Personal Information Management Policy

COMMAX Co., Ltd. (hereinafter, the “Company”) has established the personal information management policy as follows (the “Policy”) in accordance with the Personal Information Protection Act and Act on Promotion of Information and Communication Network Utilization and Information Protection to protect the rights and interests of the users of the Company’s services and to handle any problems that the users may face in respect of their personal information. This Policy is applied to all the Smart Home solution provided by the Company, and any amendment of this Policy will be publicly announced by a posting on the application of the Smart Home solution of the Company. (or individual notice)

1. Purpose of Personal Information Management Company processes user’s personal information for the following purposes. Processed information will not be used for any purposes other than for the following purposes. Company will seek prior consent of the persons who are the subject of the personal information (the “Users”) before any change to the intended use is implemented. 1) Membership Registration and Management Company processes personal information for the following purposes: - To confirm the User’s intention to be a registered member - To maintain or manage membership status - To prevent unauthorized use of service - To give public announcement or notice - To handle customer complaints; and - To keep records for dispute resolution purposes. 2) Complaint Handling Company processes personal information for the following purposes: - To verify the complaining person’s identification - To review complaints - To contact or notify the complaining persons to investigate the cause of the complaints - To notify complaint review results. 3) Provision of Smart Home Solution Company processes personal information for the following purposes. - To provide Smart Home solution by data collection/analysis - To provide customized/intelligent solution

2. Collecting and use of Personal Information Company collects, uses, and provides the personal information with user’s consent. 1) Types of Personal Information • ID, password, email address, BLDG/Unit No and size, nickname, gender, age • During the use/provision of services, the following information may be automatically collected. (device information, service use history, access log, etc.) 2) Method of collection: Manual/automatic collection by using sign-up, device/application installation information, modifying membership information, telephone, customer service, application, or voluntary provision of users while using the service 3) Retention basis: Provision of Solution and response 4) Retention periods: In the event of withdrawal of membership or consent and not using services for a year, his/her personal information will be promptly destroyed. However, if retention of any of the above information is required by law, the Company shall process and retain such information during the required period in accordance with the law.

3. Right of the users and method to exercising such rights As the subject of the personal information, User may exercise the following rights. 1) User may at any time exercise the following rights against the Company in order to protect his/her personal information: ① Right to have access to personal information; ② Right to request correction of any error; ③ Right to request deletion of information; ④ Right to request discontinuance of personal information processing. 2) The rights may be exercised by the Form No. 8 of the Enforcement Regulation of the Personal Information Protection Act and submitting to the Company in writing, or by telephone or email. The Company will immediately take action upon receipt of such request. 3) In case User requests correction or deletion of any error in his/her personal information, the Company will not use or provide the concerned information until such correction or deletion is completed. 4) The rights may be exercised by a legal agent or an authorized representative of the User. In such a case, power of attorney as provided in Form No. 11 of the Enforcement Regulation of the Personal Information Protection Act must be submitted to the Company.

4. Destruction of personal information In principle, the company destroys the personal information without delay if the purpose of personal information processing is achieved. The procedure, deadline and method of destruction are as follows. 1) Destruction Procedure The information entered by the user is transferred to a separate DB after achieving the purpose(in case of paper, separate documents) and destroyed immediately after being stored for a certain period of time in accordance with the internal policy and other related statutes. At this time, personal information transferred to the DB will not be used for any other purpose unless required by law. 2) Method of destruction • Information in electronic file formats is deleted using technical methods that cannot reproduce the records. • Personal information printed on paper is shredded or destroyed by incineration.

5. Measures to secure the safety of personal information In accordance with Article 29 of the Personal Information Protection Act, the company takes technical, administrative and physical measures necessary for securing safety as follows: 1) Encryption of personal information The user’s personal information is stored and managed by encryption, and only the user can know the password. Important data is managed by separate security functions such as encryption files and transmission data or using file lock function. 2) Technical measures against hacking, etc. In order to prevent personal information leakage or damage caused by hacking or computer viruses, the company installs security programs, updates and checks regularly, installs systems in areas where access from outside is controlled, and monitors and blocks them technically and physically. 3) Restrict access to personal information We take necessary measures to control access to personal information through granting, changing, and canceling access rights to the database system that processes personal information, and control unauthorized access from the outside using an intrusion prevention system. 4) Minimization and training of personal information handling staff We are taking measures to manage personal information by designating and minimizing the number of employees who handle personal information. 5) Personal ID and Password management In principle, the ID and password used by the user are intended to be used only by the user. The company is not responsible for the problems caused by the leakage of personal information such as ID and password due to the user’s personal carelessness and the basic internet risks.

6. Personal information protection officer and person in charge The company is responsible for the handling of personal information, and designates a person in charge of personal information protection and a person in charge as follows to handle complaints and remedy damages of information subjects related to personal information processing. and answers questions related to personal information promptly and sincerely. Personal Information Protection Head Manager Name : Kang Min Soo Team : R&D Center Position : R&D Director Personal Information Protection General Manager Name : Kwon Hee Hoon Team : R&D Center / Cloud Team Position : Chief Researcher Inquiry : COMMAX Customer Service 1599-8866

7. Remedy for infringement of rights and interests (Request for personal information access) If you need to report or consult about personal information infringement, please contact the institution below for help. Personal Information InfringementReporting Center http://privacy.kisa.or.kr Cyber Investigation Division of theSupreme Prosecutors’ Office http://cybercid.spo.go.kr Cyber Security Bureau of the NationalPolice Agency http://cyberbureau.police.go.kr

8. Notice of Privacy Policy Notice • Personal information processing policy version number : v1.0 • Personal information processing policy implementation date : August 31, 2020