or on the Company’s website.

• - What are cookies?
  Cookies are data files sent to the user’s web browser (Internet Explorer, Chrome, Firefox, etc.).
• - What do cookies do?
  When a user visits the Service, the Company reads the content of the cookies stored in the user’s PC/mobile device and uses it to authenticate the user while the customer is logged on. In addition, cookies allow the Company to customize its services and advertising to each user by analyzing the information of the Service visited, access time and frequency, as well as other information generated or provided (entered) in the course of using the Service.

※ Essential cookies are necessary for the website to operate and cannot be turned off in our system. They are usually set only in response to your actions, which are service requests such as privacy default settings, logging in, or filling out forms. You can set your browser to block or warn you about these cookies, but if these cookies are not accepted, some parts of the website may not work. These cookies do not store personally identifiable information.

• - Cookie Notice and Applicability, Third-party Cookies
  

  This cookie notice applies to “https://mwave.me” only. Data subjects may receive third-party cookies from service providers to the Company when using the website, but the Company does not provide cookies it collects to third parties. Service providers to the Company may send cookies to the user to track the user’s browser on various websites and to build a web surfing profile on the user.

• - How to reject cookies
  
  1. 1) Internet Explorer
     Tools menu at the top of the web browser > Internet Options > Privacy > Settings
  2. 2) Chrome
     Settings menu on the right side of the web browser > Show advanced settings at the bottom of the screen > Content setting button for personal information > Cookies
• - Contact regarding cookies
  mwave.shop@cj.net for any inquiries or problems

5. User Rights regarding Their Personal Information and How to Exercise Those Rights

Users may at any time visit the website and access or modify their registered personal information and request a withdrawal of their consent to the collection, use, outsourced processing or provision of their personal information and of their membership.

• 1) Users may request access to or confirmation of their personal information through the website or the customer service center.
• 2) The Company verifies the identity of the user requesting access to or confirmation of his/her personal information.
• 3) When a proxy of a user requests access to or confirmation of the user’s personal information, or exercise of the user’s rights under Article 9 of this Privacy Policy, the Company requires the presentation of a power of attorney, a certificate of seal impression, and the ID of the proxy to verify the principal-agent relationship with the user.
• 4) If a user requests correction of an error in his/her personal information, the Company does not use or provide his/her personal information until the error is corrected. If the Company has already provided the erroneous personal information to a third party, the Company must immediately notify such third party of the results of the correction.
• 5) The Company may exceptionally restrict access to or modification of personal information in the following cases:
  
  1. A. Where there is a risk of harm to the life or body of another person or unfair infringement of the property rights or other interests of another person; or
  2. B. Where access is restricted or prohibited by law.

6. Data Protection Officer and Responsible Department

The Company has appointed a data protection officer and designated the responsible department for smooth communication with customers regarding their personal information.

1. 1) Data Protection Officer : IT Service Planning Specialist, Park Byung Ah (mwave.shop@cj.net)
2. 2) Responsible Person : Live Entertainment Planning, Chang Kyung Ah (mwave.shop@cj.net)

If you need to consult on or report an infringement of your personal information, please contact the data protection officer and the responsible person by phone or e-mail, or contact the following institutions.

• - Personal Information Infringement Report (http://privacy.kisa.or.kr / 118 without an exchange number )
• - Cyber Investigation Division of the Supreme Prosecutors’ Office (http://www.spo.go.kr / 02-3480-3571)
• - Cyber Security Bureau of the National Police (http://cyberbureau.police.go.kr / 182 without an exchange number)
• - Personal Information Dispute Mediation Committee (http://kopico.go.kr / 02-2100-2499)

7. Provision of Personal Information to Third parties

The Company uses each user’s personal information only within the scope specified in the “Terms of Service” or this “Privacy Policy,” and does not use personal information beyond the specified scope or provide it to a third party unless there is prior consent from the user or when requested or permitted according to the regulations and procedures set by relevant laws and regulations.

8. Outsourcing of the Processing of Personal Information

The Company outsources the processing of personal information, such as management of service user agreements, provision of after-sales services, and performance of any other incidental business, for greater user convenience and better management. All outsourced processors of personal information are strictly bound, through outsourcing contracts, to the obligations to: (i) comply with relevant laws, regulations and guidelines; (ii) protect and keep confidential the personal information to which they have access, (iii) not disclose the personal information to any third party, (iv) be liable for any accident regarding that personal information, and (v) return or destroy the personal information immediately upon expiry of the outsourcing contact period.
The Company requires outsourced processors to take all mandatory or necessary measures to protect the personal information transferred to them, and remains liable for any damage users may suffer that is attributable to willful misconduct or negligence of the outsourced processor(s).

※ Please note that we do not receive money or other valuable consideration from the outsourced processor in return for the outsourcing of the processing of personal information.

9. Rights of Data subjects

Pursuant to the Personal Information Protection Act of Korea, users will have the following rights as data subjects (For residents in California, the “Supplemental Notice for California Consumers” will apply which is attached to the end of this Privacy Policy) :

1. 1) Users may at any time request access to or correction or deletion of their personal information. Select “Change Personal Information” on “My Page” on our website to directly access, correct or delete your personal information or contact the data protection officer, responsible person, or the customer service center by mail, email or phone, upon which we will process your request without delay after verifying your identity.
   Access to or correction of personal information may be restricted or denied in the following cases:
   
   • - Access is restricted or prohibited under special provisions of law or in order to comply with the law; or
   • - There is a risk of harm to life or body of another person or of unfair infringement on the property rights or other interests of another person.
     Requests for deletion of personal information are not granted if any law or regulation provides that the relevant personal information can be collected.
     Additionally, the Company may reject a request for suspension of the processing of personal information in the following cases:
   • - Such rejection is required under special provisions of law or to comply with our duties under law;
   • - There is a risk of harm to life or body of another person or of unfair infringement on the property rights or other interests of another person; or
   • - It is difficult to fulfill the contract with the data subject, such as not being able to provide the service agreed with the data subject if personal information is not processed, and the data subject has not clearly expressed the intention to terminate the contract.
2. 2) Users may withdraw their consent to the collection, use, and provision of their personal information, and request deletion or suspension of the processing of their personal information.
   To withdraw your consent, delete or suspend the processing of your personal information, click “Change Personal Information” or “Membership Withdrawal” on “My Page” on our website or contact the customer service center, upon which we will process your request without delay after verifying your identity.

10. Restrictions on Children’s Use of the Service

The Service does not accept registration for membership of children under the age of 14 (in Korea) / 16 (outside Korea) who require the consent of their legal representative for collecting and using their personal information. Entering false birth dates when registering for the Service constitutes a violation of the Company’s terms of the Service for which the Company is not responsible. If a child under the aforementioned age has created an account, the legal representative is strongly advised to request deletion or temporary suspension of the account through the [Customer Service] Account deletion requests can be canceled within 30 days through the customer center.

11. Technical and Managerial Protection of Personal Information

The Company has implemented the following technical and managerial safeguards to protect users’ personal information from loss, theft, leakage, alteration or damage.

• 1) Technical measures
  
  1. A. Personal information is protected by a password, and important data is protected through separate security functions, such as file and transmitted data encryption or use of the file lock function.
  2. B. Antivirus software is used to prevent damage from computer viruses. Antivirus software is updated periodically, and in the event of a sudden virus outbreak, the vaccine for the virus is introduced and applied as soon as it is released to prevent infringement of personal information.
  3. C. SSL, a security protocol, has been adopted to help ensure personal information is transmitted safely through the network.
  4. D. In order to prevent leakage of users’ personal information by hacking or other unauthorized access, the system is maintained in an area where access from outside is restricted, with intrusion-blocking devices in use.
• 2) Managerial measures
  
  1. A. The Company has procedures in place needed for appropriate management of and access to users’ personal information. Company officers and employees are required to understand and comply with these procedures and compliance is monitored regularly.
  2. B. The Company keeps the number of persons who can process users’ personal information to a minimum, controls access rights, and ensures compliance with laws and policies through education and training. Persons who process users’ personal information are the following:
     • • Persons who deal directly or indirectly with users as they handle business;
     • • The data protection officer, responsible person, and others engaged in personal information management and protection duties; and
     • • Others who need access to users’ personal information to engage in their work duties.
  3. C. The Company requires new employees to sign an information protection pledge, reminds all of its employees from time to time of their duty to protect personal information, and has in place internal procedures to audit their compliance with such duties to prevent leakage of personal information by its employees.
  4. D. The handover of duties of personal information manager takes place under strict security, and responsibilities for personal information incidents are clearly defined for both current and former employees.

12. Amendment of this Privacy Policy

This Privacy Policy may be subject to additions, deletions or amendments for a variety of reasons, including enactment of new or amendment of existing law, and changes made to government policy or applicable security technology. Any amendment of this Privacy Policy will be posted in advance on the Company’s website.

• - Current version: 1.0
• - Date of notice: 24.08, 2021
• - Effectve as of: 24.08, 2021

※ Supplemental Notice for California Consumers

1. Notice of Collection and Use of Personal Information

1. 1) During the 12-month period prior to the effective date of this privacy policy, the Company may have collected the following categories of personal information about you :
   

   Information you provide directly to us :

   • - Real name, alias, postal address, email address, account name, or other similar identifiers
   • - Personal information listed in the California Customer Records statute (Cal. Civ. Code §1798.80): Name, address, telephone number, credit card number, debit card number, or any other financial information. (Some personal information included in this category may overlap with other categories.)
   • - Protected classification characteristics under California or federal law : Age, national origin, citizenship, sex.
   • - Commercial information : products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies

   Information we collect automatically:

   • - Internet or other similar network activity : Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement, Internet Protocol address, or unique personal or online identifiers
   • - Inferences drawn from other personal information to create a profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
     We may also receive the categories of information described above from other sources, including from internet service providers and data analytics providers.
2. 2) The Company may use the categories of personal information listed above for the following purposes:
   1. - User registration and use of Mwave, product purchase services
   2. - Receipt of notices related to the use of services
   3. - Prevention of improper/unauthorized use of services
   4. - Responding to inquiries/complaints related to services
   5. - Statistical analysis and research for service improvement and optimization development
   6. - Purchase/delivery of products
   7. - Participation in events/prize draws
   8. - Receipt of notices related to User verification and events/prize draws, processing of related complaints
   9. - Award and delivery of gifts/prizes due to event participation, receipt of related notices and processing of complaints
   10. - Notices related to various events
   11. - Individualized targeting advertisements and various marketing activities

2. Disclosure of your personal information

1. 1) During the 12-month period prior to the effective date of this privacy policy, the Company may have shared your personal information with certain categories of third parties, as described below.
   • - Vendors that provide services on our behalf (e.g. shipping company, payment company)
   • - Advertising networks
   • - Business partners
   • - Internet service providers
   • - Data analytics providers
   • - Professional services organizations, such as auditors and law firms
   • - Social networks
     The categories of personal information disclosed in this way are as shown in 1.1) above.
     The Company does not sell personal information of members residing in California that was collected through the Mwave Website.

3. Privacy Rights for California Consumers

Members who are California residents may have various rights related to their personal information, and will not receive discriminatory treatment with regards to using the Website for exercising such rights.

1. 1) Access
   Members who are California residents may exercise their right to request access to personal information collected via Mwave Website related to matters described below. However, the Company may deny such request to access if permitted under the CCPA.
   1. (1) Categories of personal information the Company has collected about you over the past 12 months and categories of sources from which the personal information was collected
   2. (2) Business or commercial purpose(s) for the Company’s collection of your personal information
   3. (3) Categories of personal information the Company discloses for a business purpose, and categories of third parties with whom the Company has shared your personal information
   4. (4) Specific pieces of personal information the Company has collected about you
      If you wish to request such access to your personal information, please do so by using the following link. [Customer Service] The Company will need to verify your identity in order to fulfill such request. The Company will do so in accordance with the applicable law. Also, you may request to exercise your right to access using the following email address: [mwave.shop@cj.net].
2. 2) Deletion
   Members who are California residents may exercise their right to request deletion of their personal information. However, the Company may deny such deletion request if permitted under the CCPA. When members who are California residents request deletion, the Company permanently deletes all personal information of members by membership withdrawal. Therefore, in order to use the Website after deletion of personal information, you must register again to the Website. Please note that registration will be prohibited for 7days after withdrawal in order to prevent improper use of the Company’s services.
   If you wish to request such deletion of your personal information, please do so by using the following link. [Deletion]The Company will need to verify your identity in order to fulfill such request. The Company will do so in accordance with the applicable law. Also, you may request to exercise your right to deletion using the following email address: [mwave.shop@cj.net].
3. 3) Opt-Out of Sale
   The Company does not sell personal information of members residing in California that was collected through the Mwave Website. If the Company sells personal information in the future, members will be notified in advance, and members residing in California will have the right to opt-out of the sale of their personal information.
4. 4) Shine the Light Request
   The Company does not share personal information with third parties for their direct marketing purposes.
5. 5) Eraser Law Request
   If you are a California resident under the age of 18 and are a registered user of the Website, then you may request that we remove any submission you publicly posted on or in the Website. To request removal of a submission, please email a detailed description of the submission to [Customer Service]. You may also be able to log into your account and delete your own submission. The Company reserves the right to ask you to provide information that enables us to confirm that the submission in question was created and posted by you.

※ You may appoint an authorized agent to exercise your rights on your behalf. In order for the Company to honor a request made by your agent, you must submit proof of your written authorization of the agent. The Company may also require you to verify your own identity with the Company consistent with the verification procedures described above.