THE BLACK LABEL Inc. (the “Company”) hereby establishes and implements this Privacy Policy in accordance with the Personal Information Protection Act of the Republic of Korea (the “PIPA”) to protect the rights of data subjects using the Company’s online store (the “Store”). This Privacy Policy shall be made readily accessible at all times in the Store, enabling the user of the Store (the “User”) to understand how their personal information is processed by the Company, as well as the protective measures the Company has established to secure such information.

Purposes of Processing Personal Information
Items of Personal Information and Retention Periods
Personal Information of Children Under Age 16
Provision of Personal Information to Third Parties
Entrustment of Personal Information Processing
Installation, Operation, and Refusal of Automatic Personal Information Collection Devices
Destruction of Personal Information
Rights of User
Security Measures for Personal Information
Personal Information Protection Officer
Remedies for Infringement of Rights and Interests
Amendment to Privacy Policy

Article 1. Purposes of Processing Personal Information

The Company processes the User’s personal information for the following purposes. The Company does not process personal information for any purposes other than those specified herein. In the event of any changes to the purposes of processing, the Company shall take all necessary measures, including obtaining separate prior consent from the User.

Membership Registration and Management

To verify the intent of membership registration or withdrawal, to manage and maintain membership eligibility, to prevent unauthorized access to services, and to issue notices.

Provision of Purchase Services

To verify the User’s identity, to accept purchase orders, to enter into sales agreements, to process payments, and to deliver goods or services (collectively, the “Products”).

Return of Goods and Refund of Payments

To accept requests for return of goods and refund of payments, to process the return of goods, and to refund payments.

Complaint Resolution and Service Improvement

To address complaints, including acknowledging and resolving the complaints, and communicating the outcome to the complainant, to establish plans for service improvement, and to maintain records related to dispute resolution.

Article 2. Items of Personal Information and Retention Periods

The items of personal information processed by the Company, as well as the corresponding retention and usage periods are as follows:

Purpose of Processing	Item of Personal Information	Retention and Usage Period
Membership Registration and Management	Name, date of birth, gender, nationality, email address (ID), and password	Until the User withdraws from membership (provided that personal information required to be retained under applicable laws or regulations shall be retained until the later of: (i) the expiration of the statutory retention period; or (ii) the date of membership withdrawal)
Provision of Purchase Services	Identity verification information (name, date of birth, mobile telephone number, mobile carrier information, CI, DI), buyer information (name, address, mobile telephone number, email address, date of birth (only when purchasing membership service vouchers)), recipient information (name, address, mobile telephone number, email address), and payment information (credit card or debit/check card information, bank account information (bank name, account number, account holder))	Until the User withdraws from membership (provided that personal information required to be retained under applicable laws or regulations shall be retained until the later of: (i) the expiration of the statutory retention period; or (ii) the date of membership withdrawal)
Return of Goods and Refund of Payments	Buyer information (name, address, mobile telephone number, email address, date of birth (only when purchasing membership service vouchers)), recipient information (name, address, mobile telephone number, email address), and payment information (credit card or debit/check card information, bank account information (bank name, account number, account holder))	Until the User withdraws from membership (provided that personal information required to be retained under applicable laws or regulations shall be retained until the later of: (i) the expiration of the statutory retention period; or (ii) the date of membership withdrawal)
Complaint Resolution and Service Improvement	Name, mobile telephone number, country code, email address, and access and activity log information (including IP information, computer and mobile device information, log history, history of service usage and payment, and history of change in User information)	Until the User withdraws from membership (provided that personal information required to be retained under applicable laws or regulations shall be retained until the later of: (i) the expiration of the statutory retention period; or (ii) the date of membership withdrawal)

The items of personal information that the Company is obligated to retain under applicable laws and regulations, along with the respective retention periods, are as follows:

Item of Personal Information	Legal Basis for Retention	Retention Period
Access IP information, access and activity log history	Article 15-2 of the Protection of Communication Secrets Act of the Republic of Korea	Three (3) months from the date of creation of the information
Records of agreements, records of exercising the consumer right of revocation	Article 6 of the Act on the Consumer Protection in Electronic Commerce of the Republic of Korea	Five (5) years from the date of creation of the information
Records of payments and provision of goods/services		Five (5) years from the date of creation of the information
Records of resolving consumer complaints or dispute		Three (3) years from the date of creation of the information
Books and records of all transactions, as required by applicable tax laws	Article 85-3 of the Framework Act on National Taxes of the Republic of Korea and Article 144 of the Framework Act on Local Taxes of the Republic of Korea	The periods specified in Article 85-3 of the Framework Act on National Taxes of the Republic of Korea and Article 144 of the Framework Act on Local Taxes of the Republic of Korea

Article 3. Personal Information of Children Under Age 16

The Company does not process personal information of children under the age of sixteen (16).
In the event that the Company becomes aware that it has inadvertently processed personal information of children under the age of sixteen (16), it shall promptly destroy such personal information and notify the children or their legal representatives thereof.

Article 4. Provision of Personal Information to Third Parties

The Company does not provide the User’s personal information to any third party, except under the following circumstances:

(i) The User has provided prior consent;

(ii) The Company is obligated to provide the personal information of the User to third parties pursuant to applicable laws or regulations;

(iii) It is deemed necessary by the Company to protect the User from imminent danger to their life or safety; or

(iv) Any of the circumstances set forth in Article 17, Paragraph 1 or Article 18, Paragraph 2 of the PIPA.

Article 5. Entrustment of Personal Information Processing

The Company entrusts the processing of personal information to the following trustees to facilitate efficient processing and improve service quality.

Trustee	Entrusted Work
Cafe 24 Co., Ltd.	Operation of IT system, identity verification, customer service
GenesisNest Corp.	Establishment, maintenance, and management of IT system
SmileShark Co., Ltd.	Establishment, maintenance, and management of AWS server system
Fastbox Corp.	Storage, delivery and return of goods
NHNKCP Co., Ltd.	Payment
Eximbay Co., Ltd.	Payment
UBASE Inc.	Customer service

In the event that the Company enters into an entrustment agreement with a trustee, the Company specifies the following in such agreement or similar documents: (i) the prohibition on processing personal information for purposes other than the performance of the entrusted work; (ii) the technical and administrative measures to be implemented for the protection of personal information; (iii) restrictions on re-entrustment; (iv) the monitoring and supervision of the trustee; (v) the trustee’s liability for damages; and (vi) any other matters prescribed in Article 26, Paragraph 1 of the PIPA. The Company supervises the trustee to ensure the secure processing of personal information.
In the event that the trustee re-entrusts the processing of entrusted personal information to a third party, the trustee obtains the Company’s prior consent in accordance with Article 26, Paragraph 6 of the PIPA.
The Company shall promptly disclose any additions or changes to the trustee or the entrusted work in this Privacy Policy.

Article 6. Installation, Operation, and Refusal of Automatic Personal Information Collection Device

The Company uses “cookies” to store and retrieve the User’s information to provide personalized services and enhance User convenience. Cookies are small pieces of information sent by the server operating the website/mobile website to the User’s browser, which are then stored on the User’s computer or mobile device.
The User may adjust cookie settings on their website/mobile website browser to allow or block cookies. However, if cookies are disabled, personalized services may not be available.

Chrome: Browser Settings > Privacy and Security > Clear Browsing Data

Edge: Browser Settings > Cookies and Site Permissions > Manage and Delete Cookies and Site Data

Chrome: Mobile Browser Settings > Privacy and Security > Clear Browsing Data

Safari: Mobile Device Settings > Safari > Advanced > Block All Cookies

Samsung Internet: Mobile Browser Settings > Clear Browsing History > Delete Browsing Data

Article 7. Destruction of Personal Information

The Company shall promptly destroy personal information when it is no longer necessary, including when the retention period has expired, or the purposes of processing have been accomplished.

The procedures and methods for the destruction of personal information are as follows:

- Destruction Procedure: The Company selects personal information subject to destruction and proceeds with destruction after obtaining approval from the Personal Information Protection Officer.

- Destruction Method: Personal information in electronic form is destroyed using technical methods that render it irretrievable. Personal information in physical form is destroyed by shredding or incineration.

In the event that the Company is required to retain personal information pursuant to applicable laws or regulations, even after the expiration of the retention period consented to by the User or the accomplishment of the processing purposes, the Company transfers such personal information to a separate database (DB) or stores it in a different location.

Article 8. Rights of User

The User may exercise their rights stipulated under applicable laws or regulations, including the right to request inspection, modification, deletion, or cessation of processing of their personal information, as well as the right to withdraw consent, at any time via written notice, email, fax, or other methods.
The User may exercise the above rights through their authorized representative, in which case the power of attorney must be submitted to the Company.
The User’s request for inspection of, and cessation of processing of personal information may be restricted or denied in accordance with Article 35, Paragraph 4 and Article 37, Paragraph 2 of the PIPA.
The User may not exercise the right to request deletion of their personal information to the extent that the Company is required to retain such information pursuant to applicable laws or regulations.
The Company verifies whether the User’s rights are exercised by the User themselves or their authorized representative.

Article 9. Security Measures for Personal Information

In accordance with Article 29 of the PIPA, the Company implements the following technical, administrative, and physical measures to ensure the secure processing of personal information:

Technical Measures

- The User’s personal information is protected by password and encryption, and separate security protocols, including encryption of files and data transmissions, are implemented to safeguard important data.

- The Company implements protective measures, including the use of antivirus programs and software that are regularly updated, to prevent damage from computer viruses.

- The Company implements an intrusion detection and firewall system, which are monitored and managed twenty-four (24) hours a day, to prevent the leakage or damage of the User’s personal information caused by hacking, viruses, and other cyber threats.

Administrative Measures

- The Company implements an internal management plan to ensure the secure processing of the User’s personal information.

- The Company grants access to the User’s personal information only to a minimum number of authorized personnel.

- The Company conducts regular training sessions for officers and employees who process the User’s personal information to ensure they are up to date with security technologies and legal obligations regarding data protection of personal information.

- All officers and employees processing the User’s personal information are required to submit security pledges. The Company has established internal procedures to prevent information leakage and to monitor compliance with this Privacy Policy.

- The transfer of responsibilities among officers and employees processing the User’s personal information is conducted under secure conditions. The Company clearly defines accountability for any personal information breaches that occur during the onboarding and offboarding of its staff.

Physical Measures

- The User’s personal information is stored separately from other data.

- The Company has designated specific areas as data centers or data storage rooms and restricts access to such areas.

Article 10. Personal Information Protection Officer

The Company designates the following individual as its Personal Information Protection Officer, responsible for supervising the processing of personal information, addressing User complaints, and providing remedies. The User may contact either the Personal Information Protection Officer or the Personal Information Protection Manager regarding any matters related to the processing of their personal information that may arise while using the Store.

Classification	Name	Position / Department	Email Address	Telephone Number
Personal Information Protection Officer	Kyung-In Jung	CEO	contact@theblacklabel.com	+82 1551-0391
Personal Information Protection Manager	Chang-Hoon Lee	Director / Business Strategy Development	contact@theblacklabel.com	+82 1551-0391

Article 11. Remedies for Infringement of Rights and Interests

If the User is not satisfied with the Company’s response to a complaint or remedy, or if a dispute arises between the Company and the User, the User may contact the following institutions in the Republic of Korea to seek assistance.

Institution	Website	Telephone Number (only available in the Republic of Korea)
Personal Information Infringement Report Center	https://privacy.kisa.or.kr	118
Personal Information Dispute Mediation Committee	https://www.kopico.go.kr	1833-6972
Cybercrime Investigation Division of the Supreme Prosecutors’ Office	https://www.spo.go.kr	1301
Cyber Security Division of the National Policy Agency	https://cyber.go.kr	182

Article 12. Amendment to Privacy Policy

This Privacy Policy shall take effect as of January 1, 2026.
If any amendments are made to this Privacy Policy, the Company shall disclose the amendment history in an appropriate manner.