Personal Data Protection Act Policy

○ In accordance with the Personal Information Protection Act, iTrip ("" or hereinafter referred to as ‘company’) has the following policies to protect the personal information of customers as well as to protect their rights and interests in order to better manage and handle conflicts and matters relating to personal data.
○ When the company revises its Personal Data Protection Act Policy, an announcement will be uploaded through the company website (and individual notification).
○ This policy will take effect from July 1, 2020.

Article 1 [Purpose of collecting personal information]
The company collects personal information for the following purposes: Personal information processed will not be used for any purpose other than the following purposes, and prior consent will be sought if the purpose of use is changed.
A. Providing goods or services
Personal information is collected for the purpose of providing services, contents, verification of identity and settlement of payment.
B. Member registration and homepage management
Personal information is processed for the sole purpose of identification for the provision of services to members, personal information for the purpose of identification and authentication, identification for the implementation of a limited system, prevention of illegal use of services, notification and notification, handling of grievances, and preservation of records for dispute settlement.
C. Handling disputes and complaints
Personal information is collected for the purpose of identification of those who filed for dispute claims, confirmation of dispute claims, to contact and notify for proof of evidence, and final notification of collection results.
D, Use for marketing and advertising
Personal information is collected for the purpose of developing new services and providing customized services, providing information for events and various promotions, as well as for services and advertising based on specific demographic characteristics, and to verify the validity of these services.

Article 2 [Duration of collection and retention of personal information]
Personal information file name: Safex user information
- Personal information item: Name, nationality, mobile phone number, email address
- Collection method: Through Safex homepage
- Basis for retention: Consent of customers to provide their information
- Retention period: 3 years
- Relevant statutes: Records on the collection, processing, and utilization of credit information, records on customer complaints or dispute handling, records on service payments and records on the withdrawal of contracts or member termination, etc.

Article 3 [Rights and obligations of customers]
The customer may exercise the following rights as the subject of personal information:

A. The information subject may exercise the right to view, correct, delete, or request suspension of collection of personal information to the company at any time.
B. The exercise of rights under paragraph (1) may be carried out by the company in writing, e-mail, or facsimile (FAX) pursuant to Article 41 (1) of the Enforcement Decree of the Personal Information Protection Act, and the company is permitted to take action without delay.
C. The exercise of rights under paragraph (1) may be carried out through an agent, such as a legal representative of the information subject or a delegated person. In such cases, a power of attorney in attached Form 11 of the Enforcement Rules of the Personal Information Protection Act shall be submitted.
D. Requests for personal information the access and suspension of collection/retention may restrict the rights of the customer pursuant to Articles 35 (5) and 37 (2) of the Personal Information Protection Act.
E. If the personal information is designated as the subject of collection by other statutes, the request for correction or deletion of personal information cannot be requested.
F. The company verifies that the person who made the request for perusal according to the right of the information subject, correction or deletion, or suspension of collection, will be designated as a legitimate agent.

Article 4 [Prohibits provision of personal information to a third party]
The company uses personal information within the scope notified for the purpose of collecting and using personal information, and does not use or provide it to third parties without prior consent from customers.

Article 5. [Provision of personal information based on prior consent etc]
A. Notwithstanding the prohibition of providing personal information to third parties, the company may provide personal information to third parties if the user discloses it in advance or agrees to the following matters: However, in this case, the company provides minimum personal information within the relevant statutes.
- Provide company partners with customer name and phone number information for the purpose of storing and locating luggage
- Provide company delivery partners with customer name and phone number information for luggage delivery
- Provide the company's overseas service partners with the customer's name and phone number information to store and deliver luggage as well as to search for luggage.
- In order for the company to store and find luggage for the customers, to provide the address, location, company name and phone number of the merchant
B. The company shall notify and seek the agreement of users/customers when there is a change in the third party provision contract or when the contract with the third party is terminated.
Article 6. Personal information manager and Consultation Report

In principle, the company destroys the personal information of customers immediately after the purpose of collection of personal information has been achieved. The procedure, disposal deadline and methods are as follows.
A. Disposal procedure
The personal information provided by the customer will be transferred to a separate DB after achieving the purpose (in case of paper, hard copy documents) and destroyed immediately after being stored for a period of time in accordance with internal policy and other relevant statutes. The personal information transferred to DB is not used for any other purpose except by law.
B. Duration of personal information retention
The personal information of the customer shall be destroyed within five days from the end of the retention period, or within five days from the date when it is deemed unnecessary to handle personal information, such as achieving the purpose of collecting personal information, terminating the relevant service, or closing the company.
C. Method of disposal
The use of electronic file-type information that uses technical methods which prevents the file from being opened/played.

Article 7 [Matters concerning installation, operation, and rejection of the mandatory collection of personal information]
The company operates 'cookie' that stores and retrieves customer information regularly. Cookie is a very small text file sent to internet browser by the server in order to run the website and is stored on your computer's hard disk. The company uses cookies in the following for valid reasons.
A. Purpose of using cookies, etc.

Target advertising marketing and personalized services are provided by analyzing the frequency of visit by members and non-members, identifying and tracking customer tastes and interests, and identifying the degree of participation in various events and the number of visits. Customers have the option of switching on or off their cookies. Therefore, customers can set options on their web browser to enable cookies, check each time which file the cookies are stored at, or have an option to refuse to store cookies.
B. Manage cookie settings
You can change your cookie settings and either choose the option in your web browser to allow cookies, check each time you save cookies, or decline to save cookies.

Example of how to set it up (for Internet Explorer): Tools at the top of the web browser > Internet Options > Personal information However, please note that if the customer refuses to install the cookie, it may be difficult to provide the service.

Article 8 [Personal Data Protection Officer]

A. The company is in charge of handling personal information and appoints a person in charge in managing personal data protection. The appointed office will handle complaints and devise solutions to conflicts and grievances related to collection of personal information.
[Personal Data Protection Officer]
Name: Shin Jae-gon
Designation: Team Leader
Department: Sales Planning and Management Team
Contact details: 070-7713-9558,
[Department in charge of Personal Data Protection]
Department name: Development team
Person in charge: Oh Kyu-jung
Contact details: 070-7713-9558,

B. Customers can contact the Personal Information Protection Officer and the department in charge regarding all personal data protection related inquiries, complaints, and issues etc. that occurred while using the company's services. The company will respond and process inquiries from the customers immediately. without delay. Article 9 [Change in Data Information Collection Policy]

The policy is applied immediately from the enforcement date, and if there is any addition, deletion, or correction of changes in accordance with statutes or policies, it will be notified 7 days prior to the implementation of the changes. Article 10 [Measures for safe collection of Personal Information]

In accordance with Article 29 of the Personal Information Protection Act, the company takes necessary technical, administrative and physical measures in ensuring the safe collection of Personal Information:
A. Conduct regular self-audit.
To ensure safe collection of personal information, the company conducts a self-audit on a regular basis (once a quarter).
B. Educate employees on managing personal information
The company implements measures to collect and manage personal information by designating specific employees to collect and manage personal information and limiting the number of Personal Data Officers.
C. Encryption of personal information
The customer's personal information is stored and managed by encryption, so only the customer has access to the password, and important data uses separate security functions such as encrypting files and transmission data or through the file lock function.
D. Restricting access to personal information
We take necessary measures to control access to personal information through granting, changing, and revoking access to the database system that processes personal information, and using the intrusion prevention system, the company controls unauthorized access from outside.
E. Access control to unauthorized personnel.
We have a separate physical storage area to store personal information, we establish and operate access control procedures User's consent
I have understood the contents of this policy and have given my consent of collecting personal information and providing it to third parties. I will tick on the consent column of this policy.