Camon Social Biz-Card Privacy Policy

Camon Social Co., Ltd. (the “Company”) is committed to protecting the freedom and rights of users and complies with the Personal Information Protection Act and other applicable laws and regulations by lawfully processing and safely managing personal information.

In accordance with Article 30 of the Personal Information Protection Act, the Company hereby establishes and discloses this Privacy Policy to inform users of the procedures and standards related to the processing of personal information, and to ensure the prompt and efficient handling of any complaints or concerns related thereto.

Article 1 (Purpose of Collection and Use of Personal Information)

1. The Company processes users’ personal information for the following purposes. The collected personal information will not be used for any purpose other than that stated below. If the purpose of use changes, the Company will take necessary measures, such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.

   Service	Purpose of Collection	Collected Items
   Membership Registration and Management	Confirming intent to register, user identification for membership-based services, maintaining and managing member status, delivering notifications, retaining records for dispute resolution	Required: ID, password, email, occupation, region of residence Optional: Cultural background, educational background, work experience, industry, areas of interest
   Use and Provision of Biz-Card Services	Registering and updating business card information, managing and sharing personal network information, enabling short-range card sharing	Required: Name, occupation, business card image, phone number, fax number, external service accounts, website, email, company information (company name, job title, company address, company phone number), educational background, work experience, projects, industry, skills, languages spoken, portfolio links, network information (cards and contacts registered by the user) Optional: Location information
   Use and Provision of Subscription-Based Paid Services	Processing recurring subscription payments	Bank account information (bank name, account holder, account number), card information, mobile phone number, in-app purchase details (item purchased, receipt ID) For payments via PG (payment gateway) providers, personal information is collected and stored by the PG company. The Company only receives transaction records provided by the PG company.
   Customer Inquiries and Support	Handling inquiries and complaints, improving customer service	Name, email, mobile phone number
   Marketing and Advertising	Providing personalized services, promoting new services, serving ads based on demographic characteristics	Email, mobile phone number, data generated during use of the Service
   Automatically Collected During Service Use	Analyzing usage patterns and statistics for service improvement and development of new services	OS version, device information, browser type, IP address, cookies, web/app usage history, records of service misuse

2. The Company collects only the minimum necessary personal information during membership registration (including sign-ups using SNS accounts), when a user updates their profile or uses the Service, when the user voluntarily enters or updates additional profile information, and when contacting customer service via fax, mail, or phone. The Company may also collect information through data collection tools.
3. When a user registers using an SNS account (e.g., Google or Apple), the Company receives only the minimum necessary personal information from such third-party providers. The personal information collected by the Company is categorized into required and optional items.

   Third-Party Provider	Information Provided	Purpose of Provision
   Google	Required: Name, email, profile photo, Google account information Optional: Nickname, mobile phone number, and other account-related information	For user registration and account management
   Apple	Required: Name, email, profile photo, Apple account information Optional: Nickname, mobile phone number, and other account-related information	For user registration and account management

Article 2 (Retention and Use Period of Personal Information)

1. The Company retains and uses personal information within the period agreed by the user at the time of collection, or as required or permitted under applicable laws and regulations.
2. The specific periods for which personal information is processed and retained are as follows:

   Purpose of Collection and Use	Retention Period
   Membership registration and management	Until the Member withdraws their membership
   Use and provision of Biz-Card services	Until the Member withdraws their membership or requests deletion
   Use and provision of subscription-based paid services	Five (5) years from the date of subscription cancellation
   Customer inquiries and support	One (1) year from the date of inquiry
   Marketing and advertising	Until the Member withdraws consent or cancels membership

3. Notwithstanding Paragraph 2, the following information is retained for the periods specified below:
   1. Retention Based on the Company’s Internal Policy

      Information Retained	Reason for Retention	Retention Period
      User ID, email, mobile phone number	To prevent improper use or confusion regarding service re-registration	Three (3) months after membership cancellation

   2. Retention Required by Law

      Information Retained	Reason for Retention	Retention Period
      Records related to contracts or withdrawal of subscription	Act on Consumer Protection in Electronic Commerce	Five (5) years
      Records related to payment and supply of goods/services	Same as above	Five (5) years
      Records related to consumer complaints or dispute resolution	Same as above	Three (3) years
      Records related to identity verification	Act on Promotion of Information and Communications Network Utilization and Information Protection	Six (6) months
      Records of service usage, access logs, and IP address	Protection of Communications Secrets Act	Three (3) months
      All transaction books and supporting documents required by tax law	Framework Act on National Taxes, Corporate Tax Act, Income Tax Act	Five (5) years

Article 3 (Procedures and Methods for Destroying Personal Information)

The Company will, in principle, promptly destroy users’ personal information once the purpose of collection and use has been fulfilled, or once the retention period has expired. The procedures and methods for destruction are as follows:

1. Destruction Procedure
   1. Personal information entered by the user for purposes such as membership registration is transferred to a separate database (or a separate storage cabinet in the case of paper records) after the intended purpose is fulfilled. It is then retained for a period of time in accordance with internal policies or applicable laws before being permanently destroyed.
   2. Personal information stored in a separate database shall not be used for any other purpose unless required by law.
2. Destruction Method
   1. Personal information printed on paper is destroyed by shredding or incineration.
   2. Personal information stored in electronic file format is deleted using a technical method that prevents the data from being recovered or reconstructed.

Article 4 (Provision of Personal Information to Third Parties)

The Company processes users’ personal information only within the scope outlined in Article 1 (Purpose of Collection and Use of Personal Information). The Company does not provide users’ personal information to any third party except in cases where the user has given explicit consent; there is a special provision under applicable law; or the provision is otherwise permitted under Articles 17 and 18 of the Personal Information Protection Act.

Data Sharing and Disclosure of Google User Data
We respect your privacy and handle Google user data with care.

1. No Third-Party Sharing: We do not share, sell, or transfer Google user data to any third parties, except as required by law or legal processes.
2. Limited Use: Google user data is only used within our services to provide the functionality that users request (such as authentication, profile display, and related features).
3. No Unauthorized Access: We do not allow any third-party service providers to access Google user data unless it is essential for our app to operate, and in such cases, they are bound by strict confidentiality and data protection obligations.
4. User Control: Users may revoke our access to their Google data at any time through their Google Account settings.

Article 5 (Outsourcing of Personal Information Processing)

1. To ensure service stability and deliver the latest technology to users, the Company engages third-party service providers located outside of Korea to process certain personal information. The personal data collected or generated by the Company is stored in overseas databases as described below. These service providers manage the physical infrastructure only and do not access user personal information directly.

   Service Provider (Data Processor)	Items Transferred	Destination Country	Time & Method of Transfer	Retention and Use Period
   VNIB Tech	Email address, mobile phone number, and information generated during service use	Vietnam	Transfer of marketing and event information upon each request	Until termination of the service outsourcing agreement
   Amazon Web Services, Inc.	1. User profile and social card information: Name, nickname, company, department, job title, email, mobile phone number, phone number, address, profile image, education, work experience, skills 2. User contact information: Name, phone number	Singapore	Transferred remotely via network at the time of service use	Until the use of the cloud service is changed
   Cloud Es	1. User profile and social card information: Name, nickname, company, department, job title, email, mobile phone number, phone number, address, profile image, education, work experience, skills 2. User contact information: Name, phone number	Singapore	Transferred remotely via network at the time of service use	Until the use of the cloud service is changed
   OpenAI OpCo, LLC	1. User profile and social card information: name, nickname, company, department, job title, email address, mobile phone number, telephone number, address, profile image, education, work experience, and skills 2. User contact information: name and telephone number	United States	Transferred remotely via network at the time of service use	Deleted immediately after data processing upon service use

2. When entering into an outsourcing agreement, the Company specifies, in writing (e.g., in a contract), the obligations of the service provider pursuant to Article 26 of the Personal Information Protection Act, including prohibition of processing personal information for purposes other than the commissioned work, implementation of technical and managerial safeguards, restrictions on re-outsourcing, oversight and supervision of the service provider, and liability for damages. The Company also supervises the service provider to ensure personal information is handled securely.
3. If there are any changes to the scope of outsourced services or the service providers, the Company will promptly disclose such changes through this Privacy Policy.

Article 6 (Rights of Users and Legal Guardians, and How to Exercise Them)

1. Users may exercise their rights at any time with respect to their personal information, including requests to access, correct, delete, or suspend the processing of their personal data.
2. Such requests may be submitted to the Company in writing, via email, fax, or other methods as prescribed under Article 41(1) of the Enforcement Decree of the Personal Information Protection Act. The Company will take appropriate action without undue delay.
3. A user’s rights may also be exercised through a legal representative or an authorized agent. In such cases, a power of attorney must be submitted using the form attached as Annex Form No. 11 of the Notification on the Method of Processing Personal Information (No. 2020-7).
4. Requests to access or suspend the processing of personal information may be restricted under Article 35(4) or Article 37(2) of the Personal Information Protection Act.
5. Requests for correction or deletion of personal information cannot be made if the data is required to be retained under applicable laws.
6. When a user requests access, correction, deletion, or suspension of processing, the Company will verify whether the requester is the individual concerned or a duly authorized representative.

Article 7 (Children’s Privacy)

The Company’s services are not directed to, and are not intended for use by, children under the age of 14. We do not knowingly collect personal information from anyone under the age of 14. If we become aware that we have collected personal information from a child under 14 without appropriate consent, we will delete such information without delay. If you believe that we may have collected personal information from a child under 14, please contact us at support@camon.social.

Article 7 (Measures to Ensure the Security of Personal Information)

Pursuant to Article 29 of the Personal Information Protection Act, the Company takes the following technical, administrative, and physical measures necessary to ensure the security of personal information:

1. Minimization and Training of Staff Handling Personal Information
   The Company limits the number of staff authorized to handle personal information by designating specific individuals and restricting access to authorized personnel only. Relevant training is also provided.
2. Regular Internal Audits
   To ensure the safety of personal information processing, the Company conducts internal audits on a regular basis (once per quarter).
3. Establishment and Implementation of Internal Management Plans
   The Company has established and implements internal management plans to ensure the safe handling of personal information.
4. Encryption of Personal Information
   User passwords are encrypted and stored in a way that only the user knows. Important data is encrypted during storage and transmission, or protected using features such as file locking and other security measures.
5. Access Restriction to Personal Information
   The Company controls access to personal information by granting, modifying, or revoking access rights to database systems that process personal information. Unauthorized access from outside is prevented through the use of intrusion prevention systems (IPS).
6. Retention and Protection of Access Logs
   The Company retains access logs to its personal information processing systems for at least six (6) months and uses security features to prevent tampering, loss, or theft of such records.
7. Protection Against Hacking and Malware
   The Company makes every effort to prevent unauthorized access, data leaks, or damage to personal information caused by hacking, computer viruses, or similar threats. It regularly backs up data to prevent loss or damage, uses the latest antivirus software to protect personal information and data, and ensures the secure transmission of information over networks through encryption. The Company also uses intrusion prevention systems to block unauthorized external access and employs all other available technical measures to ensure system security.

Article 8 (Use of Cookies and How to Refuse Them)

1. The Company uses “cookies,” which store and retrieve usage information, to provide users with personalized services.
2. A cookie is a small piece of data sent from the server (HTTP) used to operate the website to the user’s web browser. It may be stored on the user’s hard drive.
   1. Purpose of using cookies: Cookies are used to understand user behavior—such as service usage patterns, frequently visited sites, popular search terms, and security preferences—and provide optimized information accordingly.
   2. How to disable cookies: Users can refuse to store cookies by adjusting their browser settings under Tools > Internet Options > Privacy.
   3. If cookies are disabled, personalized service functionality may be limited.

Article 9 (Personal Information Protection Officer)

1. The Company appoints the following Personal Information Protection Officer to oversee all personal information-related tasks, handle user complaints, and resolve disputes:
   - Personal Information Protection Officer
   • Name: Eddy Chang
   • Title: Data Protection Officer
   • Email: support@camon.social
2. Users may contact the Personal Information Protection Officer with any inquiries, complaints, or requests for relief related to the protection of their personal information while using the Company’s services. The Company will respond without undue delay.
3. Users may also submit requests to access their personal information under Article 35 of the Personal Information Protection Act through the Personal Information Protection Officer, and the Company will make every effort to handle such requests promptly.

Article 10 (Remedies for Rights Infringement)

Users may contact the following organizations to seek dispute resolution or counseling in the event of a personal information rights violation:

• Personal Information Dispute Mediation Committee: http://www.kopico.go.kr / 1833-6972
• Personal Information Infringement Report Center: http://privacy.kisa.or.kr / 118
• Cyber Crime Investigation Division, Supreme Prosecutors’ Office: http://www.spo.go.kr / 1301
• Cyber Safety Bureau, National Police Agency: http://www.ctrc.go.kr / 182

Article 11 (Processing of Personal Location Information)

In accordance with the Act on the Protection and Use of Location Information, the Company safely manages users’ personal location information as follows:

1. Purpose and retention of location information: Location information is used temporarily to provide location-based services such as business card sharing and network sharing. It is destroyed without delay after its one-time or temporary use.
2. Retention of access logs related to location information: In accordance with Article 16(2) of the Location Information Act, the Company automatically logs records of collection, use, and provision of location information and retains them for at least six (6) months.
3. Provision to third parties: The Company does not provide personal location information to third parties without prior consent. If a user designates a third party to receive their location information, the Company will notify the user of the recipient, date, and purpose of each provision in real time.
4. Outsourcing of location information processing: If the Company outsources location information processing, such details will be posted on the official website, mobile site, or app for users to review. Currently, no such outsourcing arrangements exist.
5. Location Information Manager: The Company’s Personal Information Protection Officer also serves as the Location Information Manager.

Article 12 (Scope of this Privacy Policy)

This Privacy Policy applies to the official Camon Social Biz-Card website, mobile site, app, and related services. It does not apply to third-party websites linked within the Service that collect personal information independently.

Article 13 (Duty to Notify Prior to Amendment)

1. In the event of any additions, deletions, or modifications to this Privacy Policy, the Company will provide prior notice through its announcements section at least seven (7) days in advance.
2. However, if the amendment involves significant changes that may affect users’ rights—such as changes to the types of personal information collected or the purposes of use—notice will be given at least thirty (30) days in advance.

Article 14 (Compliance with Local Laws)

1. The Company operates its services in multiple jurisdictions and is committed to complying with the applicable laws and regulations of each country or region where its services are offered. While this Privacy Policy is primarily based on the Personal Information Protection Act of the Republic of Korea, the Company also seeks to align its data practices with applicable privacy and data protection laws in other jurisdictions, including those in the United States.
2. If you believe that our data handling practices violate the privacy laws of your jurisdiction, please contact us at support@camon.social. We will review and address your concerns in accordance with the relevant laws and our internal compliance procedures.

Effective date: May 26, 2025