ARTICLE 1 General Rules 1. “Personal information” means an information concerning a living person by which the relevant person may be identified on the basis of his/her name, etc. contained in the information (it includes information which cannot identify the specific individual by itself but can identify that individual by easily combining with other information). 2. Box o’ Bliss (all online stores operated by Box o’ Bliss, Inc.; hereinafter referred to as “the Company”) makes much account of personal information of our customers and doing our best to protect user rights by complying with the provisions concerning protection of personal information under any applicable law including the 『Privacy Protection Act』 and the 『Act on Promotion of Information and Communications Network Utilization and Information Protection』 3. Through the Privacy Policy, the Company notifies members the purpose and the method of using personal information submitted by the members and what kind of actions are being taken for protecting personal information. 4. The Company takes actions for facilitating members to easily browse the Privacy Policy whenever desired by exposing it on the first page of the website. The Company set up the required processes to continuously improve the Privacy Policy. When the Privacy Policy is revised or changed, it is assigned with a version number for customers to easily note the revised contents. ARTICLE 2 Collection of Personal Information and Purpose of Use 1. The Company collects user information to provide identification of oneself, mileage or reward points and payment service, and various convenient services. The purpose and method of collection of personal information are as follows. 1) Required information(mandatory) or purpose of collection in registration Collected information: E-mail address(used as a sign-in account), name, password Purpose of collection: To contact in case of identification of oneself and service provision Duration of retention: 30 days after membership withdrawal 2) Collected information and purpose of collection whilst using the service or ordering/inquiring procedures A. Collected information when accessing to the service(mandatory) Collected information : Service utilization record, access log, cookie, accessed IP information (Mobile device) Mobile device identification number mobile device OS information, telecommunication companies Purpose of collection : Provision to online shopping mall services excluding services for orders Duration of retention : Until the purpose of collection is achieved B. Information possible to be collected when placing an order, making payment, and product shipping (mandatory) Collected information: Address, name, contact number, recipient/contact number, payment record, inactivation record, transaction information Payment method information(bank account information, credit card information), etc. Purpose of collection : Order and receipt for items or service products, making payment, exact delivery of ordered products Personal identification to deal with complaints, analysis aiming on service improvement Duration of retention : Until the purpose of collection is achieved 3) Marketing-purpose collection of information and collection purpose (optional) Collected information: E-mail, name, address, agreement in receiving marketing action, gender, date of birth Purpose of collection: Data utilization for event/service promotion marketing, securement of accurate shipping destination for gift delivery, Provision of information on services and events by the Company(e-mail, etc.) Identification for customer service center inquiries, etc. Duration of retention : Until the withdrawal of agreement 2. The Company’s action for provision of false information Members must assure the accuracy and legitimacy of one’s own information. If this is violated and false information is provided through whichever method such as stealing other’s information, the Company has the right to report the member according to the related act and may withdraw the member without one’s permission. 3. Responsibilities on loss or issues occurred to individual members due to voluntary exposure of personal information is entirely on individuals. Be in full aware of the possibility of unauthorized utilization by collection of others when published on public spaces, and unwanted damage may occur. 4. Collection method of personal information The Company’s homepage, inquiry board, telephone, participating in events, generating information collection through log analysis program, information collection through “cookie” ARTICLE 3 Provision and Sharing of Personal Information 1. When registered as a member of Box o’ Bliss, one can purchase products operated by the Site. 2. The Company will not provide customer’s personal information to a third party without any prior agreement. 3. If member’s personal information is provided or shared, separate agreement is required after notification through the website, e-mail, and others covering information on to whom the information is provided, who is sharing the information, which information is provided or shared, what the purpose of provision or sharing is, duration of retention and utilization, etc. 4. Unless otherwise prescribed by law, provision of personal information without the member’s permission is allowed. ARTICLE 4 Handling Entrustment of Collected Personal Information 1. The Company operates personal information handling tasks by entrusting to the following outsourcing companies to implement services.

Outsourced Tasks	Third-party Service Providers
Building and managing the computerized system Customer service	Box o’ Bliss Inc.
Transmission of payment information, payment agency services	KR Partners Inc.
Service provision of product shipping, shipping location / arrival information	[Logistics Partners]: Lotte Global Logistics, Deleo Korea, WEX24, UPS, Fedex, USPS, DHL
Shipping of orders and after-sales service	[Sales Parners] : Dariconsulting co.,ltd, Jaimdang Corp, Manna CEA Inc, Swanicoco Inc

* Duration of retention and utilization of personal information: Until the date of withdrawal or termination of consignment contract * Depending on certain types of delivery such as direct shipping, shipping information will be provided to affiliates, which requested sales, according to Article 21 of Electronic Commerce Consumer Protection Act. 2. Except for cases where customers have made agreement in advance or in accordance with related legislations, the Company will not utilize customer’s personal information beyond the bounds of specified range notified on the agreement nor provide it to others or other companies/institutions. However, if customer’s inquiries or complaints are concluded to be related with affiliates carried by the Company’s stores, customer’s personal information and inquiries can be provided to the corresponding affiliates for a prompt service. 3. When concluding consignment contract, to promote safety in personal information protection, the Company clearly stipulates that it has to strictly observe the instructions on personal information protection, the ban on offering of personal information and also stipulates that who bears the responsibility in case of accident. The company keeps the contract contents both in writing or in electronic formats. When the consigned enterprise is changed, the name of changed enterprise is posted on the Privacy Policy page. ARTICLE 5 Period of Retention, Utilization, and Destruction of Personal Information 1. The Company immediately destroys personal information of members once the collection purpose or provision purpose is achieved. (However, member registration information is destroyed with “30 days of grace period” from the date of withdrawal request due to the purpose of handling member’s inquiries, temporary postponement of reward points, etc.) It is retained for a certain period of time when there is a need of retention according to related legislation such as the Commercial Law for reasons regarding approval of transaction related management duty relations as follows. A. Records related to contracts or withdrawal of subscription : 5 years B. Records related to payment and supply of goods : 5 years C. Records related to consumer complaints or dispute settlement : 3 years 2. Personal information destruction method is as follows. A. Personal information printed on paper: Shred by paper shredder or incinerate B. Personal information saved in digital file formats: Deletion by technical methods which makes the record irretrievable ARTICLE 6 Method to Browse and Correct Personal Information, Withdraw Membership and Agreement 1. Members can browse of update enlisted personal information or withdraw membership whenever it is desired. A. Homepage : After logging in, click 『My Information』 to browse and update personal information or withdraw B. Immediate measures will take action when one contacts the Chief Manager of Personal Information. 2. When the member requests the correction of error in personal information, the company does not use or provide that personal information until the correction is completed. Moreover, in case the company has already provided the wrong personal information to third parties, the company will take measures to correct relevant information by notifying third parties with the corrected result without delay. 3. The Company handles deleted or withdrawn personal information by the member’s request according to the period of retention and utilization of personal information collected by the Company, and is restricted when attempted to be browsed or used with other purposes. ARTICLE 7 Administration and Utilization of Cookie 1. The Company may use ‘cookie’ to provide customized service. ‘Cookie’ is a small data bundle sent from the HTTP server to the user’s browser, and is stored in the member’s computer hard drive. Cookie identifies your computer, but not you as an individual. 2. The Company uses cookies for purposes listed below. A. To analyze access frequency and duration of visit of members and non-members as well as understand user’s preference and field of interest to utilize as an index of target marketing and service improvement. B. To provide customized service on subsequent shopping by tracking the information on purchased products and browsed products. Expires when cookie browser shuts down or logged out. Cookies expire after a day, and can be deleted through browser ‘delete cookie’. * Installation of cookies and refusal thereof You have an option to accept or refuse installation of cookies. Therefore, you can choose the options of your web browser to accept all cookies, to receive notice when cookies are installed, or to refuse all cookies. However, if you refuse storage of cookies, you may not be able to access certain services that require log-in. How to enable/disable cookies (For Internet Explorer) (1) Select [Internet Option] from the [Tools] menu (2) Click [Privacy] (3) Click [Advance] (4) Select whether to enable/disable cookies How to enable/disable cookies (For Safari) (1) At the upper left bar or MacOS, select [Safari] -> [Settings] (2) Move to [Security] tab within the [Settings] window and select whether to enable/disable cookies C. It is used as a data to provide customized information depending on each individual’s field of interest and to provide differentiated entry opportunities in reference to the number of visits and degree to participation of members in events held by the Company. D. Members have an option to accept or refuse installation of cookies. Therefore, members can choose the options of one’s web browser to accept all cookies, to receive notice when cookies are installed, or to refuse all cookies. E. Storage of cookie may be refused by members, but in this case normal web services may not be accessed. ARTICLE 8 Chief Privacy Officer 1. To protect personal information of members and handle complaints and inquiries regarding personal information, the Company operates related department and chief privacy officer as the following. [Person in Charge of Personal Information]

Classification	In Charge
Chief Privacy Officer(CPO)	Seula lee
Department of Privacy Protection / Position	CEO
Telephone Number	+82-2-2088-2547
E-mail Address	contact@boxobliss.com

2. Please inquire the organizations listed below when reports or consultations from other privacy infringement issues are required. e-Privacy Mark Certification Committee (www.eprivacy.or.kr / +82-2-580-0534) Supreme Prosecutors’ Office Cyber Crime Investigation Department (http://www.spo.go.kr / +82-2-3480-2000) Korean National Police Agency Cyber Bureau (http://cyberbureau.police.go.kr / +82-2-392-0330) ARTICLE 9 Technical and Institutional Measures to Protect Personal Information 1. Technical measures In handling personal information of member, the Company seeks for technical measures to secure safety as the following in order to make personal information not to be lost, stolen, leaked, falsified, or damaged. A. The member’s personal information is protected by the password and the important data is protected through another security functions by using encryption of files and data to transmit or by using file-locking functions. B. The Company takes measures using vaccine program to prevent damages by computer viruses. The vaccine program is updated regularly and when the virus appears suddenly, the violation of personal information is prevented by providing vaccine program as soon as it is updated. C. The Company adopts security system (SSL or SET) which can transmit personal information safely on the network using encryption algorithm. D. As preparation for foreign invasion such as hacking and others, the company makes full preparation in security by using firewall system and vulnerability analysis system in every server. 2. Managing measures The Company restricts the access authority to the member’s personal information as minimum personnel. Those minimum personnel are as follows. Persons who perform the direct marketing task which is targeting members Persons who perform personal information management task such as chief privacy officer and personnel. Other persons who inevitably deal personal information owing to the business The Company carries out regular in-company education and commissioned education outside the company for the personnel who deal with personal information to acquire new security technology and to learn obligation of personal information protection. When employed to the company, security pledge is required of the personal information handling personnel to prevent information leakage beforehand, and internal procedure is arranged to observe whether the personnel abides by the information protection policy. Duty succession of personnel handling personal information is held under strict security, and subject or responsibility when personal information incident occurs is stated clear in case of employment and resignation. Personal information and general data are stored individually. ARTICLE 10 Transmission of Advertising Information The Company does send advertising information for profit-making against the member’s clear intention to unsubscribe. ARTICLE 11 Obligation of Notice This Privacy Policy shall be effective as of September 6, 2022. In the event of addition, deletion, or alteration in its contents according to the government’s policy or change shall be notified at least seven days before the changes take effect.