Privacy Policy

1. Purpose of Collection/Use of Personal Information

□ Purpose of Collection and Use of Personal Information The Company uses the collected personal information for the following purposes: ο Contract fulfillment for service provision and provision of content in connection with service provision ο Identity verification for service use, personal identification, prevention of fraudulent use by problematic members and unauthorized use, handling of complaints such as grievances, and delivery of notices ο Marketing and advertising use Provision of events and advertising information and participation opportunities, service provision and advertisement placement according to demographic characteristics, identification of access frequency, or statistics on service usage ο Verification of complainants' identity, confirmation of complaints, contact and notification for fact-finding investigations, and notification of processing results

2. Items of Personal Information to be Collected

□ We collect the following personal information for membership registration, consultation, service application, etc. ο Collected Items: Name, date of birth, login ID, password, mobile phone number, email address, access logs, cookies, service usage records ο Optional Items: Branch/location, areas of interest, event selection items, registration path, consent to receive mailing and SMS services ο Retention Period: Retained semi-permanently until a separate request for opt-out or membership withdrawal is made ο Personal Information Collection Methods: Website (membership registration, consultation board, reservation board, simple login, etc.)

3. Retention and Usage Period of Personal Information

① <Company> processes and retains personal information within the retention and usage period agreed upon when collecting personal information from data subjects, or within the retention and usage period stipulated by relevant laws and regulations. ② The specific personal information processing and retention periods are as follows: ο Customer registration and management: Until termination of service use contract; however, if creditor-debtor relationships remain, until such relationships are settled ο Records of contracts, withdrawal of subscription, payment, and supply of goods in e-commerce: 5 years ο Information collected for diagnosis and treatment: In accordance with the Medical Service Act standards ο Even when the purpose of collection or provision has been achieved, personal information may be retained if there is a need to preserve it in accordance with the Commercial Act or other laws and regulations.

4. Provision of Personal Information to Third Parties

Cellin Clinic does not provide personal information to third parties except in cases falling under Article 17 of the Personal Information Protection Act, such as separate consent from the data subject or special provisions of the law.

5. Rights and Obligations of Data Subjects and How to Exercise Them

Data subjects may exercise the following personal information protection-related rights with respect to Cellin Clinic at any time: ① Request for inspection of personal information ② Request for correction if there are errors, etc. ③ Request for deletion ④ Request for suspension of processing These requests may be made in writing, via email, or via facsimile (FAX) in accordance with Form No. 8 attached to the Enforcement Rules of the Personal Information Protection Act, and Cellin Clinic will take action without delay. If a data subject requests correction or deletion of errors in personal information, the personal information in question will not be used or provided until the correction or deletion is completed. Rights may be exercised through a legal representative of the data subject or an agent such as an authorized representative. In this case, a power of attorney in accordance with Form No. 11 attached to the Enforcement Rules of the Personal Information Protection Act must be submitted.

6. Items of Personal Information Processed

Cellin Clinic processes the following items of personal information: ο Collected Items: Name, date of birth, login ID, password, mobile phone number, email address, access logs, cookies, service usage records ο Optional Items: Branch/location, areas of interest, event selection items, registration path, consent to receive mailing and SMS services.

7. Destruction of Personal Information

① In principle, Cellin Clinic destroys personal information without delay once the purpose of processing personal information has been achieved. The procedures, deadlines, and methods of destruction are as follows: If the retention period of personal information has expired, it shall be destroyed within 5 days from the end date of the retention period. When personal information becomes unnecessary due to the achievement of the processing purpose, abolition of the relevant service, termination of business, etc., it shall be destroyed within 5 days from the date on which the processing of such personal information is deemed unnecessary. ② Cellin Clinic destroys personal information by the following methods: ο Electronic files: File deletion, disk formatting, or using technical methods that make records irreproducible ο Paper documents: Shredding or incinerating

8. Installation, Operation, and Rejection of Automatic Personal Information Collection Devices

Cellin Clinic operates "cookies" and similar technologies that periodically store and retrieve users' information to provide specialized customized services to users. ο Cookies are used to provide personalized services by analyzing access frequency and visit duration, identifying users' preferences and areas of interest and tracking activities, and determining the degree of participation in various events and number of visits. ο Users can set options in their web browser to allow all cookies, confirm each time a cookie is stored, or reject the storage of all cookies.

9. Measures to Ensure the Safety of Personal Information

Cellin Clinic takes the following technical, administrative, and physical measures necessary to ensure safety in accordance with Article 29 of the Personal Information Protection Act: ο Regular internal audits Internal audits are conducted regularly (once a year) to ensure the stability of personal information handling. ο Minimization and training of personal information handling staff Measures are implemented to manage personal information by designating and limiting staff who handle personal information to minimize access. ο Establishment and implementation of internal management plans Internal management plans are established and implemented for the safe processing of personal information. ο Technical measures against hacking, etc. To prevent leakage and damage of personal information by hacking or computer viruses, security programs are installed and periodically updated and inspected. Systems are installed in areas with controlled external access and are monitored and blocked technically and physically. ο Encryption of personal information Users' personal information, including passwords, is encrypted for storage and management, so that only the user can know it. Important data is additionally secured through encryption of files and transmitted data or by using file lock functions. ο Restriction of access to personal information Necessary measures are taken to control access to personal information by granting, changing, and revoking access rights to database systems that process personal information, and unauthorized external access is controlled using intrusion prevention systems.

10. Personal Information Protection Officer

Cellin Clinic designates a Personal Information Protection Officer as follows to oversee and be responsible for overall personal information processing operations, and to handle complaints and remedy damages related to personal information processing by data subjects. ο Personal Information Protection Officer - Name: ROH KYOUNG SOO, KIM JONG WOO, PARK TAE WOOK - Contact: 1551-1996

11. Processing in Case of Non-consent

Users (data subjects) have the right to refuse consent to the collection and use of personal information. However, if you do not consent, the provision of related services will be restricted.

12. This Privacy Policy is effective from November 1, 2025.