THE EIGHT ROOM - THE ESSENCE OF LUXURY

Article 1 (Purpose of Processing Personal Information)

EIGHT ROOM Co., Ltd. (hereinafter "Company") processes personal information for the following purposes, and the personal information being processed shall not be used for purposes other than those stated below. If the purpose of use changes, the Company will take necessary measures such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.

※ Note: The Korean version of this Privacy Policy is the legally binding version. This English translation is provided for convenience only.

1. Member Registration and Management Confirmation of intent to register, identity verification for member services, maintenance and management of membership qualifications, prevention of fraudulent use, various notifications, and handling of grievances.

2. Provision of Goods or Services Product delivery, service provision, contract and invoice issuance, content delivery, personalized services, identity verification, age verification, payment processing and settlement, and debt collection.

3. Grievance Handling Identity verification of complainants, confirmation of complaints, communication for fact-finding, and notification of processing results.

4. Marketing and Advertising (upon optional consent) Development of new services and personalized offerings, provision of event and promotional information, demographic-based service provision and advertising, service effectiveness verification, access frequency analysis, and statistics on member service usage.

Article 2 (Personal Information Items Processed)

The Company processes the following personal information items.

1. Membership Registration and Management - Required: Name, email address, password, mobile phone number - Optional: Date of birth, gender

2. Provision of Goods or Services - Required: Name, delivery address, phone number, email, payment information (partial card number or account number) - Optional: Delivery instructions

3. Automatically Collected Items The following items may be automatically generated and collected during the use of internet services: IP address, cookies, service usage records, visit date and time, access logs, improper use records, device information.

Article 3 (Processing and Retention Period)

① The Company processes and retains personal information within the retention and use period prescribed by law, or within the retention and use period consented to when collecting personal information from the data subject. ② The processing and retention period for each category of personal information is as follows:

1. Membership Registration and Management: Until membership withdrawal However, in the following cases, retention continues until the relevant cause ends: - When an investigation is in progress due to a violation of relevant laws: Until completion of the investigation - When claims and obligations arising from the use of the website remain: Until settlement of such claims and obligations

2. Provision of Goods or Services: Until completion of supply and payment settlement However, the following records are retained for the periods specified by law: - Under the Act on the Consumer Protection in Electronic Commerce: · Records of displays and advertisements: 6 months · Records of contracts, withdrawal of subscription, payments, and supply of goods: 5 years · Records of consumer complaints or dispute resolution: 3 years - Under the Electronic Financial Transactions Act: 5 years - Under the Protection of Communications Secrets Act (communication confirmation data): 3 months

Article 4 (Provision of Personal Information to Third Parties)

① The Company processes the personal information of data subjects only within the scope specified in Article 1, and provides personal information to third parties only in cases corresponding to Articles 17 and 18 of the Personal Information Protection Act, such as consent from the data subject or special legal provisions. ② The Company provides personal information to third parties for smooth service provision as follows:

1. Delivery Companies - Recipient: Entrusted delivery companies (e.g., CJ Logistics) - Purpose: Shipping of ordered products - Items provided: Name, address, phone number - Retention and use period: Destroyed after delivery completion

2. Payment Gateway Providers - Recipient: Payment gateway companies (e.g., Toss Payments, KG Inicis) - Purpose: Credit card and bank transfer payment processing - Items provided: Payment information, order information - Retention and use period: Legal retention period under the Electronic Commerce Act

Article 5 (Entrustment of Personal Information Processing)

① For smooth personal information processing, the Company entrusts the following work:

1. Delivery Service - Trustee: Domestic courier companies - Content: Product delivery and return processing

2. Payment Processing - Trustee: Payment gateway companies - Content: Credit card, bank transfer, and virtual account payment processing and refund processing

3. Message Delivery - Trustee: Email and SMS service providers - Content: Order/delivery notifications and marketing message delivery

② When entering into entrustment contracts, the Company specifies in documents such as the contract, in accordance with Article 26 of the Personal Information Protection Act, prohibition of processing personal information for purposes other than the performance of entrusted work, technical and administrative protection measures, restrictions on re-entrustment, management and supervision of the trustee, and liability for damages. The Company also supervises whether the trustee safely processes personal information. ③ If the content of the entrusted work or the trustee changes, the Company will disclose such changes through this Privacy Policy without delay.

Article 6 (Rights and Obligations of Data Subjects and Legal Representatives)

① Data subjects may exercise the following rights regarding personal information protection at any time: 1. Request to access personal information 2. Request to correct errors 3. Request to delete 4. Request to suspend processing ② The exercise of rights under paragraph ① may be made in writing, by email, or by fax, in accordance with Article 41, paragraph 1 of the Enforcement Decree of the Personal Information Protection Act, and the Company will take action without delay. ③ When a data subject requests correction or deletion of errors in personal information, the Company will not use or provide the relevant personal information until the correction or deletion is completed. ④ The exercise of rights under paragraph ① may be conducted through a legal representative or an authorized agent. In such cases, a power of attorney as prescribed by the notice on methods of personal information processing must be submitted. ⑤ Requests for access and suspension of processing may be limited under Article 35, paragraph 4 and Article 37, paragraph 2 of the Personal Information Protection Act. ⑥ Requests for correction or deletion of personal information cannot be made if the personal information is specified as a subject of collection in other laws.

Article 7 (Procedures and Methods for Destruction of Personal Information)

① The Company destroys personal information without delay when it becomes unnecessary due to the expiration of the retention period or the achievement of the processing purpose. ② When personal information must continue to be preserved under other laws despite the expiration of the retention period consented to by the data subject or the achievement of the processing purpose, the Company transfers such personal information to a separate database (DB) or stores it in a different location. ③ The procedures and methods for destroying personal information are as follows: 1. Destruction Procedure: The Company identifies personal information for which destruction is warranted and destroys it with the approval of the Personal Information Protection Officer. 2. Destruction Method: Electronic files are permanently deleted using technical methods that prevent record restoration. Personal information printed on paper is shredded or incinerated.

Article 8 (Measures to Ensure Security of Personal Information)

The Company takes the following measures to ensure the security of personal information:

1. Administrative Measures - Establishment and implementation of internal management plans - Separation of duties and regular training for personal information handlers - Management of access rights and retention of access records

2. Technical Measures - Access rights management for personal information processing systems and installation of access control systems - Encryption of passwords, unique identification information, and other important data - Installation and periodic updating of security programs - Backup for safe storage and retention of access logs

3. Physical Measures - Physical access control to server rooms and data storage areas

Article 9 (Installation, Operation, and Refusal of Automatic Personal Information Collection Devices)

① The Company uses "cookies" that store and retrieve usage information to provide personalized services to users. ② Cookies are small pieces of information sent by the server (HTTP) operating the website to the user's browser, and may be stored on the user's PC or mobile device.

1. Purpose of Cookie Use: Cookies are used to analyze visit and usage patterns, popular searches, secure connection status, and language settings for each service and website visited, in order to provide optimized information to users. 2. Installation, Operation, and Refusal of Cookies: Users can refuse cookie storage through options in the Tools > Internet Options > Privacy menu at the top of their web browser. 3. Refusing cookie storage may cause difficulties in using some personalized services.

Article 10 (Personal Information Protection Officer)

① The Company designates a Personal Information Protection Officer as follows to take overall responsibility for personal information processing and to handle complaints and damages relief of data subjects related to personal information processing.

▶ Personal Information Protection Officer - Name: Taehwan Jang - Position: CEO - Contact: 010-8630-3330 - Email: the8room@naver.com

② Data subjects may contact the Personal Information Protection Officer regarding all inquiries, complaints, and damage relief related to personal information protection arising from using the Company's services. The Company will respond and process such inquiries without delay.

Article 11 (Remedies for Infringement of Rights)

To receive relief for personal information infringement, data subjects may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee, the Personal Information Infringement Report Center of the Korea Internet & Security Agency (KISA), and other organizations. For reports or consultations on other personal information infringements, please contact the following agencies:

1. Personal Information Dispute Mediation Committee: 1833-6972 / www.kopico.go.kr 2. Personal Information Infringement Report Center: 118 / privacy.kisa.or.kr 3. Supreme Prosecutors' Office Cyber Investigation Division: 1301 / www.spo.go.kr 4. National Police Agency Cyber Investigation Bureau: 182 / ecrm.cyber.go.kr

Article 12 (Changes to This Privacy Policy)

① This Privacy Policy applies from the effective date. ② If there are additions, deletions, or revisions due to laws or policies, the Company will announce such changes through notices at least 7 days before their effective date.

Addendum