Privacy Policy
KT&G Personal Information Processing Policy
KT&G Corporation (hereinafter referred to as the "Company") complies with the Personal Information Protection Act and related laws and regulations to lawfully process and securely manage personal information, thereby protecting the freedoms and rights of the information subjects. In accordance with Article 30 of the Personal Information Protection Act, this policy is established and disclosed to guide the procedures and standards for the processing and protection of personal information and to ensure that any related grievances are addressed swiftly and smoothly.
Major Indication of Personal Information Processing (Labeling)
  • Collection of general personal information
    • Name, Email, Contact information, etc.
    ※ Please see Privacy Policy for details
  • Purpose of Collection of personal information
    • Response to customer inquiry
    • Response to unethical behavior report
  • Retention period and destruction
    • Customer inquiry | 1 month from date of inquiry
    • Report on unethical behavior | 3 years from completion of report-related measure, etc.
  • Delegation of personal information processing
    • Delegation | DOES Interactive, SK AX
    ※ Please see Privacy Policy for details
  • Provision of personal information
    • Third-party provision | Article 5
  • How to view personal information
    • Privacy Office
    • 042-939-5340
    • kimsk@ktng.com
※ For more details, please refer to the "Personal Information Processing Policy" below.
Article 1. Purpose of Processing Personal Information, Items Collected, and Retention and Usage Period

The company collects and processes the minimum necessary personal information for the following purposes. The personal information being processed will not be used for any purpose other than those listed below, and if the purpose changes, necessary measures such as obtaining separate consent in accordance with the Personal Information Protection Act will be implemented.


  • ① Personal Information Items Processed Without the Consent of the Information Subject

    The company processes the following personal information without the consent of the information subject.

    Article 1 — Items processed without consent
    Category | Legal Basis | Purpose of Processing | Items Processed | Retention and Usage Period
    Customer Inquiry | Personal Information Protection Act Article 15(1)(4) (Contract conclusion/execution) | Verifying inquirer, receiving/handling/responding to inquiries | Name, Email, Details of inquiry (type/title/content), Confirmation of being over 14 years old | 1 month from the date of inquiry
    Unethical Behavior Reporting | Personal Information Protection Act Article 15(1)(4) (Contract conclusion/execution) | Verifying reporter, receiving/handling/responding to reports | Name, Contact information, Email, Details of report (type/title/content), Password for checking my post, Confirmation of being over 14 years old | 3 years after conclusion of related actions, etc.
  • ② Personal Information Items Processed with the Consent of the Information Subject

    The company processes the following personal information with the consent of the information subject as per Article 15(1)(1) of the Personal Information Protection Act.

    Article 1 — Items processed with consent
    Category | Legal Basis | Purpose of Processing | Items Processed | Retention and Usage Period
    Customer Inquiry | Personal Information Protection Act Article 15(1)(1) (Consent of information subject) | Registering reference materials, securing additional communication methods, and telephone responses if needed | Attached files, Contact information | 1 month from the date of inquiry
    Unethical Behavior Reporting | Personal Information Protection Act Article 15(1)(1) (Consent of information subject) | Quick and accurate verification of facts and measures | Region, Regional headquarters, Attached files | 3 years after conclusion of related actions, etc.
  • ③ During the use of services or in the process of handling services, the following information may be automatically generated and collected:

    Article 1 — Automatically generated information
    Purpose of Processing | Items Processed
    Statistical analysis and prevention of illegal/unfair usage | Browser information, IP address, date and time of visit
    Providing customized services (maintaining user settings) | Cookies
Article 2. Processing of Personal Information for Children Under 14 Years Old

The company does not process personal information of children under 14 years old without the consent of their legal guardian, as the collection and use of personal information require such consent.

Article 3. Processing and Retention Period of Personal Information

The company processes and retains personal information within the retention and usage period agreed upon by the information subject at the time of collection or as prescribed by laws.

  • ① The retention period for personal information collected for each purpose and service can be found in detail in <Article 1: Purpose of Processing Personal Information, Items Collected, and Retention and Usage Period>.
  • ② The retention periods prescribed by relevant laws are as follows:
    Article 3 — Statutory retention periods
    Law | Subject | Retention Period
    Enforcement Decree of the Serious Accidents Punishment Act Article 13 | [Safety and Health Communication Forum] Records of implementation of measures such as receiving opinions from employees and general citizens | 5 years from the date actions are taken
Article 4. Procedures and Methods for the Destruction of Personal Information

The company destroys personal information according to the following procedures and methods:

  • ① Personal information that has become unnecessary due to the expiration of the retention period or the achievement of the processing purpose is destroyed without delay. However, if retention is required by other laws, such information is physically or logically separated and stored separately.

    ※ Preservation subjects according to other laws can be verified in <Article 3: Processing and Retention Period of Personal Information>.

  • ② Personal information stored in electronic file format is destroyed in a manner that prevents its recovery, and personal information recorded on paper documents is incinerated or shredded.
Article 5. Provision of Personal Information to Third Parties
  • ① The company processes personal information within the scope specified for the processing purpose and only provides it to third parties in cases stipulated by Articles 17 and 18 of the Personal Information Protection Act, such as with the consent of the information subject or under special provisions of law, and does not provide it to third parties otherwise.
  • ② In accordance with the 'Personal Information Processing and Protection Guidelines for Emergency Situations' jointly announced by government ministries, the company may provide personal information to relevant authorities without the consent of the information subject in cases of emergencies, such as disasters, infectious diseases, urgent threats to life or physical safety, and urgent property loss. For more details, please click <here>.
  • ③ The company provides personal information as follows to ensure smooth service delivery:
    Article 5 — Third-party provision
    Legal Basis | Recipient | Purpose of Provision | Items Provided | Retention and Usage Period
    Article 17(1)(1) of the Personal Information Protection Act (Consent of the information subject) | KT&G affiliates; Operators/partner companies of KT&G reported by complainants | Investigation and verification of reports on unethical behavior | Name, Contact information, Email, Details of report (type/title/content); Region/Attached files (* If consent is given for the collection and use of optional items and submitted) | Immediate deletion after the conclusion of related actions, etc.
Article 6. Outsourcing of Personal Information Processing Tasks
  • ① The company may outsource the processing of personal information to ensure smooth service provision and will disclose this in the "Personal Information Processing Policy" to allow the information subjects to easily verify it at any time.
  • ② The company outsources personal information processing tasks as follows:
    Article 6 — Outsourcing of processing
    Outsourced Party (Trustee) | Outsourced Tasks
    DOES Interactive Co., Ltd. | Website maintenance
    SK AX (Subcontractors - Daeshin Networks, ITNC) | Infrastructure operation
    Adqua Interactive Co., Ltd. | SNS operation agency
  • ③ When concluding the outsourcing contract, the company specifies in the contract and other documents the matters related to the prohibition of processing personal information beyond the purpose of the outsourced tasks, technical and administrative protection measures, restrictions on subcontracting, management and supervision of the trustee, and liability for damages, in accordance with Article 26 of the Personal Information Protection Act. The company supervises the trustee to ensure the secure processing of personal information.
  • ④ In accordance with Article 26(6) of the Personal Information Protection Act, when a trustee subcontracts the company's personal information processing tasks, it does so with the company's consent.
  • ⑤ If there is a change in the trustee or the outsourced tasks, the company will promptly disclose this through the "Personal Information Processing Policy".
Article 7. Measures to Ensure the Security of Personal Information
  • The company takes the following measures to ensure the security of personal information:
    • 1. Administrative measures: Establishment and implementation of internal management plans for personal information, operation of dedicated organizations, regular training of employees, and management and supervision of trustees.
    • 2. Technical measures: Management of access rights to personal information processing systems, installation of access control systems, retention and inspection of access logs, encryption of passwords, installation and updating of security programs, and inspection and supplementation of vulnerabilities in personal information processing systems.
    • 3. Physical measures: Access control to the locations where personal information is stored, such as data centers.
Article 8. Installation, Operation, and Rejection of Automatic Personal Information Collection Devices
  • ① 'Cookies' are small pieces of information sent by the server used to operate a website to the browser of the information subject and are stored on the subject's device.
  • ② The company uses cookies for website visit statistics analysis, user convenience, and service quality improvement.
  • ③ Information subjects can set their web/mobile browser options to allow or block cookies. However, refusing to store cookies may make it difficult to use customized services.
    • 1. Methods to allow/block cookies in web browsers:
      • a. Chrome: Click '⋮' in the upper right corner of the web browser → New incognito window (Shortcut: Ctrl+Shift+N)
      • b. Edge: Click '…' in the upper right corner of the web browser → New InPrivate window (Shortcut: Ctrl+Shift+N)
    • 2. Methods to allow/block cookies in mobile browsers:
      • a. Chrome: Click '⋮' in the upper right corner of the mobile browser → New incognito tab
      • b. Safari: Mobile device settings → Safari → Advanced → Block All Cookies
      • c. Samsung Internet: Click 'Tab' icon at the bottom of the mobile browser → Turn on secret mode → Start
Article 9. Rights, Duties, and Methods of Exercise of the Information Subject
  • ① According to the Personal Information Protection Act, information subjects can exercise the following rights regarding their personal information at any time:
    • 1. Access to personal information
    • 2. Correction of personal information
    • 3. Deletion of personal information
    • 4. Suspension of processing of personal information
    • 5. Withdrawal of consent for personal information
    • 6. Refusal of notification of personal information usage/provision
  • ② Rights under the above clause can be requested in writing, via email, etc., and the company will respond without delay.
    • 1. The company verifies whether the person exercising the rights is the information subject or a legitimate representative. If requesting through a representative, a power of attorney must be submitted.
    • 2. Inquiries and requests can be made to the following department according to the 'Rights Exercise Request Form'.
    Personal Information Rights Exercise Reception/Handling Department
    Department Name | Communication Planning Department, Ryu Seung-tae
    Contact/FAX | 02-3404-4634 / 02-3404-4210
    Email | albertyu@ktng.com
  • ③ Requests for access to personal information and suspension of processing may be restricted under Article 35(4) and Article 37(2) of the Personal Information Protection Act.
  • ④ Deletion cannot be requested for personal information that other laws specify as subject to collection.
Article 10. Personal Information Protection Officer and Grievance Handling Department
  • ① The company has designated a Personal Information Protection Officer to oversee and be responsible for personal information protection tasks, handling complaints related to personal information, and remediation of related issues as follows:
    Privacy Officer and Manager
    Category | Personal Information Protection Officer | Personal Information Protection Manager
    Name | Park Jun-young | Kim Seon-guk
    Position/Department | Head of Information Security | Information Security Office
    Contact | 042-939-5340
    Email | kimsk@ktng.com
  • ② You may inquire about any grievances related to personal information that occur while using the service, and the company will provide prompt and sufficient responses.
    Personal Information Grievance Handling Department
    Department Name | Communication Planning Department, Ryu Seung-tae
    Contact/FAX | 02-3404-4634
    Email | albertyu@ktng.com
Article 11. Remedies for Infringement of the Rights and Interests of Information Subjects
  • Information subjects can consult the following organizations for remediation of personal information infringements and for consultation. These organizations are independent from the company, and if you need more detailed assistance regarding the infringement of personal information rights, please contact them:
    • 1. Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
    • 2. Personal Information Infringement Report Center: 118 (privacy.kisa.or.kr)
    • 3. Supreme Prosecutors' Office: 1301 (www.spo.go.kr)
    • 4. National Police Agency: 182 (ecrm.police.go.kr)
Article 12. Operation and Management of Fixed Video Information Processing Equipment

The company operates fixed video information processing equipment at some business sites for the purposes of facility safety and management, fire prevention, etc. Detailed operation and management policies can be found on the website below.

  • "Fixed Video Information Processing Equipment Operation and Management Policy"
Article 13. Efforts for Personal Information Protection

The company does its best to safely manage the personal information of information subjects and has obtained the following domestic and international personal information protection certifications:

Article 13 — Personal Information Protection Certification Status
Category | Domestic Information Security and Personal Information Protection Management System Certification (ISMS-P) | International Standard Personal Information Protection Management System Certification (ISO/IEC27701)
Scope | Customer service operation (Main website, Lil Service, SangSang Madang, SangSang Planet) | Privacy information management system applicable as a PII controller for KT&G customer web service
Period | 2023.02.01. ~ 2026.01.31. | 2025.02.07. ~ 2027.10.09.
Article 14. Changes to the Personal Information Processing Policy
  • ① Announcement date of the "Personal Information Processing Policy": December 10, 2025
  • ② Effective date of the "Personal Information Processing Policy": December 17, 2025
  • ③ Previous versions of the "Personal Information Processing Policy" can be reviewed below: