Article 1 Purpose of Processing Personal Information, Items Processed, and Retention/Usage Period

In accordance with the 「Personal Information Protection Act」, MIRI D.I.H collects and uses personal information only to the minimum extent necessary for providing its services. 1. Cases when Consent from the data subject is not obtained MIRI D.I.H processes the following personal information items without obtaining the data subject’s consent.

2. Cases when Consent from the data subject is obtained MIRI D.I.H processes the following personal information items after obtaining the data subject's consent.

Article 2. Personal Information of Children Under 14 Years of Age

Miri.DIH Co., Ltd. (“the Company”) does not collect or process personal information of children under the age of 14 for the provision of its services.

Article 3. Period of Processing and Retention of Personal Information

① MIRI D.I.H processes and retains personal information within the period of retention and use of personal information stipulated by law or agreed upon by the data subject at the time of collection. ② The specific processing and retention periods for each type of personal information are as follows: 1. Website Membership Registration and Management: Until membership withdrawal. However, in the following cases, until the reason for retention ceases to exist: 1) If an investigation or inquiry is underway due to a violation of relevant laws, until the said investigation or inquiry is concluded. 2) If any claims or debts remain from the use of the website, until the settlement of said claims or debts. 2. Provision of Goods or Services: Until the supply of goods/services is complete and payment/settlement is finalized. However, in the following cases, until the specified period ends: - Records on contracts or withdrawal of offers: 5 years (「Enforcement Decree of the Act on Consumer Protection in Electronic Commerce, etc.」 Article 6, Paragraph 1, Subparagraph 2) - Records on payment and supply of goods: 5 years (「Enforcement Decree of the Act on Consumer Protection in Electronic Commerce, etc.」 Article 6, Paragraph 1, Subparagraph 3) - Records on consumer complaints or dispute resolution: 3 years (「Enforcement Decree of the Act on Consumer Protection in Electronic Commerce, etc.」 Article 6, Paragraph 1, Subparagraph 4) - Records on display and advertising: 6 months (「Enforcement Decree of the Act on Consumer Protection in Electronic Commerce, etc.」 Article 6, Paragraph 1, Subparagraph 1) 3. Retention of communication confirmation data in accordance with Article 15-2, Paragraph 2 of the 「Protection of Communications Secrets Act」 - Computer communication, internet log records, access point tracking data: 3 months

Article 4. Procedure and Method of Personal Information Destruction

① MIRI D.I.H will destroy the relevant personal information without delay when it becomes unnecessary, such as upon the expiration of the retention period or the achievement of the processing purpose. ② If personal information must be retained in accordance with other laws, even after the retention period agreed upon by the data subject has expired or the processing purpose has been achieved, the said personal information will be transferred to a separate database (DB) or stored in a different location. ※ The items of personal information to be retained and the legal basis for retention can be found in 'Article 3. Period of Processing and Retention of Personal Information'. ③ The procedure and method of personal information destruction are as follows: 1. Destruction Procedure MIRI D.I.H selects the personal information for which a reason for destruction has occurred and destroys it with the approval of MIRI D.I.H 's Chief Privacy Officer. 2. Destruction Method MIRI D.I.H destroys personal information recorded and stored in electronic file format in a way that the records cannot be reproduced. Personal information recorded and stored in paper documents is shredded with a shredder or incinerated.

Article 5. Provision of Personal Information to Third Parties

MIRI D.I.H processes the personal information of data subjects only within the scope specified in the purpose of processing personal information. Personal information is provided to third parties only in cases falling under Articles 17 and 18 of the 「Personal Information Protection Act」, such as with the consent of the data subject or special provisions of the law. Otherwise, the data subject's personal information is not provided to third parties.

Article 6. Entrustment of Personal Information Processing

① For the processing of personal information, MIRI D.I.H entrusts the following personal information processing tasks:

② When concluding an entrustment agreement, in accordance with Article 26 of the 「Personal Information Protection Act」, MIRI D.I.H specifies in documents such as the contract matters concerning the prohibition of processing personal information for purposes other than performing the entrusted task, technical and administrative protection measures, restrictions on re-entrustment, management and supervision of the trustee, and liability for damages, and supervises whether the trustee processes personal information securely. ③ In accordance with Article 26, Paragraph 6 of the 「Personal Information Protection Act」, if the trustee re-entrusts MIRI D.I.H’s personal information processing tasks, they must obtain MIRI D.I.H 's consent, and MIRI D.I.H disclose the re-trustee and the content of the re-entrusted tasks through this Privacy Policy. ④ If the content of the entrusted task or the trustee changes, MIRI D.I.H will disclose it through this Privacy Policy without delay.

Article 7. Measures to Ensure the Security of Personal Information

MIRI D.I.H takes the following measures to ensure the security of personal information: 1. Administrative Measures: Establishment and implementation of an internal management plan, regular employee training, operation of a dedicated organization. 2. Technical Measures: Management of access rights to the personal information processing system, installation of an access control system and other related protective measures, internet network blocking measures, encryption of personal information, storage and inspection of access records, installation and updating of security programs, inspection and supplementation of vulnerabilities in the personal information processing system. 3. Physical Measures: Access control for computer rooms, data storage rooms, etc., storage of documents and auxiliary storage media in a secure location with a locking device, safety measures against disasters and calamities, control of the entry and exit of auxiliary storage media.

Article 8. Matters Concerning the Installation, Operation, and Opting out of Automatic Collection Devices for Behavioral Information

① To provide personalized services and convenience to data subjects, MIRI D.I.H uses 'cookies' that store and frequently retrieve usage information. ② A cookie is a small amount of information that the server (http) used to operate the website sends to the data subject's browser. It is stored on the data subject's computer or mobile device and is automatically transmitted to the server from the data subject's browser when accessing the website. ③ Data subjects can configure their browser options to allow or block cookies. ▶ Allowing/Blocking Cookies in a Web Browser ･ Chrome: Select the '⋮' icon at the top right of the web browser > New Incognito window (Shortcut: Ctrl+Shift+N) ･ Edge: Select the '...' icon at the top right of the web browser > New InPrivate window (Shortcut: Ctrl+Shift+N) ▶ Allowing/Blocking Cookies in a Mobile Browser ･ Chrome: Select the '⋮' icon at the top right of the mobile browser > New Incognito tab ･ Safari: Go to device Settings > Safari > Advanced > Block All Cookies ･ Samsung Internet: Select the 'Tabs' icon at the bottom of the mobile browser > Turn on Secret mode > Start

Article 9. The Rights of the Member and Their Legal Representative, and Means of Their Exercise

① Data subjects may, at any time, request Miri.DIH Co., Ltd. (“the Company”) to allow access to, transfer, correct, delete, suspend the processing of, or withdraw consent to the use of their personal information (hereinafter referred to as “exercise of rights”). ※ For children under the age of 14, the exercise of rights must be carried out directly by their legal representative. For minors aged 14 or older, the data subject may exercise rights regarding their personal information directly or through their legal representative. ② In accordance with Article 41(1) of the Enforcement Decree of the Personal Information Protection Act, data subjects may exercise their rights through written requests, telephone, email, fax, or via the Company’s website. The Company will take necessary measures without delay in response to such requests. Data subjects may, at any time, directly view, modify, delete, suspend processing of, or withdraw consent to the use of their personal information via “Name > Edit My Information” located at the top-right corner of the website, or request access through the “Help icon (question mark)” at the bottom-right corner of the website. Data subjects may also refuse automated decision-making and request an explanation at any time through the “Help icon (question mark)” located at the bottom-right corner of the website. ③ The exercise of rights may also be carried out through a legal representative or an agent authorized by the data subject. In such cases, a power of attorney must be submitted in accordance with the form provided in Annex Form No. 11 of the “Guidelines on the Processing of Personal Information.” ④ The right of the data subject to request access to and suspension of personal information processing may be restricted pursuant to Article 35(4) and Article 37(2) of the Personal Information Protection Act. ⑤ If the personal information is explicitly designated as a subject of collection under other applicable laws, the data subject cannot request its deletion. ⑥ The Company verifies whether the person exercising the rights is the data subject themselves or a duly authorized representative. ⑦ Data subjects may exercise their rights by contacting the department below. The Company will respond within 10 days from the date of receiving the request for exercising rights (immediately in the case of requests for data transfer). ▶ Department for Receiving and Handling Requests to Exercise Personal Information Rights Department: Design Request Team Address: TP Tower, 8F, 13F, 14F, 17F, #1004, 12 Digital-ro 31-gil, Guro-gu, Seoul, Republic of Korea Contact: <070-4355-4884>, creative@miridih.com

Article 10. Chief Privacy Officer & Responsible Personnel

① MIRI D.I.H has designated the following persons as the Chief Privacy Officer and Personal Information Manager to remain responsible for responding to Data subjects' inquiries regarding personal information and resolving any related complaints. ▶ Chief Privacy Officer Name: Heo Yeong Min Position: COO Contact: <070-4355-4884>, <creative@miridih.com> ▶ Personal Information Protection Department Department Name: Design Request Team Contact: <070-4355-4884>, creative@miridih.com ② For any privacy-related questions, complaints, or concerns that arise while using MIRI D.I.H 's services, data subjects can contact the Chief Privacy Officer and the Privacy Department. MIRI D.I.H will respond promptly to all inquiries.

Article 11. Remedies for Infringement of Rights

Data subjects may seek remedies and consultations for personal information infringement at the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency's Personal Information Infringement Report Center, etc. For other reports and consultations on personal information infringement, please contact the institutions below. 1. Personal Information Dispute Mediation Committee: (no area code) 1833-6972 (www.kopico.go.kr) 2. Personal Information Infringement Report Center: (no area code) 118 (privacy.kisa.or.kr) 3. National Police Agency: (no area code) 182 (https://ecrm.police.go.kr/minwon)

Article 12. Changes to the Personal Information Processing Policy

① This Privacy Policy takes effect starting from October 15, 2025. ② Previous versions of the Privacy Policy can be found below. ･ Effective period: February 8, 2024 – October 14, 2025 (View more) ･ Effective period: December 22, 2022 – February 7, 2024 (View more)

Supplementary Terms

The following additional terms apply respectively to users having residence in or nationality of certain countries. In the event of any conflict between the following additional terms and the provisions of the main body of this Policy, the following terms shall prevail. The Company shall try to comply with any legal regulation of countries which may be applied to the User and the Company. 1. For Users Having Usual Residence in European Union The purpose and basis of personal information processing The Company uses the collected personal information only for the purposes stated in Article 3, gives the User advance notice of this fact, and seeks the User's consent. Also, in accordance with the GDPR etc., the Company may process the User's personal information if any one of the following applies: (1) The data subject consented; (2) It is for the conclusion and performance of a contract with the data subject; (3) It is to comply with legal requirements; (4) Processing is necessary for the crucial interest of the data subject; or (5) It is for the pursuit of the Company's legitimate interests (the foregoing does not apply where the data subject's interests, rights, or freedoms are more important than the interests pursued by the Company). The guarantee of the rights of the User who uses the Company's services within the European Union (EU) According to the GDPR etc., the User may request the Company to transfer their personal information to a different manager, and may also refuse the processing of their personal information. Furthermore, the User retains the right to bring grievances on the processing of their personal information before the personal information protection authorities. Meanwhile, the Company may use personal information to provide marketing such as events or advertisement to the User and seeks the User's consent in relation to the foregoing; the User may at any time withdraw their consent if such marketing is not desired. The User may request the foregoing requests by means such as telephone, email, documents etc.; the Company will act on such request without delay once it is filed. If modification or correction is requested for errors in the User's personal information, the Company will not use or provide such personal information of the User until such matter is modified or corrected. Personal Information of Children For the Users having usual residence in EU (including UK, Switzerland), the Company’s services is designed for a general audience and is not directed towards children. In connection with the Company’s service, the Company does not knowingly collect or maintain personal information from anyone under the age of sixteen (16) or knowingly allow such persons to use the Company’s service. If you are under sixteen (16), please do not attempt to register for the Company’s service or provide the Company with any personal information. If the Company learns that a person under the age of sixteen (16) has provided the Company with any personal information, the Company shall promptly delete such personal information. If you believe that a child under age sixteen (16) may have provided the Company with personal information, please contact the Company using the information specified in the Policy. 2. For Users Having Usual Residence in California, and Virginia, United States If the Users reside in California and Virginia, certain rights may be given. The Company shall prepare preventive measures necessary for protecting personal information of Users so that the Company may comply with California Privacy Rights Act of 2020 (hereinafter referred to as “CPRA”) and Virginia Consumer Data Protection Act (hereinafter referred to as “VCDPA”) when necessary. 3. For Users Having Usual Residence in Japan Use of Personal Information of Users The Company process the User’s personal information when this is necessary under the Company’s agreement with the User, to provide Users with the Company’s service, and specific features users select when using the Company’s service, which may require personalizing the content of the Company’s service mainly regulated in Article 3 of this Policy. Provision and Outsourcing of Personal Information of Users Article 7 and 8 of this Policy shall be applied on the provision and outsourcing of personal information of Users