The company collects and processes the minimum necessary personal information for the following purposes. The personal information being processed will not be used for any purpose other than those listed below, and if the purpose changes, necessary measures such as obtaining separate consent in accordance with the Personal Information Protection Act will be implemented.

• ① Personal Information Items Processed with the Consent of the Information Subject

  The company processes the following personal information with the consent of the information subject as per Article 15(1)(1) of the "Personal Information Protection Act".

  Article 1 — Items processed with consent

  Category	Type	Purpose of Collection	Items Collected	Retention and Usage Period
  Customer Inquiry	Mandatory	Verifying inquirer, receiving/handling/responding to inquiries	Name, Email, Details of inquiry (type/title/content), Confirmation of being over 14 years old	1 month from the date of inquiry
  	Optional	Registering reference materials, securing additional communication methods, and telephone responses if needed	Attached files, contact information
  Unethical Behavior Reporting	Mandatory	Verifying reporter, receiving/handling/responding to reports	Name, Contact information, Email, Details of report (type/title/content), Password for checking my post, Confirmation of being over 14 years old	3 years after conclusion of related actions, etc.
  	Optional	Quick and accurate verification of facts and measures	Location, Regional headquarters, Attached files
  Safety and Health Communication Forum	Mandatory	Receiving/handling/responding to opinions	Email, Details of opinion (category/institution/title/content), Confirmation of being over 14 years old	5 years after review of related actions
  	Optional	Verification of details related to the opinion	Attached files
  Commercial Use of Imagery	Mandatory	Verifying requester, receiving/handling/approval of requests	Company name, Person in charge, Email, Confirmation of being over 14 years old	1 month from the date of request
  	Optional	Verification of imagery usage period and securing additional communication methods	Contact information
  SNS Events	Mandatory	Participation details and identity verification, prize dispatch	Name, contact information, ID (nickname) Collection items may vary by event, and consent will be obtained after notification.	5 days after dispatching event prizes

• ② Personal Information Items Processed Without the Consent of the Information Subject

  The company discloses the items and the legal basis for processing personal information without the consent of the information subject in this "Personal Information Processing Policy."

• ③ During the use of services or in the process of handling services, the following information may be automatically generated and collected:

  Article 1 — Automatically generated information

  Purpose of Collection	Items Collected
  Statistical analysis and prevention of illegal/unfair usage	Browser information, IP address, date and time of visit
  Providing customized services (maintaining user settings)	Cookies

The company does not process personal information of children under 14 years old without the consent of their legal guardian, as the collection and use of personal information require such consent.

The company processes and retains personal information within the retention and usage period agreed upon by the information subject at the time of collection or as prescribed by laws.

• ① The retention period for personal information collected for each purpose and service can be found in detail in Article 1: Purpose of Processing Personal Information, Items Collected, and Usage Period.
• ② The retention periods prescribed by relevant laws are as follows:

  Article 3 — Statutory retention periods

  Law	Subject	Retention Period
  Enforcement Decree of the Serious Accidents Punishment Act Article 13	[Safety and Health Communication Forum] Employees and the general public's opinions	5 years from the date actions are taken

The company destroys personal information according to the following procedures and methods:

• ① Personal information that has become unnecessary due to the expiration of the retention period or the achievement of the processing purpose is destroyed without delay. However, if retention is required by other laws, such information is physically or logically separated and stored separately.

  ※ Preservation subjects according to other laws can be verified in <Article 3: Processing and Retention Period of Personal Information>.

• ② Personal information stored in electronic file format is destroyed in a manner that prevents its recovery, and personal information recorded on paper documents is incinerated or shredded.

• ① The company processes personal information within the scope specified for the processing purpose and only provides it to third parties in cases stipulated by Articles 17 and 18 of the Personal Information Protection Act, such as with the consent of the information subject or under special provisions of law, and does not provide it to third parties otherwise.
• ② In accordance with the 'Personal Information Processing and Protection Guidelines for Emergency Situations' jointly announced by government ministries, the company may provide personal information to relevant authorities without the consent of the information subject in cases of emergencies, such as disasters, infectious diseases, urgent threats to life or physical safety, and urgent property loss. For more details, please click <here>.
• ③ The company provides personal information as follows to ensure smooth service delivery:

  Article 5 — Third-party provision

  Legal Basis	Recipient	Purpose of Provision	Items Provided	Retention and Usage Period
  Article 17(1)(1) of the Personal Information Protection Act (Consent of the information subject)	KT&G affiliatesSee list	Investigation and verification of reports on unethical behavior	- Name, contact information, email, details of report (type/title/content) - Region/attached files * If consent is given for the collection and use of optional items and submitted	Immediate deletion after the conclusion of related actions, etc.
  	Operators/partner companies of KT&G reported by complainants

• ① The company may outsource the processing of personal information to ensure smooth service provision and will disclose this in the "Personal Information Processing Policy" to allow the information subjects to easily verify it at any time.
• ② The company outsources personal information processing tasks as follows:

  Article 6 — Outsourcing of processing

  Outsourced Party (Trustee)	Outsourced Tasks	Personal Information Items	Retention and Usage Period
  Easymedia Co., Ltd	Website maintenance	All personal information collected from the website, including name, contact information, email, etc. (refer to Article 1)	Until the end of the outsourcing contract (not retained separately)
  SK Corporation (Subcontractors - Daeshin Networks, ITNC)	Infrastructure operation	All personal information collected from the website, including name, contact information, email, etc. (refer to Article 1)	Until the end of the outsourcing contract (not retained separately)
  The SMC Group	SNS operation agency	All personal information collected for event execution and prize dispatch, including name, contact information, etc. (refer to Article 1)	5 days after each event's prize dispatch

• ③ When concluding the outsourcing contract, the company specifies in the contract and other documents the matters related to the prohibition of processing personal information beyond the purpose of the outsourced tasks, technical and administrative protection measures, restrictions on subcontracting, management and supervision of the trustee, and liability for damages, in accordance with Article 26 of the Personal Information Protection Act. The company supervises the trustee to ensure the secure processing of personal information.
• ④ In accordance with Article 26(6) of the Personal Information Protection Act, when a trustee subcontracts the company's personal information processing tasks, it does so with the company’s consent.
• ⑤ If there is a change in the trustee or the outsourced tasks, the company will promptly disclose this through the "Personal Information Processing Policy".

• The company takes the following measures to ensure the security of personal information:
  • 1. Administrative measures: Establishment and implementation of internal management plans for personal information, operation of dedicated organizations, and regular training of employees.
  • 2. Technical measures: Management of access rights to personal information processing systems, installation of access control systems, encryption of passwords, and installation and updating of security programs.
  • 3. Physical measures: Access control to the locations where personal information is stored, such as data centers.

• ① 'Cookies' are small pieces of information sent by the server used to operate a website to the browser of the information subject and are stored on the subject's device.
• ② The company uses cookies to provide customized services (maintaining user settings).
• ③ Information subjects can set their web/mobile browser options to allow or block cookies. However, refusing to store cookies may make it difficult to use customized services.
  • 1. Methods to allow and block cookies in web/mobile browsers:
    • 가. Chrome: Web/Mobile Browser Settings > Privacy and Security > Clear Browsing Data
    • 나. Edge: Web Browser Settings > Cookies and Site Permissions > Manage and Delete Cookies and Site Data
    • 다. Safari: Mobile Browser Settings > Safari > Advanced > Block All Cookies
    • 라. Samsung Internet: Mobile Browser Settings > Internet Usage History > Delete Internet Usage History

• ① According to the Personal Information Protection Act, information subjects can exercise the following rights regarding their personal information at any time:
  • 1. Access to personal information
  • 2. Correction of personal information
  • 3. Deletion of personal information
  • 4. Suspension of processing of personal information
  • 5. Withdrawal of consent for personal information
  • 6. Refusal of notification of personal information usage/provision
• ② Rights under the above clause can be requested in writing, via email, etc., and the company will respond without delay.
  • 1. The company verifies whether the person exercising the rights is the information subject or a legitimate representative. If requesting through a representative, a power of attorney must be submitted. Download Power of Attorney
  • 2. Inquiries and requests can be made to the following department according to the 'Rights Exercise Request Form'.
  Download Power of AttorneyRequest Form Download

  Personal Information Rights Exercise Reception/Handling Department

  Personal Information Rights Exercise Reception/Handling Department
  Department Name	Communication Office, Lee Jun-woo
  Contact/FAX	02-3404-4634 / 02-3404-4210
  Email	jwlee@ktng.com

• ③ Requests for access to personal information and suspension of processing may be restricted under Article 35(4) and Article 37(2) of the Personal Information Protection Act.
• ④ If other laws specify that the personal information is a subject of collection, it cannot be requested for deletion.

• ① The company has designated a Personal Information Protection Officer to oversee and be responsible for personal information protection tasks, handling complaints related to personal information, and remediation of related issues as follows:

  Privacy Officer and Manager

  Category	Personal Information Protection Officer	Personal Information Protection Manager
  Name	Park Jun-young	Kim Seon-guk
  Position/Department	Head of Information Security	Information Security Department
  Contact information	042-939-5340
  Email	kimsk@ktng.com

• ② You may inquire about any grievances related to personal information that occur while using the service, and the company will provide prompt and sufficient responses.

  Personal Information Grievance Handling Department

  Personal Information Grievance Handling Department
  Department Name	Communication Office, Lee Jun-woo
  Contact information	02-3404-4634
  Email	jwlee@ktng.com

• Information subjects can consult the following organizations for remediation of personal information infringements and for consultation. These organizations are independent from the company, and if you need more detailed assistance regarding the infringement of personal information rights, please contact them:
  • 1. Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
  • 2. Personal Information Infringement Report Center: 118 (privacy.kisa.or.kr)
  • 3. Supreme Prosecutors' Office: 1301 (www.spo.go.kr)
  • 4. National Police Agency: 182 (ecrm.police.go.kr)

• ① Announcement date of the "Personal Information Processing Policy": Month 1 Day 13, 2025
• ② Effective date of the "Personal Information Processing Policy": Month 1 Day 13, 2025
• ③ Previous versions of the "Personal Information Processing Policy" can be reviewed below: