GI INNOVATION

GI Innovation Inc. (the “Company”) legally processes and safely manages personal information in compliance with the Personal Information Protection Act and related laws and regulations to protect the freedom and rights of the data subjects. Accordingly, in accordance with Article 30 of the Personal Information Protection Act, the Company establishes and discloses the following privacy policy in order to inform the data subjects of the procedures and standards for processing and protecting personal information and to promptly and smoothly handle complaints related thereto.

Indication of Processing Key Personal Information (Labeling)
Personal Information Collected Please check the main text of the privacy policy for details	Collection of Unique Identification Information	Collection of Sensitive Information	Period for Processing and Retention of Personal Information
Purpose of Processing Personal Information	Outsourcing Personal Information Processing	Provision of Personal Information to 3rd Parties	Collecting Opinions and Handling Complaints

Swipe left and right.

Article 1. Purpose of Personal Information Processing, Processed Items, Retention and Use Period

The Company processes personal information for the following purposes in accordance with the Personal Information Protection Act. Personal information being processed will not be used for any other purposes. If the purpose of use changes, the Company will take necessary measures, including obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.

1. Personal information items processed without the consent of the data subject

Legal basis	Type	Purpose of processing	Personal information items	Retention and use period
Article 32, Paragraph 1 (Tax Invoices, etc.) of the Value-Added Tax Act, Article 67, Paragraph 2 (Tax Invoices) of the Enforcement Decree of the Value-Added Tax Act, Article 134 (Timing and Method of Withholding Tax on Wage Income), Article 145 (Timing and Method of Withholding Tax on Other Income and Issuance of Withholding Tax Receipts), Article 164 (Submission of Payment Statements) of the Income Tax Act, and Article 116 (Receipt and Storage of Expenditure Proof Documents) of the Corporate Tax Act.	Personal information	Fulfillment of legal and administrative obligations imposed on the company, such as reporting and payment of various taxes, including corporate tax and value-added tax, and issuance and delivery of receipts and tax invoices.	Name, address, payment amount	5 years
Article 24-2 of the Personal Information Protection Act, Article 32 Paragraph 1 (Tax Invoices, etc.) of the Value-Added Tax Act, Article 67 Paragraph 2 (Tax Invoices) of the Enforcement Decree of the Value-Added Tax Act, Article 134 (Timing and Method of Withholding Tax on Wage and Salary Income), Article 145 (Timing and Method of Withholding Tax on Other Income and Issuance of Withholding Tax Receipts), and Article 164 (Submission of Payment Statements) of the Income Tax Act, and Article 116 (Acquisition and Storage of Expenditure Proof Documents) of the Corporate Tax Act.	Personally identifiable information	Reporting and payment of various taxes, including corporate tax and value-added tax	Resident registration number and alien registration number of the person who signed the contract with the company (if the information subject is a foreigner)	5 years
Article 15, Paragraph 1, Subparagraph 4 (Contract Conclusion and Performance) and Subparagraph 6 (Legitimate Interests of Personal Information Processors) of the Personal Information Protection Act	Personal information	Confirmation of the identity of the contracting parties, contract conclusion, payment of costs, etc., performance of the contract and proof of performance, business contact, response to contract violation, and computer management of contract status	The name, address, phone number, business name, mobile phone number, email address, business registration number, and financial institution account information of the company's contractual counterparty (in the case of a corporation, the representative of the corporation) (in the case of a corporation, the name, phone number, email address, and work address of its employees are included)	Until the later of the following: (i)Until the purpose of processing is achieved (ii)In the case of an ongoing investigation or inquiry due to a violation of relevant laws and regulations, until the conclusion of such investigation or inquiry (iii)In the case of a remaining creditor-debtor relationship related to the purpose of collection, until the settlement of such creditor-debtor relationship (iv)In the case of a mandatory retention period under relevant laws and regulations such as the Commercial Act and the National Tax Basic Act, until the expiration of such period

Swipe left and right.

2. Personal information items processed with the consent of the data subject

Type	Purpose of processing	Personal information items	Retention and use period
Recruitment/HR	applicant identity verification, recruitment process, identity, career, and qualification verification, employment suitability assessment, recruitment result notification, notice delivery, and administrative processing related to job application	name (Korean, English), date of birth, photo, address, email, phone number, gender, nationality, academic background, eligibility for veterans' benefits, military service, career history, language skills, qualifications/licenses, education/training, research experience and research content, research portfolio, self-introduction, current compensation, desired compensation upon joining, recommender, possible date of joining, and other personal information included in documents submitted to the company (resume, self-introduction, certificate, letter of recommendation, transcript, etc.), or personal information provided during the interview.	[180] days from the date of notification of recruitment results (If a deletion request is made, it will be destroyed immediately.)
	Review of cover letter and resume	Sensitive information written in a cover letter or resume (information on ideology and beliefs, membership in or withdrawal from labor unions or political parties, political views, health, sexual life, genetic information, criminal record information, information on an individual's physical, physiological, or behavioral characteristics, information created through certain technical means for the purpose of identifying a specific individual, information on race or ethnicity)	[180] days from the date of notification of recruitment results (If a deletion request is made, it will be destroyed immediately.)
	Checking the applicant's past application history and whether there are any duplicate applications	Name, date of birth, gender, application date	12 months from the date of consent
HR	Career management, including the preparation and management of employee list, issuance of certificates of employment and career history, and verification of relevant information.	Name (Korean, English, Chinese), date of birth, gender, address (resident registration address, residence), appointment details, special skills, and information required for proof of career experience	10 years from the date of resignation
	Reviewing and verifying compliance with legal requirements, including corporate standards, contractual obligations, and penalties, and with regulatory bodies.	Rewards and punishments	10 years from the date of resignation
	managing retirees and handling various administrative processes	Contact information, email, and copy of retirement account	10 years from the date of resignation
Patent	Domestic and international patent application, amendment, registration, and related dispute response, intellectual property administration, and various management tasks	[Required] Name (Korean/English/Chinese characters), date of birth, address, contact information (email, address, mobile phone number, or telephone number, if listed as contact information)	For up to 150 days after the end of the patent term and the maximum extension period (25 years) under the Patent Act (However, after the purpose of use is achieved, the information may be retained and used only to the extent necessary for resolving relevant disputes, handling complaints, and fulfilling statutory obligations)
Speak up	Confirmation of the details of the report, confirmation of the reception/processing results, complaint handling, delivery of notices	Name (anonymous reporting possible), email address, phone number, mobile phone number, and other contact information, activity history such as posting, log records	Until the conclusion/end of the report (except in cases where separate storage is required, such as cases subject to disciplinary action)
Newsletter Subscription	Providing the latest news and promotional information about the company	[Required] Name, Email Address	Until the cancellation of the subscription
Access Control	server room access control, security, and inspection	[Required] Server room entry records (date and time of entry, purpose, affiliation, name, contact information) and personal video information of the person entering the server room recorded on CCTV	Entry/exit log records: until the purpose of use is achieved, CCTV recording video information: for up to [90] days from the date of filming.
Research	Acquisition/transmission of medical information, utilization in medical research activities, and organization, analysis, and reporting of the results.	- Healthcare professional’s name, affiliation, position/title, workplace address, email address, contact information, medical license details, educational background, information on research activities, and career history - Information obtained in the course of clinical trials and other clinical activities conducted with the patient’s explicit consent, as well as in the fulfillment of obligations under applicable laws and regulations, including year and month of birth, gender, and disease-related health information	- Healthcare Professional (HCP) Information: 10 years after the completion of the clinical trial or after marketing authorization - Patient Information: At least 25 years after the end of the clinical trial (if domestic or international laws require retention for more than 25 years, for that period)
Adverse event reporting	Fulfillment of obligations for adverse event reporting	- Reporter Information: Name, initials, country, affiliation (organization), telephone number, fax number, occupation (profession), and email address. - The patient’s (subject’s) age at the time of the adverse event, height, gender, pregnancy status, lactation status, weight, race/ethnicity, medical history, diagnosis, information on administered medications, details of the adverse event and related tests, and relevant clinical progress/outcomes	10 years after the expiration or withdrawal of the marketing authorization for the relevant product

Swipe left and right.

Article 2 Provision of Personal Information to Third Parties

1. The Company provides personal information only to the minimum extent necessary with the consent of the data subject, in accordance with Article 17(1)1 of the Personal Information Protection Act. Currently, there is no personal information provided to third parties based on the data subject’s consent.

2. The Company may provide personal information to the following institutions without the consent of the data subject as follows.

Legal basis	Recipient	Purpose of Use by the Recipient	Personal Information Provided
Article 21(1)(19) (Other Income), Article 127(1)(6) (Withholding Tax Obligations), and Article 145 (Timing and Method of Withholding Tax on Other Income and Issuance of Withholding Tax Certificates) of the Income Tax Act	National Tax Service (126)	Filing and payment of various taxes, including income tax, and submission of statements for employment income, retirement income, and other income in accordance with the Income Tax Act	Name and Resident Registration Number of individuals with business relations with the company, and income settlement (year-end tax adjustment) information of employees and their family members
Article 113-2 (Processing of Sensitive Information and Unique Identifying Information) of the Enforcement Decree of the National Pension Act, Article 81 (Processing of Sensitive Information and Unique Identifying Information) of the Enforcement Decree of the National Health Insurance Act, Article 145-2 (Processing of Unique Identifying Information) of the Enforcement Decree of the Employment Insurance Act, Article 127-2(Processing of Sensitive Information and Unique Identifying Information) of the Enforcement Decree of the Industrial Accident Compensation Insurance Act	The 4 Major Social Insurance Agencies: National Pension Service (1355), National Health Insurance Service (1577-1000), Employment Insurance (1577-7114), Korea Workers’ Compensation & Welfare Service (1588-0075)	Management of social insurance eligibility, enrollment, and benefit payments	Employees and their Dependents’ Resident Registration Number (or Alien Registration Number for foreigners), Address and Contact Information, Income Information
Article 34 (Approval, etc. of Clinical Trial Plan) of the Pharmaceutical Affairs Act, Article 30(1) (Standards for Conducting Clinical Trials, etc.) of the Regulation on Safety of Pharmaceuticals, etc.,	Ministry of Food and Drug Safety(1577-1255) and other domestic/international regulatory authorities	Processing is conducted for various reporting obligations in accordance with relevant laws and regulations, including: (i)Submission of applications for Clinical Trial Protocol (and amendments) review, (ii)Reporting on the status of clinical trial implementation, (iii) Reporting of Adverse Drug Reactions (ADR), (iv)Submission of Clinical Trial Results Reports.	- Healthcare Professional (HCP) Information: Name (Initials), country, job title/position, contact information, name and address of the affiliated medical institution (medical care institution). - Patient (Subject) Information: gender, age, pregnancy status, lactation status, height, weight, race/ethnicity, past medical history, diagnosis (disease name), information on administered medications, Adverse Event (AE) information, relevant tests, and details of clinical progress/outcomes.

Swipe left and right.

3. Notwithstanding Paragraphs 1 and 2, the Company may provide personal information to relevant authorities without the consent of the data subject in the event of emergencies—such as disasters, infectious diseases, events or accidents posing imminent danger to life or limb, or urgent risk of property loss—in accordance with the "Rules for Processing and Protection of Personal Information in Emergency Situations" jointly announced by relevant government ministries. For further details, please refer to the URL provided below.
(https://www.pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS217&nttId=7641)

Article 3 Outsourcing personal information processing

1. The Company outsources personal information processing to external companies stated below. Any change in the outsourced companies and the outsourced services will be disclosed through this Privacy Policy. However, outsourcing the processing of the Company’s executives and employees’ personal information will be found on the Company’s internal bulletin board.

Correct as of: 1st February 2026

Outsourced company name	Description of outsourced services
Webmoa	Operation of the website
Jobkorea	Operation of the recruitment system
Syneos Health LLC, Syneos Health UK Limited, IQVIA RDS Inc., IQVIA RDS East Asia Pte. Ltd., MediRama, DreamCIS, KCSG Datacenter, Novotech (Australia) Pty Limited	Organizing, analyzing, and reporting clinical trial data
Zuellig Pharma Korea, Fisher Clinical Services Inc.	Delivery and management of pharmaceutical products and related supplies
University Industry Foundation, Yonsei University (Daan), Macrogen, GCCL, SCL Healthcare(SCLH), U2XLab, Theragen Bio, Geninus, GI Longevity, Labconnect, Perceptive, Adaptive Biotechnologies Corporation, Agilex, CMBIO, PPD, Theranovis	Analysis, transportation, and management of clinical trial specimens
Veeva Systems Inc., Medidata, JNPMEDI, IQVIA, Xactus Onco	Collection and management of clinical trial data, and operation and management of electronic clinical trial document filing systems
Oracle health sciences (Argus Safety)	Collection, management, and analysis of adverse event information arising from clinical trials

Swipe left and right.

2. In accordance with Article 26 of the Personal Information Protection Act, when entering into an outsourcing agreement, the Company specifies in the contract or other written documents matters concerning responsibilities such as the prohibition of processing personal information for purposes other than performing the outsourced tasks, implementation of technical and administrative safeguards, restrictions on re-outsourcing, management and supervision of the service provider, and liability for damages. The Company also supervises whether the service provider processes personal information safely.

Article 4 Cross-Border Transfer of Personal Information

1. The Company transfers personal information overseas as described below. If you wish to refuse the overseas transfer of personal information, please contact us using the contact information set forth in Article 9. However, if you refuse the overseas transfer, it may be difficult to process the related services.

Recipient (Contact Information): Veeva (https://www.iqvia.com/ 4280 Hacienda Drive, Pleasanton, CA 94588, USA, Tel: +1-925-452-6500)
Legal Basis: Article 28-8, Paragraph (1), Subparagraph 3 of the Personal Information Protection Act (Entrustment/Storage)
Country to Which Personal Information Is Transferred: United States
Timing and Method of Transfer: Transmitted via network upon uploading clinical documents
Items of Personal Information Transferred:Investigator and site staff information (name, title/role, affiliated institution, contact information, education, work experience, medical license number, signature);Subject information (screening number, gender, age or age range, visit date, consent date);User information (user ID, email address, names of document author, reviewer, and approver)
Purpose of Use by the Recipient: Operation and management of the electronic Trial Master File (TMF) system
Retention and Use Period by the Recipient: For the duration of the clinical trial

Recipient (Contact Information): IQVIA (https://www.iqvia.com/PrivacyOfficer@IQVIA.com)
Legal Basis: Article 28-8, Paragraph (1), Subparagraph 3 of the Personal Information Protection Act (Entrustment/Storage)
Country to Which Personal Information Is Transferred: United States
Timing and Method of Transfer: Transmitted via network upon clinical data entry and document upload
Items of Personal Information Transferred:Investigator and site staff information (name, title, affiliated institution, office address, email address, contact information, work experience, license number);User information (user ID, access logs);Subject information (date of birth or age, gender, diagnosis, dosing records)
Purpose of Use by the Recipient: Operation and management of the electronic Trial Master File (TMF) system
Retention and Use Period by the Recipient: For the duration of the clinical trial

Recipient (Contact Information): Medidata (https://www.medidata.com/en/contact-us/#akopelman@mdsol.com)
egal Basis: Article 28-8, Paragraph (1), Subparagraph 3 of the Personal Information Protection Act (Entrustment/Storage)
Countries to Which Personal Information Is Transferred: United States, France, Germany
Timing and Method of Transfer: Transmitted via network upon clinical data entry
Items of Personal Information Transferred:Subject information (screening number, gender, visit date, age or age range, height, weight, medical history, investigational product administration information, test results, adverse event information, concomitant medication information);Investigator and user information (name, affiliated institution, role, business email address, user ID, electronic signature, date and time of electronic signature, access authorization information)
Purpose of Use by the Recipient: Collection and management of clinical trial data
Retention and Use Period by the Recipient: For the duration of the clinical trial

Recipient (Contact Information): Oracle Health Sciences (https://www.oracle.com/ privacy_ww@oracle.com)
Legal Basis: Article 28-8, Paragraph (1), Subparagraph 3 of the Personal Information Protection Act (Entrustment/Storage)
Country to Which Personal Information Is Transferred: United States
Timing and Method of Transfer: Transmitted via network upon entry of adverse event data
Items of Personal Information Transferred:-Subject information: subject identification number, gender, year and month of birth or age, pregnancy status, lactation status, height, weight, medical history, diagnosis (name of disease/condition), investigational product administered medication(s), adverse event details, relevant laboratory/test results, clinical outcomes, race/ethnicity;-Reporter and user information: name, contact information, country, affiliated institution, role, workplace address, user ID, affiliated department
Purpose of Use by the Recipient: Collection, reporting, and management of adverse events
Retention and Use Period by the Recipient: Ten (10) years after the expiration or withdrawal of the marketing authorization

Article 5 Operation and Management of Fixed Visual Data Processing Devices

The Company uses and manages personal visual data processed by fixed visual data processing devices for the following purposes and methods.

1. The statutory ground and purpose for installing the fixed visual data processing devices:

The Company installs and operates fixed visual data processing devices for the following purposes in accordance with Article 25, Paragraph 1 of the Personal Information Protection Act.

Facility safety and management, fire prevention
Crime prevention, e.g. theft prevention

2. The number of the fixed visual data processing devices installed, the locations of installation, and the scope of filming:

Locations of installation	Number of devices installed	Locations of installation and scope of filming
Room 1008, Building B, Terra Tower 1, Munjeong-dong, Seoul	Two CCTVs One Network Video Recorder (NVR)	Entryway
Room 1358, Building B, Seongnam SK V1 Tower, 124 Sagimakgol-ro, Jungwon-gu, Seongnam-si, Gyeonggi-do	One CCTV	Entryway
Room 1359, Building B, Seongnam SK V1 Tower, 124 Sagimakgol-ro, Jungwon-gu, Seongnam-si, Gyeonggi-do	One CCTV	Entryway
Room 1551, Building B, Seongnam SK V1 Tower, 124 Sagimakgol-ro, Jungwon-gu, Seongnam-si, Gyeonggi-do	One CCTV	Entryway
Room 1553, Building B, Seongnam SK V1 Tower, 124 Sagimakgol-ro, Jungwon-gu, Seongnam-si, Gyeonggi-do	One CCTV	Entryway
Rooms 1553~1554, Building B, Seongnam SK V1 Tower, 124 Sagimakgol-ro, Jungwon-gu, Seongnam-si, Gyeonggi-do	Two CCTVs	Hallways
Room 1559, Building B, Seongnam SK V1 Tower, 124 Sagimakgol-ro, Jungwon-gu, Seongnam-si, Gyeonggi-do	One CCTV	Entryway
Room 1560, Building B, Seongnam SK V1 Tower, 124 Sagimakgol-ro, Jungwon-gu, Seongnam-si, Gyeonggi-do	One CCTV	Entryway
Room 1561, Building B, Seongnam SK V1 Tower, 124 Sagimakgol-ro, Jungwon-gu, Seongnam-si, Gyeonggi-do	One CCTV	Entryway
Room 1562, Building B, Seongnam SK V1 Tower, 124 Sagimakgol-ro, Jungwon-gu, Seongnam-si, Gyeonggi-do	One CCTV	Entryway
Room 1563, Building B, Seongnam SK V1 Tower, 124 Sagimakgol-ro, Jungwon-gu, Seongnam-si, Gyeonggi-do	One CCTV	Interior Areas of the Building
Rooms B111~B112, Seongnam SK V1 Tower, Sangdaewon-dong, Jungwon-gu, Seongnam-si, Gyeonggi-do	One (1) 4-Channel Recorder (NVR/DVR), Four (4) IP Cameras	Entryway and interior area of the workplace
Room B134, Seongnam SK V1 Tower, Sangdaewon-dong, Jungwon-gu, Seongnam-si, Gyeonggi-do	One (1) 8-Channel Recorder (NVR/DVR), Six (6) IP Cameras	Entrance and interior area of the Cafeteria

Swipe left and right.

3. The manager and the person who is entitled to access the visual data:

The Company has appointed the manager and the person who is entitled to access the visual data and handle complaints related to personal visual data.

Division	Name	Position	Department	Contact details
Manager	Sung-jin Park	Team leader	Information Strategy Team	+82 70 4141 7820
Person with Access Rights	Guchan Kwon	Team member	HR Team	+82 70 4141 7820

Swipe left and right.

4. Duration of filming, retention period, retention place, and processing method of the visual data:

Duration of filming	Retention period	Retention place
Continuous 24-hour filming and recording	Terra Tower1 (Munjeong-dong, Seoul): up to [90] days from the date of filming	Office on the 10th floor
	Building B, SK V1 Tower (Seongnam-si, Gyeonggi-do): up to [20] days from the date of filming	Office on the 15th floor
	Rooms B111~B112, SK V1 Tower (Seongnam-si, Gyeonggi-do): up to [20] days from the date of filming	Rooms B111~B112
	Room B134, SK V1 Tower (Seongnam-si, Gyeonggi-do): up to [20] days from the date of filming	Room B134

Swipe left and right.

Processing method: the Company records and manages the matters related to the use of personal visual data for purposes other than its intended purpose, the provision of personal visual data to third parties, and the requests for destruction or access, etc. of personal visual data, and permanently deletes the data in a way that it cannot be restored when the retention period expires (by shredding or incineration in the case of printed materials).

5. Outsourcing of the installation and management of visual data processing devices:

The Company outsources the installation and management of fixed visual data processing devices as follows, and stipulates the necessary matters to ensure that personal data is safely managed at the time of the outsourcing contract in accordance with relevant laws and regulations.

Outsourced Company Name	Person in charge	Contact details
SK Shieldus	Yunchan Song	1800-6400

Swipe left and right.

6. Method and location for checking personal visual data:

A data subject’s visual data can be checked in the head office or branch office where the data subject wants to check such data, after submitting an access request to the Company and obtaining prior approval from manager.

7. Measures to deal with the data subject’s request to access the personal visual data:

A data subject may request access to his or her personal visual data by submitting the request to the Company to access, verify the existence of, or delete such visual data. The Company will allow such access, verification, or deletion:

Only for footage containing the data subject;
Otherwise only when it is necessary for the protection of life, bodily or property interests of the data subject from imminent danger

When visiting the head office or branch office to access such information, the visitor must bring the request form (review, confirmation of existence, deletion), and the following documents to confirm his/her identity as the data subject or the data subject’s appointed representative:

If the visitor is the data subject: proof of identity of the visitor as the data subject
If the visitor is an appointed representative of the data subject: document proving the appointment of the visitor as a representative of the data subject (e.g. power of attorney), and document proving the identity of the visitor

The data subject’s request can be rejected by the Company in any of the following cases:

When the personal visual data has been destroyed after the retention period
When there are other legitimate reasons to reject such a request

In the case of rejection, the data subject will be notified of the reasons for rejection in writing or other means within 10 days.

8. Technical, managerial, and physical measures for protecting the visual data:

The personal visual data that the Company processes is managed in a safe and secure manner using encryption measures and the following :

Measures to control and restrict access to personal visual data
Application of technology to store and transmit personal visual data securely (e.g. encrypted transmission of network camera feeds and passwords)
Measures to prevent forgery and modification of stored access logs and records, e.g. creation date/time of personal visual data, purpose of access, identity of visitor, date/time of access etc.
Physical measures and locking facilities to provide and ensure safe and secure storage of personal visual data.

Article 6 Rights of Data Subjects and Exercise of Rights

1. A data subject may exercise the following rights regarding the collection, use, sharing of personal information by the Company in accordance with applicable laws such as the Personal Information Protection Act :

The right to access to his or her personal information;
The right to make corrections or deletion;
The right to make temporary suspension of treatment of personal information; or
The right to request the withdrawal of their consent provided before;

At any time by sending Form 1-1 [Personal Information (Access, Correction, Deletion, Processing Suspension, Withdrawal of Consent) Request] or Form 1-2 [Personal Visual Information (Access, Confirmation of Existence, Deletion) Request] by e-mail to the Company or the Data Protection Officer of the Company.

<Form1-1> (Personal Information (Access, Correction, Deletion, Processing Suspension, Withdrawal of Consent) Request) Downloads

<Form1-2> Personal Visual Information (Access, Confirmation of Existence, Deletion Downloads

2. A data subject can exercise the rights provided in Section 7.1 through an agent, including a legal representative and a power of attorney (“Representatives”) by sending Form 2 (the Power of Attorney).

<Form 2> The Power of Attorney Downloads

3. The Company shall verify whether the person exercising their rights is the data subject themselves or a duly authorized representative.

4. Data subjects may exercise their rights by contacting the Company or the Privacy Officer (Personal Information Protection Officer) specified in Article 9. The Company will respond within 10 days (or without delay in the case of a data portability request) from the date the request to exercise such rights is received.

5. The Company will take measures regarding the request from data subjects or their Representatives without delay, in accordance with applicable laws such as the Personal Information Protection Act. However, where any of the following is applicable, the Company may notify the data subject of the reason and deny the request of such data subject:

Where special provisions in other laws so require or it is inevitable to observe legal obligations;
Where access may cause damage to the life or body of a third party, or unjustified infringement of property and other interests of any other person;
Where it is impracticable to perform a contract such as the provision of services as agreed upon with the said data subject without processing the personal information in question, and the data subject has not clearly expressed the desire to terminate the agreement.

Article 7 Procedures and Methods for Destroying Personal Information

1. The Company will destroy a data subject’s personal information without delay, after the personal information becomes unnecessary owing to the expiration of the retention period, attainment of the purpose of processing the personal information, etc.

2. Even after the retention period consented to by the data subject has expired or the purpose of processing has been achieved, if the personal information is required to be retained under other applicable laws and regulations, such personal information shall be transferred to a separate database or stored in a different location.

3. The procedures and methods for destroying personal information are as follows.

1) Destruction procedure

The Company selects personal information for which a reason for destruction has occurred and destroys the personal information with the approval of the Company’s data protection officer.

2) Destruction method

The Company destroys personal information recorded and stored in electronic files so that it cannot be reproduced as a record, and destroys personal information recorded and stored in paper documents by shredding or incinerating.

Article 8 Measures for Ensuring Safety of Personal Information

The Company, in accordance with Article 29 of the Personal Information Protection Act, takes the following technical, administrative and physical measures necessary to ensure safety:

1. Administrative Measures:

Establishment and implementation of internal management plans, regular employee training, and operation of a dedicated organization responsible for personal data protection.

2. Technical Measures:

Management of access rights to personal information processing systems; installation of access control systems and other relevant protective measures; network isolation from the Internet; encryption of personal information; retention and review of access logs; installation and regular updating of security programs; and inspection and remediation of vulnerabilities in personal information processing systems.

3. Physical Measures:

Access control to server rooms, research labs, and office areas; secure storage of documents and auxiliary storage media in locked and protected locations; implementation of safety measures against disasters and emergencies; and control over the removal and entry of auxiliary storage media.

Article 9 Data Protection Officer

To protect personal information and deal with complaints related to personal information, the Company designates the following Data Protection Officer (DPO). Data subjects may inquire about personal information, complaints, etc. to the Data Protection Officer (DPO) and the department in charge of Data Protection.

[Data Protection Officer]

Name: Sung-jin Park
Position: Head of Information Strategy Team
Contact: +82 70 7700 3862, niceca@gi-innovation.com

[Department in Charge of Data Protection]

Name: HR Team
Contact: +82 70 7717 0308, srlee@gi-innovation.com

Article 10 Remedies for Violation of Rights and Interests

Data subjects may file a petition for settlement of a dispute, consultation, etc. with the Personal Information Dispute Mediation Committee, the Korea Internet and Security Agency, or the Personal Information Infringement Reporting Center to seek remedies for breach of privacy. In addition, you may contact any of the following agencies to report or receive counselling on the breach of privacy:

Personal Information Dispute Mediation Committee: 1833-6972 (without area code) (www.kopico.go.kr)
Personal Information Infringement Reporting Center (Korea Internet and Security Agency): 118 (without area code) (privacy.kisa.or.kr)
National Police Agency: 182 (without area code) (ecrm.police.go.kr)

Article 11 Amendment of Privacy Policy

This Privacy Policy will be applied from 1st February 2026. Previous privacy policies can be found below.
In case there is any inconsistency or conflict between the Korean version and the English version of this Privacy Policy, the Korean version shall prevail.

See our previous Privacy Policy: Effective from 18^th September 2020 to 11^th July 2021 [Download]

See our previous Privacy Policy: Effective from 12^th July 2021 to 24^th October 2022 [Download]

See our previous Privacy Policy: Effective from 25^th October 2022 to 31^st March 2024 [Download]

See our previous Privacy Policy: Effective from 1^st April 2024 to 31^st January 2026 [Download]

PRIVACY POLICY