PRIVACY POLICY

GENERAL PROVISIONS

CJ ENM Co., Ltd. (the “Company”) gives priority to protection of personal information and it is always doing its utmost to protect personal information of users.
The Company observes the Act on Promotion of Information and Communications Network Utilization and Information Protection and other rules and regulations related to protection of personal information as well as this Privacy Policy.

This Privacy Policy allows the Company to inform users of the purpose and method of using their personal information and the measures for protection of the personal information.
This Privacy Policy will be posted on the Company’s Mwave mobile application or website so that the users can refer to it anytime.

This Privacy Policy includes the following contents:

1. A. Items of personal information to be collected and methods of collection
2. B. The purpose of using personal information
3. C. Consent to collection of personal information
4. D. Consent to disclosure of the collected personal information to authorized third parties
5. E. Entrustment of the handling of personal information
6. F. The period of retention and the procedures and method of destruction of personal information
7. G. The right of user and his or her legal representative and the method of exercising such right
8. H. Collection of personal information by cookie
9. I. Personal data protection for children under 14 years of age
10. J. Technical and managerial measures for protection of personal information
11. K. Person in charge of protection of personal information
12. L. Report of privacy infringements
13. M. Effective date; Obligation to notify any change in policy

A. Items of personal information to be collected and methods of collection

The Company collects and utilizes the minimum amount of personal information of the user required for the purpose of authentication of user, payment of services, shipment and provision of the customized service to the user by utilizing the personal information as marketing materials for statistics and analysis. Specifically, users may sign in Mwave mobile application or website only through a third-party social media service account only.

1. Items of personal information to be collected and the purpose of collection

1. ① Nickname information in regards to each user’s social media account: to be used in the process of authentication of users for access to membership service
2. ② Address: to be used to ship purchased products or giveaways, when applicable

2. Description of information to be collected

1. ① Required items: nickname in relation to each user’s social media account and address, if provided by each user in case of purchase of goods on Mwave mobile application or website
2. ② Optional items: no information (other than nickname) will be collected by the Company in the course of registration procedures, even if users elect to decide to disclose certain optional items in their discretion
3. ③ Other information on transaction and personal preference collected during the process of users' using Mwave mobile application or website or Company's doing the business, service using record, data access log, cookie, IP address, records of payment, suspension of membership, withdrawal from the membership and etc.
4. ④ Cell phone information while using the mobile service: cell phone model number, carrier information, hardware ID, provided that the cell phone information is in a format that cannot be used for personal identification and the Company does not participate in any activities to identify individuals using the collected data.

3. The method of collection

1. ① The personal information may be collected from the select social media service companies on which each user has a social media account used to sign in Mwave mobile application or website.
2. ② The personal information may be collected through homepage, written document, telephone, Q&A bulletin board, registration for giveaway event, shipping request and etc.
3. ③ The personal information may be provided by the Company's affiliated partners
4. ④ The personal information may be collected through a program that analyzes the log
5. ⑤ The personal information may be collected through cookie

B. The purpose of using personal information

The Company utilizes the personal information collected for the following purposes.

1. The Company’s legitimate interests

For provision of the Company’s services to users regarding Mwave mobile application or website or the Company’s general business, including (without limitation):
1. ① to set up and administer users’ accounts and provide technical and customer support;
2. ② to administer the Company’s relationship with users and the Company’s business;
3. ③ to protect the Company’s network security and IT systems and to prevent fraudulent use; and
4. ④ to meet the Company’s internal and external audit requirements and to comply with legal requirements applicable to the Company.

2. Users management

For user authentication of membership service, personal identification, prevention of illicit use or unauthorized use by fraudulent user, confirmation of a user's intent to join, enrollment or limitation of the number of enrollment, maintenance of records for conflict resolution, customer service including recourse and redress, and sending notification

3. Fulfillment of a contract

For performance of the Company’s contractual obligations to users, including (without limitation) delivery of purchased albums or other goods

Personal Information Items	Purposes of Collection and Use	Retention and Usage Period
Name	Process of purchase order and delivery of goods	Until purposes of collection and use are achieved, whereupon each item being immediately destroyed
Address
Phone Number
E-mail	Notification about progress and status of purchase order
* Users may refuse to provide or allow use of the said personal information items, but in such instance, process of purchase order and delivery of goods may not be completed.

C. Consent to collection of personal information

The Company collects the minimum amount of personal information required for the execution and performance of service use agreements by using legal and fair methods. When the Company collects a user’s identification information, it must receive the user’s prior consent according to the following legal procedures. As to the collection of the personal information, the Company gives notification to the users in accordance with this Privacy Policy. When the user clicks on the “agree” button, it is deemed as the user’s consent to the collection of personal information. The Company studies the distribution of users and their interests and patterns of behavior based on server log files of the Company or its own research. The purpose is to learn more about its users and provide high-quality service to users. The information from these studies is thoroughly collected and analyzed, but does not contain the information, which can recognize the identification of individual user.

D. Consent to disclosure of the collected personal information to authorized third parties

The Company shall not utilize the personal information or provide it to a third party, other companies, or organizations beyond the purpose stipulated in this Privacy Policy, except for cases where the user’s consent is already obtained or the disclosure of personal information is inevitable for the purpose of taking legal measures due to their violation of the Company’s policy and management regulations, or responding to a request from the relevant governmental institutions. If the Company wishes to provide (or share) additional personal information beyond the designated purpose of this Privacy Policy, it shall give a notification to each user by means of the Terms of Use, the Privacy Policy, electronic mails or a written document about to whom or to which business the information is provided to, the items of personal information to be provided, the purpose of provision of personal information and receive the prior consent from the user.

However, personal information can be provided without the user’s consent according to relevant provisions in the laws in the following cases:

1. 1. Where it is necessary for charge of payment for the Company’s services or goods
2. 2. Where it is necessary for statistics, academic studies or market research, but the information shall not directly or indirectly identify users
3. 3. Where it is allowed by special provisions in Law of Real Name Financial Transaction, the Use and Protection of Credit Information Act, Telecommunications Basic Act,
   Telecommunications Business Act, Local Taxes Law, Customers Basic Act, Law of Bank of Korea or the Criminal Procedure Code or other applicable laws.

E. Entrustment of the handling of personal information

The Company delegates the handling of personal information necessary for payment and customer service to external companies for the Company’s service as described below.

Entrusted Company	Entrusted Operations	Entrusted Purposes	Shared Information
Reve Co.Ltd	Customer guidance and CS customer service systems operation	Customer service center operation	Social media account information, address
Reve Co.Ltd	Shipping agency services	Delivery of goods for the event	Social media account information, address
PayPal	Payment processing for the purchase of a paid product	Payment processing & prevention of payment misappropriation	Social media account information, address
KG Inisis	Payment processing for the purchase of a paid product	Payment processing & prevention of payment misappropriation	Social media account information, address

F. The period of retention and the procedures and method of destruction of personal information

When personal information becomes obsolete due to the achievement of the purpose of collecting and handling personal information, the Company shall immediately destroy such information.

1. The list of information to be destroyed

1. ① Information provided when signing up for membership: It should be destroyed when the user withdraws from his or her membership or whose membership is revoked
2. ② If information other than the membership information, such as bank account information, was collected for the purpose of payment of refund it should be destroyed after the payment or refund
3. ③ If address was collected for shipping, it should be destroyed after the purpose is achieved

2. However, the personal information of a user can be retained even after the purpose was achieved in exceptional cases required by the Commercial Law or other laws

1. ① Where retention is inevitable due to the provisions in Commercial Law, Protection of Users of Digital Contents and other relevant laws.
   • - Information in regards to consenting or withdrawing the contract: 5 years
   • - Information in regards to payment settlements and supply of goods: 5 years
   • - Information in regards to handling of customers’ complaints and disputes: 3 years
2. ② Where the Company already notified the user of the period of retention through proper procedures
3. ③ Where the Company received consent from an individual user
4. ④ Where the Company retains the information for thirty (30) days to consult with users or to prevent additional loss to users

3. The method of destruction

1. ① Personal information printed in document: It shall be destroyed by shredder
2. ② Personal information saved as electronic file: It shall be destroyed with technical method which disables the recovery or reproduction of such personal information

G. The right of user and his or her legal representative and the method of exercising such right

1. Accessing the account information and the method of modification of information users

If users request correction of error in the account information, the Company will not use or provide the personal information to others before such information is modified. In case where the Company already provided the personal information with error to a third party, it will immediately notify the third party of the modified information. However, if there is reasonable ground to refuse a user's access or request for correction of part or all of the personal information, the Company may immediately notify users of such refusal and provide its basis for such refusal.

In the following exceptional cases, however, the Company may refuse users to access or modify the personal information without notice.

1. ① Where there is a risk of remarkable harm to the user him or herself or to the third party’s life, body, property or right.
2. ② Where there is a chance of remarkable interruption to the service provider’s business
3. ③ Where there is a violation of laws and regulations

2. Retraction of users’ consent and the method of withdrawal from membership

Users may anytime retract their consent to the collection, use, and provision of personal information that they provided at the time of signing up membership. Retraction of consent and withdrawal from membership may limit use of certain feature of Mwave mobile application or website. When users wish to retract their consent (or withdraw from membership), they can click on the “withdrawal from membership” option on the company's website and directly apply for withdrawal. (For Mwave application, click “Settings” and then click “withdrawal from membership” button on the bottom of the screen.) Or, they may contact the person in charge of managing personal information by phone or electronic mail, and then the Company shall immediately commerce with necessary measures.

H. Collection of personal information by cookie

The Company manages “cookie” which frequently saves and finds personal information of users.
Cookie is a small text file sent by the server used to run the website or mobile services of the Company to the browser of users and it is saved in the hard disk of users’ devices (PC Smartphone, tablet PC, etc).
Cookie may contain the information of websites that users visited and users’ personal information. Users have the right to choose the installation of cookie. By setting the options on web browsers, users may enable cookies completely, request it to ask the consent whenever cookies save data or disable cookies completely so that they are always blocked.
However, if users disabled cookies completely, they might experience some difficulty in fully utilizing the Company’s services.

1. Allowing installation of cookie (Internet Explorer)

1. ① Click “Internet Options” under “Tools” menu
2. ② Click “Privacy Tab”
3. ③ Set “Personal Information Protection Level”

2. Viewing cookies (Internet Explorer)

1. ① Click “Tools” menu in task bar
2. ② Click “Internet Options”
3. ③ Click “Settings” in general tab
4. ④ Select “View Files”

3. The purpose of using cookie

The personal information gathered through cookie is used in providing customized information tailored to the users’ interest areas, target marketing by analyzing users’ preferences and interest areas through frequency of access and length of use by members and non-members, and customized service through users’ habits in utilizing the Company’s service, improving the Company’s service tailored to users’ preferences and posting on bulletin board.

I. Personal data protection for children under 14 years of age

The Company will make every efforts to comply with legal requirements regarding protection of underage users. Children under 14 years of age (so called ‘minor’) shall need consent from a legal representative (parent) to create and use social media accounts which are necessary to sing-in the Company’s Mwave mobile application or website. For more information, please contact the customer center of each social media service company. (In addition and without prejudice to the foregoing, the Company will comply with the applicable laws and regulations to protect juveniles from media products harmful to juveniles. In this regard, please refer to the Company’s Youth Protection Policy separately posted on Mwave mobile application or website.)

J. Technical and managerial measures for protection of personal information

The Company implements technical and managerial measures for protection of personal information. It also provides its employees with education about personal information protection and does its utmost to prevent the loss from leakage of personal information by limiting the minimum number of employees who can access to the personal information

1. Technical measures

In managing the personal information, the Company takes the following technical measures to prevent loss, theft, leakage, falsification, or destruction of personal information and to secure the safety of its user's personal Information:

1. ① Users’ personal information is being controlled by the internal network, which cannot be accessed or invaded by the external network
2. ② The important data is strictly protected through individual security functions such as encrypting a file or data or using a lock function
3. ③ The Company uses vaccine programs to protect its system from computer virus. Vaccine programs are updated periodically. If a sudden viruses appears, the Company immediately installs a new vaccine program in order to prevent invasion of personal information
4. ④ The Company adopts a security system that allows personal information to be safely transmitted on the network through a cryptographic algorithm
5. ⑤ The Company first encrypts the important personal information of users such and stores them
6. ⑥ The Company is strengthening its security by installing access-control systems in each server

2. Managerial measures

1. ① To securely protect personal information, the Company operates under the authorization of its information protection management system and other authorizations provided by external specialized agencies for its major system and facilities
2. ② The Company prepares the necessary procedures for its employees’ access to personal information and management of personal information so that its employees can fully understand and conform to those procedures
3. ③ The company limits the minimum number of employees who can deal with personal information of users. Those who can deal with users’ personal information are limited to the lists below
   • - Those who directly or indirectly deal with the users and perform marketing tasks
   • - Those who are in charge of personal information management tasks (i.e. Personal Information Management Officer or Personal Information Protection Officer)
   • - Those who inevitably have to deal with personal information due to other tasks
4. ④ When the Company handles users’ personal information through the computer, it designates a person who is authorized to access to personal information
5. ⑤ For employees who deal with personal information, the Company provides regular internal education programs and external commissioned educations on new security technology and their obligations to protect personal information
6. ⑥ When the Company hires new employees, it obligates them to sign an Information Protection Pledge or Personal Information Protection Pledge in order to prevent potential leakage of information by the new employees. It also prepares internal procedures to check implementation of this Privacy Policy and supervises whether the employees comply with this Privacy Policy
7. ⑦ When employees leave the Company the Company obligates them to sign a Secrecy Declaration to prevent them from destroying invading or disclosing users’ personal information they learned from their work at the Company
8. ⑧ Duties and responsibilities of a person who dealt with personal information are transferred to a new person under strictly secured conditions. The Company clearly stipulates the employees’ responsibility for any disclosure of personal information after joining the Company and leaving the Company
9. ⑨ Data processing room and data storage room are designated as specially protected areas and the Company implements access management procedures such as the control of access to such areas

K. Person in charge of protection of personal information

In order to protect users’ personal information and handle their complaints related to the Company’s use of personal information, the Company designates the relevant department and Personal Information Management Officer as below. If you have any complaints in regards to personal information while using the service, please report it to the Personal Information Management Officer or Personal Information Protection Officer and we will get back to you right away.

- Personal Information Management Officer

• Name: Sang-Young Lee of Digital Media headquarter
• Telephone number: 1566-2226

- Personal Information Protection Officer

• Name: Sun-Young Na of Digital Media Headquarter
• Telephone number: 1566-2226

L. Report of privacy infringements

Contact the aforesaid person in charge of personal information by means of telephone or electronic mails to discuss or report any invasion of personal information, or contact the organizations shown below to file reports or seek consultation for other privacy infringements:

- Invasion of Personal Information Complaint Center, Korea Internet and Security Agency (KISA)

• Telephone: (no area code) 118
• Website: http://www.118.or.kr

- ePRIVACY Mark Certification Commission

• Telephone: 02-580-0533~4
• Website: http://www.eprivacy.or.kr

- Supreme Prosecutors’ Office High-Tech and Financial Crimes Investigation Division

• Telephone: 02-3480-2000
• Website: http://www.spo.go.kr

- National Police Agency Cyber Terror Response Center

• Telephone: 02-392-0330
• Website: http://www.ctrc.go.kr

M. Effective date; Obligation to notify any change

This Privacy Policy may be frequently modified by amendment of relevant laws and government policy and the Company’s internal policy. In cases where this Privacy Policy of the Company is amended, the Company notifies users of the amended policy at the website operated by the Company or by other methods. If you have any questions in regards to an amendment of this Privacy Policy, you may ask the Personal Information Management Officer or Personal Information Protection Officer or the customer service at the Company’s website.

1. - Current privacy policy effective as of 2020.03.27
2. - Previous privacy policy effective as of 2019.12.16