Re:catch Privacy Policy

Business Canvas Inc. complies with the Personal Information Protection Act and related laws to protect the freedom and rights of data subjects. We lawfully process personal information and manage it safely. In accordance with Article 30 of the Personal Information Protection Act, we establish and disclose this Privacy Policy to inform data subjects of the procedures and standards regarding the processing of personal information and to handle related complaints promptly and smoothly.

Scope of Application of the Privacy Policy

1. When accessing or using the recatch.com service

2. When applying for adoption of the service

3. When registering for a Recatch webinar or seminar

4. When making inquiries or consultations related to the service

Scope of Non-Application of the Privacy Policy

1. Personal information of clients' customers collected through the use of recatch.com services

2. Personal information that is anonymized in accordance with relevant laws and regulations

Article 1. Purpose of Processing Personal Information

Business Canvas Inc. (hereinafter referred to as the "Company") processes personal information based on the consent of data subjects in accordance with number 15 and 22 of the Personal Information Protection Act for the following purposes. The personal information being processed will not be used for purposes other than those specified below. If the purpose of use changes, necessary measures such as obtaining separate consent will be taken in accordance with Article 18 of the Personal Information Protection Act. The Company does not process personal information of children under the age of 14.

Purpose

1. Re:catch and Growth service inquiries and applications, membership registration managementInformation of Re:catch paid customers

   • ID (Email address), Password, Company Name, Name, Phone number, Number of employees, Job Title / Role, Position / Title, Email address used for SSO (Single Sign-On)

2. Information of Re:catch paid customers

   • Business Registration Certificate, Company Name, Name, Email address

3. Utilization for Re:catch improvement, issue response, new service development, and marketing/advertising (automatically generated or collected during service usage or service provision processing)

   • Service usage history, Cookies, Access IP information, Device information, OS information, Account information

4. Sending Re:catch user guides and essential usage-related notifications

   • Email address

5. Customer consultation regarding Re:catch usage

   • Contact number, Email address, Name

Article 2. Items of Personal Information Processed

Based on contract performance according to Article 15, Paragraph 1, Item 4 of the Personal Information Protection Act, the company processes email addresses for sending 'Re:catch User Guides and Essential Usage-related Notifications' without the separate consent of the data subject.

Purpose

1. Re:catch and Growth service inquiries and applications, membership registration management

   • ID (Email address), Password, Company Name, Name, Phone number, Number of employees, Job Title / Role, Position / Title, Email address used for SSO (Single Sign-On)

2. Information of Re:catch paid customers

   • Business Registration Certificate, Company Name, Name, Email address

3. Utilization for Re:catch improvement, issue response, new service development, and marketing/advertising (automatically generated or collected during service usage or service provision processing)

   • Service usage history, Cookies, Access IP information, Device information, OS information, Account information

4. Sending Re:catch user guides and essential usage-related notifications

   • Email address

5. Customer consultation regarding Re:catch usage

   • Contact number, Email address, Name

Article 3. Personal Information Processing and Retention Period

The company processes and retains personal information according to laws and regulations on personal information retention and usage periods or within the personal information retention and usage period consented to by the data subject at the time of collecting the personal information.

| Personal Information Processing and Retention Period according to Service Provision

Purpose

1. Re:catch service inquiries and applications

   • For up to 1 year after completion of Re:catch consultation

2. Re:catch paid customer management

   • until service withdrawal, or

   • until the request for withdrawal of consent for personal information collection and use

   • (Information related to service subscription and termination) For up to 5 years from the subscription or termination date

   • (Information related to service subscription payment) For up to 5 years from the payment date
     * However, even if the above period has arrived, if the minimum retention period required by law, as listed below, has not been met, the information is retained for the minimum retention period according to the law.
     <Act on Consumer Protection in Electronic Commerce>

   • Records on contracts or subscription withdrawal, etc.: 5 years

   • Records on payment and supply of goods, etc.: 5 years

   • Records on consumer comlaints or dispute resolution: 3years

   • Records on display and advertising: 6 months
     <Commercial Act>

   • Commercial books: 10years

3. Utilization for Re:catch improvement, issue response, new service development, and marketing/advertising (automatically generated or collected during service usage or service provision processing)

   • until service withdrawal, or

   • until opt-out (refusal to receive), or

   • until the request for withdrawal of consent for personal information collection and use

4. Sending Re:catch user guides and essential usage-related notifications

   • until service withdrawal, or

   • until opt-out (refusal to receive), or

   • until the request for withdrawal of consent for personal information collection and use

5. Customer consultation regarding Re:catch usage

   • For up to 3 years from the consultation completion date

Article 4. Matters concerning the Procedure and Method of Personal Information Destruction

1. The company destroys the relevant personal information without delay when personal information becomes unnecessary, such as upon expiration of the personal information retention period or achievement of the processing purpose.

2. Notwithstanding the expiration of the personal information retention period consented to by the data subject or achievement of the processing purpose, if personal information must continue to be preserved according to other laws and regulations, as stated in Article 3, the relevant personal information is transferred to a separate database (DB) or stored in a different storage location.

3. The procedures and methods for personal information destruction are as follows

   1. Destruction Procedure The company selects the personal information for which 1 a destruction reason has occurred and destroys the personal information periodically or non-periodically (e.g., upon separate request by the data subject) after receiving approval from the company's personal information protection officer

   2. Method of Desturction For personal information recorded and stored in electronic file format, the company destroys it in a way that the records cannot be reproduced, and for personal information recorded and stored as paper documents, it is destroyed by shredding or incineration.

Article 5. Matters concerning the Outsourcing of Personal Information Processing Tasks

1. The company outsources personal information processing tasks as follows for smooth personal information processing operations.

2. The company stipulates necessary matters and conducts management and supervision to ensure that the entrusted companies safely process personal information in accordance with the Personal Information Protection Act and other relevant laws and regulations.

3. In case the content of the outsourced task or the entrusted party changes, we will disclose it through this personal information processing policy. (List of Re:catch Personal Information Entrusted Companies and Collection Tools)

Article 6. Matters concerning the International Collection and Transfer of Personal Information

1. The company entrusts some of its personal information processing tasks to overseas business operators as follows, in accordance with Article 28-8 (1) 3 (a) of the Personal Information Protection Act (Overseas processing entrustment and storage for contract performance). International transfer of personal information is essential for providing the Re:catch service (customer behavior analysis, consultation and email sending, payment processing), therefore, if you refuse the international transfer of personal information, service use is not possible. If you do not wish for international transfer, you can proceed with service withdrawal through the customer center (privacy@business-canvas.com).

2. When the company uses the services of overseas cloud service providers (e.g., Google API) for business processing, it uses them after carefully reviewing the service provider's information protection and personal information protection compliance status, and cloud service providers cannot access the company's customer personal information.

3. Notice on the Use of Google API

   • When Re:catch uses information received from the Google API or transfers it to other apps, it complies with the Google API Services User Data Policy(Google API Services User Data Policy), including the Limited Use requirements.

4. Notice on the Use of Microsoft API

   • When Re:catch uses information received from the Microsoft API or transfers it to other apps, it complies with Microsoft's Terms of Service and Microsoft API Terms of Use(Microsoft APIs Terms of Use).

• List of Recipients of International Personal Information Collection and Transfer

Article 7. Matters concerning Measures to Ensure the Safety of Personal Information

The company takes the following measures to ensure the safety of personal information.

1. Administrative Measures

   • Establishment and implementation of internal personal information management plan

   • Designation of a personal information protection officer

   • Additional information protection training for personal information handlers

2. Technical Measures

   • Access control management for personal information processing systems, etc.

   • Installation of access control systems

   • Encryption of personal information

3. Physical Measures

   • Access control to data storage areas

Article 8. Matters concerning the Installation/Operation of Devices that Automatically Collect Personal Information and the Right to Refuse Them

1. To provide individual services and convenience to users, the company uses cookies to store usage information and retrieve it from time to time.

2. A cookie is a small amount of information that a server used for website operation (http) sends to the data subject's browser and is stored on the data subject's PC or mobile device.

3. Data subjects can set options in their web browsers to allow or block cookies, etc. However, if cookie storage is refused, there may be difficulties in using customized services.

< How to Allow / Block Cookies >

▶ Allowing/Blocking Cookies in Web Browsers

• Chrome: Web browser settings > Privacy and security > Clear Browse data

• Edge: Web browser settings > Cookies and site permissions > Manage and delete cookies and site data

▶ Allowing/Blocking Cookies in Mobile Browsers

• Chrome: Mobile browser settings > Privacy and security > Clear Browse data

• Safari: Mobile device settings > Safari > Advanced > Block All Cookies

• Samsung Internet: Mobile browser settings > Browse history > Clear Browse data

Article 9. Matters concerning the Collection, Use, Provision, and Refusal of Behavioral Data

1. The company analyzes the behavioral data of Re:catch service users and collects and uses behavioral data to provide customized online advertisements and optimal services. However, for the purpose of customized advertising, we do not collect behavioral data of children under 14 years of age whom we know to be under 14, and we do not provide customized advertisements to children.

2. The behavioral data collected by the company includes Re:catch user's visit history within the Re:catch service, Re:catch activity logs, user's browser information, and advertising identifiers. We collect only the minimum behavioral data necessary for customized online advertising and service improvement, and we do not collect sensitive behavioral data that could clearly infringe on an individual's rights, interests, or privacy, such as ideology, beliefs, family and relative relationships, educational background, medical history, and other social activity history.

3. When a user visits or uses the website, the company uses tags, including SDKs provided by third parties, to provide customized online advertising and effective services. Based on Article 15 (1) 1 of the Personal Information Protection Act (when the data subject has given consent), the list of the company's behavioral data collection tools can be found on this page.

4. The company provides behavioral data to online customized advertising businesses as follows:

   • Advertising businesses collecting behavioral data: Meta (formerly Facebook), Google LLC

   • Method of behavioral data collection: Automatic collection and transmission when the user visits the company website or launches the app

   • Behavioral data items collected: User's service visit history, activity logs, and search history via cookies or unique identifiers (including advertising ID), web/app history installed and used, Google account name (when logging in with Google)

   • Purpose of behavioral data collection: Customized advertising based on user behavioral data, content provision, user analysis

   • Retention and usage period

     • Meta: https://www.facebook.com/privacy/policy

     • Google LLC.: https://policies.google.com/technologies/retention?hl=ko

   • Legal Basis: Article 17 (1) 1 of the Personal Information Protection Act

5. Data subjects can contact the personal information protection department in Article 11 and inquire about matters related to behavioral data, exercise their right to refuse, report damages, etc.

6. Data subjects can block or allow behavioral data collection by changing the cookie settings in web browsers as follows. However, when cookie settings are changed, use of some services, such as website auto-login, may be restricted.

   <Setting for collection of behavioral data collected by the company>

   (1) Chrome

   • In Chrome, click the ‘⋮’ icon in the upper right corner, then click 「Settings」.

   • On the left side of the settings page, click 「Privacy and security」, and click 「Clear Browse data」 to select whether to clear Browse data.

   • Similarly, on the left side of the settings page, click 「Privacy and security」, click 「Third-party cookies」, and select whether to 「Block third-party cookies」.

   (2) Edge

   • In Edge, click the ‘…’ icon in the upper right corner, then click 「Settings」.

   • Click 「Privacy, search, and services」 on the left side of the settings page, then in the 「Tracking prevention」 section, select whether and to what level to enable 「Tracking prevention」.

   • Select whether to 「Always use “Strict” tracking prevention when Browse InPrivate」.

   <Setting for whether to provide behavioral data to third parties>

   (1) Chrome

   • In Chrome, click the ‘⋮’ icon in the upper right corner, then click 「Settings」.

   • On the left side of the settings page, click 「Privacy and security」, click 「Third-party cookies」, and select whether to 「Block third-party cookies」.

   • If you want to allow specific sites, click 「Add」 next to 「Sites allowed to use third-party cookies」 at the bottom of the 「Third-party cookies」 section, and enter the website address.

   (2) Edge

   • In Edge, click the ‘…’ icon in the upper right corner, then click 「Settings」.

   • Click 「Privacy, search, and services」 on the left side of the settings page, then in the 「Tracking prevention」 section, select whether and to what level to enable 「Tracking prevention」.

   • If you want to allow specific sites, click 「Exceptions」 at the bottom of the 「Tracking prevention」 section, select 「Add a site」, and enter the website address.

   <Setting for blocking/allowing online customized advertising>

   Data subjects can collectively block or allow customized advertising by changing the cookie settings in web browsers. However, changing cookie settings may restrict the use of some services, such as website auto-login.

   (1) Chrome

   • In Chrome, click the ‘⋮’ icon in the upper right corner, then click 「Settings」.

   • On the left side of the settings page, click 「Privacy and security」, and click 「Clear Browse data」 to select whether to clear Browse data.

   • Similarly, on the left side of the settings page, click 「Privacy and security」, click 「Third-party cookies」, and select whether to 「Block third-party cookies」.

   (2) Edge

   • In Edge, click the ‘…’ icon in the upper right corner, then click 「Settings」.

   • Click 「Privacy, search, and services」 on the left side of the settings page, then in the 「Tracking prevention」 section, select whether and to what level to enable 「Tracking prevention」.

   • Select whether to 「Always use “Strict” tracking prevention when Browse InPrivate」.

Article 10: Matters concerning the Rights and Obligations of Data Subjects and Legal Representatives and Methods of Exercise

1. Data subjects who have directly provided personal information to the company may at any time exercise rights against the company, such as demanding access to, correction of, deletion of, or suspension of processing of personal information. The exercise of rights can be done through the personal information protection department under Article 11, 1. b.

2. The exercise of rights against the company can be done through written request, email, chat consultation, etc., in accordance with Article 41 (1) of the Enforcement Decree of the Personal Information Protection Act, and the company will take action without delay accordingly.

3. The exercise of rights may also be done through an agent, such as a legal representative of the data subject or a person who has received delegation. In this case, you must submit a power of attorney in the format of Annex Form No. 11 of the Notice on Personal Information Processing Methods (No. 2023-12).

4. The demand for access to personal information and suspension of processing may, according to Article 35 (4) and Article 37 (2) of the Personal Information Protection Act, have the rights of the data subject restricted.

5. The demand for correction and deletion of personal information cannot be demanded for deletion if the collection of that personal information is explicitly stipulated as a collection target in other laws and regulations.

6. Regarding the fact that automated decisions are made, if the data subject's consent has been received, or if notified in advance through contracts, etc., or if there is a clear provision in the law, refusal of automated decisions is not recognized, and only requests for explanation and review are possible. Furthermore, the demand for refusal or explanation regarding automated decisions may be refused if there is a legitimate reason, such as a concern that it may unduly infringe upon the life, body, property, and other interests of others.

7. When receiving a demand for access, correction/deletion, or suspension of processing according to the data subject's rights, the company confirms whether the person making the demand (for access, etc.) is the data subject themselves or a legitimate agent.

Article 11: Matters concerning the Personal Information Protection Officer

1. The company is responsible for overseeing all tasks related to personal information processing and designates a personal information protection officer as follows to handle data subjects' complaints and provide remedies related to personal information processing.

   [Personal Information Protection Officer and Responsible Department]

   a. Personal Information Protection Officer

   • Name: Park Jinwoo

   • Position and Rank: CISO

   • Contact Information: 070-4012-0700, privacy@business-canvas.com

     • ※ Connected to the Personal Information Protection Department.

   b. Personal Information Protection Department

   • Department: Security Team

   • Contact Information: 070-4012-0700, privacy@business-canvas.com

2. Data subjects can inquire about all matters related to personal information protection, complaint handling, and remedies for damages occurring while using the company's services to the Personal Information Protection Officer and the responsible department. The company will provide answers and process data subjects' inquiries without delay.

Article 12: Matters concerning Changes to the Personal Information Processing Policy

1. This personal information processing policy is effective 1 from April 1, 2025.