Article 1 Purpose of Processing Personal Information, Items Processed, and Retention/Usage Period

In accordance with the 「Personal Information Protection Act」, MIRI D.I.H collects and uses personal information only to the minimum extent necessary for providing its services. 1. Cases when Consent from the data subject is not obtained MIRI D.I.H processes the following personal information items without obtaining the data subject’s consent.

2. Cases when Consent from the data subject is obtained MIRI D.I.H processes the following personal information items after obtaining the data subject's consent.

Article 2. Personal Information of Children Under 14 Years of Age

Miri.DIH Co., Ltd. (“the Company”) does not collect or process personal information of children under the age of 14 for the provision of its services.

Article 3. Period of Processing and Retention of Personal Information

① MIRI D.I.H processes and retains personal information within the period of retention and use of personal information stipulated by law or agreed upon by the data subject at the time of collection. ② The specific processing and retention periods for each type of personal information are as follows: 1. Website Membership Registration and Management: Until membership withdrawal. However, in the following cases, until the reason for retention ceases to exist: 1) If an investigation or inquiry is underway due to a violation of relevant laws, until the said investigation or inquiry is concluded. 2) If any claims or debts remain from the use of the website, until the settlement of said claims or debts. 2. Provision of Goods or Services: Until the supply of goods/services is complete and payment/settlement is finalized. However, in the following cases, until the specified period ends: - Records on contracts or withdrawal of offers: 5 years (「Enforcement Decree of the Act on Consumer Protection in Electronic Commerce, etc.」 Article 6, Paragraph 1, Subparagraph 2) - Records on payment and supply of goods: 5 years (「Enforcement Decree of the Act on Consumer Protection in Electronic Commerce, etc.」 Article 6, Paragraph 1, Subparagraph 3) - Records on consumer complaints or dispute resolution: 3 years (「Enforcement Decree of the Act on Consumer Protection in Electronic Commerce, etc.」 Article 6, Paragraph 1, Subparagraph 4) - Records on display and advertising: 6 months (「Enforcement Decree of the Act on Consumer Protection in Electronic Commerce, etc.」 Article 6, Paragraph 1, Subparagraph 1) 3. Retention of communication confirmation data in accordance with Article 15-2, Paragraph 2 of the 「Protection of Communications Secrets Act」 - Computer communication, internet log records, access point tracking data: 3 months

Article 4. Procedure and Method of Personal Information Destruction

① MIRI D.I.H will destroy the relevant personal information without delay when it becomes unnecessary, such as upon the expiration of the retention period or the achievement of the processing purpose. ② If personal information must be retained in accordance with other laws, even after the retention period agreed upon by the data subject has expired or the processing purpose has been achieved, the said personal information will be transferred to a separate database (DB) or stored in a different location. ※ The items of personal information to be retained and the legal basis for retention can be found in 'Article 3. Period of Processing and Retention of Personal Information'. ③ The procedure and method of personal information destruction are as follows: 1. Destruction Procedure MIRI D.I.H selects the personal information for which a reason for destruction has occurred and destroys it with the approval of MIRI D.I.H 's Chief Privacy Officer. 2. Destruction Method MIRI D.I.H destroys personal information recorded and stored in electronic file format in a way that the records cannot be reproduced. Personal information recorded and stored in paper documents is shredded with a shredder or incinerated.

Article 5. Provision of Personal Information to Third Parties

MIRI D.I.H processes the personal information of data subjects only within the scope specified in the purpose of processing personal information. Personal information is provided to third parties only in cases falling under Articles 17 and 18 of the 「Personal Information Protection Act」, such as with the consent of the data subject or special provisions of the law. Otherwise, the data subject's personal information is not provided to third parties.

Article 6. Entrustment of Personal Information Processing

① For the processing of personal information, MIRI D.I.H entrusts the following personal information processing tasks:

② When concluding an entrustment agreement, in accordance with Article 26 of the 「Personal Information Protection Act」, MIRI D.I.H specifies in documents such as the contract matters concerning the prohibition of processing personal information for purposes other than performing the entrusted task, technical and administrative protection measures, restrictions on re-entrustment, management and supervision of the trustee, and liability for damages, and supervises whether the trustee processes personal information securely. ③ In accordance with Article 26, Paragraph 6 of the 「Personal Information Protection Act」, if the trustee re-entrusts MIRI D.I.H’s personal information processing tasks, they must obtain MIRI D.I.H 's consent, and MIRI D.I.H disclose the re-trustee and the content of the re-entrusted tasks through this Privacy Policy. ④ If the content of the entrusted task or the trustee changes, MIRI D.I.H will disclose it through this Privacy Policy without delay.

Article 7. Measures to Ensure the Security of Personal Information

MIRI D.I.H takes the following measures to ensure the security of personal information: 1. Administrative Measures: Establishment and implementation of an internal management plan, regular employee training, operation of a dedicated organization. 2. Technical Measures: Management of access rights to the personal information processing system, installation of an access control system and other related protective measures, internet network blocking measures, encryption of personal information, storage and inspection of access records, installation and updating of security programs, inspection and supplementation of vulnerabilities in the personal information processing system. 3. Physical Measures: Access control for computer rooms, data storage rooms, etc., storage of documents and auxiliary storage media in a secure location with a locking device, safety measures against disasters and calamities, control of the entry and exit of auxiliary storage media.

Article 8. Matters Concerning the Installation, Operation, and Opting out of Automatic Collection Devices for Behavioral Information

① To provide personalized services and convenience to data subjects, MIRI D.I.H uses 'cookies' that store and frequently retrieve usage information. ② A cookie is a small amount of information that the server (http) used to operate the website sends to the data subject's browser. It is stored on the data subject's computer or mobile device and is automatically transmitted to the server from the data subject's browser when accessing the website. ③ Data subjects can configure their browser options to allow or block cookies. ▶ Allowing/Blocking Cookies in a Web Browser ･ Chrome: Select the '⋮' icon at the top right of the web browser > New Incognito window (Shortcut: Ctrl+Shift+N) ･ Edge: Select the '...' icon at the top right of the web browser > New InPrivate window (Shortcut: Ctrl+Shift+N) ▶ Allowing/Blocking Cookies in a Mobile Browser ･ Chrome: Select the '⋮' icon at the top right of the mobile browser > New Incognito tab ･ Safari: Go to device Settings > Safari > Advanced > Block All Cookies ･ Samsung Internet: Select the 'Tabs' icon at the bottom of the mobile browser > Turn on Secret mode > Start

Article 9. The Rights of the Member and Their Legal Representative, and Means of Their Exercise

① Data subjects may, at any time, request Miri.DIH Co., Ltd. (“the Company”) to allow access to, transfer, correct, delete, suspend the processing of, or withdraw consent to the use of their personal information (hereinafter referred to as “exercise of rights”). ※ For children under the age of 14, the exercise of rights must be carried out directly by their legal representative. For minors aged 14 or older, the data subject may exercise rights regarding their personal information directly or through their legal representative. ② In accordance with Article 41(1) of the Enforcement Decree of the Personal Information Protection Act, data subjects may exercise their rights through written requests, telephone, email, fax, or via the Company’s website. The Company will take necessary measures without delay in response to such requests. Data subjects may, at any time, directly view, modify, delete, suspend processing of, or withdraw consent to the use of their personal information via “Name > Edit My Information” located at the top-right corner of the website, or request access through the “Help icon (question mark)” at the bottom-right corner of the website. Data subjects may also refuse automated decision-making and request an explanation at any time through the “Help icon (question mark)” located at the bottom-right corner of the website. ③ The exercise of rights may also be carried out through a legal representative or an agent authorized by the data subject. In such cases, a power of attorney must be submitted in accordance with the form provided in Annex Form No. 11 of the “Guidelines on the Processing of Personal Information.” ④ The right of the data subject to request access to and suspension of personal information processing may be restricted pursuant to Article 35(4) and Article 37(2) of the Personal Information Protection Act. ⑤ If the personal information is explicitly designated as a subject of collection under other applicable laws, the data subject cannot request its deletion. ⑥ The Company verifies whether the person exercising the rights is the data subject themselves or a duly authorized representative. ⑦ Data subjects may exercise their rights by contacting the department below. The Company will respond within 10 days from the date of receiving the request for exercising rights (immediately in the case of requests for data transfer). ▶ Department for Receiving and Handling Requests to Exercise Personal Information Rights Department: Design Request Team Address: TP Tower, 8F, 13F, 14F, 17F, #1004, 12 Digital-ro 31-gil, Guro-gu, Seoul, Republic of Korea Contact: <070-4355-4884>, creative@miridih.com

Article 10. Chief Privacy Officer & Responsible Personnel

① MIRI D.I.H has designated the following persons as the Chief Privacy Officer and Personal Information Manager to remain responsible for responding to Data subjects' inquiries regarding personal information and resolving any related complaints. ▶ Chief Privacy Officer Name: Heo Yeong Min Position: COO Contact: <070-4355-4884>, <creative@miridih.com> ▶ Personal Information Protection Department Department Name: Design Request Team Contact: <070-4355-4884>, creative@miridih.com ② For any privacy-related questions, complaints, or concerns that arise while using MIRI D.I.H 's services, data subjects can contact the Chief Privacy Officer and the Privacy Department. MIRI D.I.H will respond promptly to all inquiries.

Article 11. Remedies for Infringement of Rights

Data subjects may seek remedies and consultations for personal information infringement at the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency's Personal Information Infringement Report Center, etc. For other reports and consultations on personal information infringement, please contact the institutions below. 1. Personal Information Dispute Mediation Committee: (no area code) 1833-6972 (www.kopico.go.kr) 2. Personal Information Infringement Report Center: (no area code) 118 (privacy.kisa.or.kr) 3. National Police Agency: (no area code) 182 (https://ecrm.police.go.kr/minwon)

Article 12. Changes to the Personal Information Processing Policy

This Privacy Policy will take effect on October 15, 2025.

Supplementary Terms

The following additional terms apply respectively to users having residence in or nationality of certain countries. In the event of any conflict between the following additional terms and the provisions of the main body of this Policy, the following terms shall prevail. The Company shall try to comply with any legal regulation of countries which may be applied to the User and the Company. 1. For Users Having Usual Residence in European Union The purpose and basis of personal information processing: The Company uses the collected personal information only for the purposes stated in Article 3 and seeks the User's consent. Also, in accordance with GDPR, the Company may process personal information if one of the following applies: (1) consent; (2) conclusion and performance of a contract; (3) compliance with legal requirements; (4) vital interests; (5) legitimate interests (unless overridden by the data subject's rights and freedoms). Users may request data portability, object to processing, and lodge complaints with supervisory authorities. Marketing uses require consent, which may be withdrawn at any time. Personal Information of Children: For users resident in the EU (including UK, Switzerland), the service is not directed towards children under 16. If collected, such data will be promptly deleted. 2. For Users Having Usual Residence in California, and Virginia, United States The Company shall take necessary measures to comply with CPRA and VCDPA as applicable. 3. For Users Having Usual Residence in Japan Use of Personal Information: The Company processes personal information as necessary to provide services and features, mainly regulated in Article 3. Provision and Outsourcing: Articles 7 and 8 of this Policy apply.