Privacy Policy

Effective Date: May 5, 2026

Flat (hereinafter "Company") establishes and discloses the following Privacy Policy pursuant to applicable personal information protection laws, in order to protect the personal information of users and to handle related inquiries promptly.

Article 1 (Purpose of Processing Personal Information)

The Company processes personal information for the following purposes only. If the purpose of processing changes, the Company will take necessary measures, including obtaining separate consent.

1. Website Membership Registration and Management
   Confirming intent to register, identifying and authenticating members, maintaining membership, preventing misuse, sending notices, and handling complaints.
2. Provision of Goods or Services
   Providing software sales and download services, issuing and emailing license keys, managing purchase history, identity verification, and processing payments.
3. Handling Complaints
   Verifying identity of complainants, confirming complaint details, contacting for fact-finding, and notifying of processing results.

Article 2 (Retention and Processing Period)

① The Company processes and retains personal information within the period stipulated by law or agreed upon when collecting personal information.

② Retention periods by category:

1. Membership registration and management: Until withdrawal from the website
   Exceptions:

   - Ongoing investigation due to legal violations: until investigation is completed

   - Outstanding creditor-debtor relationship from website use: until settlement

2. Provision of goods or services: Until supply is complete and payment is settled
   Exceptions under applicable consumer protection laws:

   - Display/advertising records: 6 months

   - Contract, withdrawal, payment, and supply records: 5 years

   - Consumer complaint or dispute records: 3 years

   - Internet log records and connection tracking data: 3 months

Article 3 (Provision to Third Parties)

① The Company processes personal information only within the scope specified in Article 1 and provides it to third parties only with the consent of the data subject or as required by law.

② Currently, the Company does not provide personal information to third parties.

Article 4 (Delegation of Processing)

① The Company delegates personal information processing as follows:

② The Company specifies in contracts matters including prohibition of processing beyond delegated work, protective measures, and liability, and supervises trustees.

③ Changes to delegated work or trustees will be promptly disclosed through this Privacy Policy.

Article 5 (Rights of Data Subjects)

① Data subjects may exercise the following rights at any time:

1. Request for access to personal information
2. Request for correction of errors
3. Request for deletion
4. Request for suspension of processing

② Rights may be exercised via written request, phone, or email; the Company will respond promptly.

③ The Company will not use or provide personal information under correction or deletion review until the process is complete.

④ Rights may be exercised through a legal representative or authorized agent, with a power of attorney.

⑤ Data subjects must not infringe on the personal information or privacy of others.

Article 6 (Items of Personal Information Processed)

The Company processes the following personal information:

1. Membership registration and management

   - Required: Name, email address, password (encrypted)

   - Optional: Phone number, country

2. Provision of goods or services (software purchase and license issuance)

   - Required: Name, email address, purchased product information, payment information (card numbers are processed directly by KG Inicis and Eximbay; the Company does not retain them)

   - Issued: License key, download link (sent by email)

   - Optional: None

3. Automatically collected

   - IP address, cookies, service usage records, visit records, browser type and OS information

Article 7 (Destruction of Personal Information)

① The Company destroys personal information without delay when it becomes unnecessary.

② If retention is required by law despite the expiry of the agreed period, the information is moved to a separate database or stored separately.

③ Destruction procedures:

1. Procedure
   The Company selects personal information to be destroyed and destroys it with the approval of the Personal Information Protection Officer.
2. Method
   Electronic files are destroyed so records cannot be reproduced. Paper documents are shredded or incinerated.

Article 8 (Safety Measures)

The Company takes the following measures to ensure the safety of personal information:

Article 9 (Cookies)

① The Company uses cookies to store and retrieve usage information to provide personalized services.

② Cookies are small pieces of information sent by the website server to the user's browser and stored on the user's device.

③ Users can manage cookie settings through their browser options. Blocking cookies may affect the quality of personalized services.

Article 10 (Personal Information Protection Officer)

① The Company designates a Personal Information Protection Officer as follows:

② Data subjects may direct all inquiries and complaints to the above officer or department. The Company will respond promptly.

Article 11 (Access Request)

Data subjects may submit access requests to the following department. The Company will process requests promptly.

Article 12 (Remedies for Rights Violations)

Data subjects may contact the following agencies for damage relief and consultation (Korean authorities):

Article 13 (Implementation and Changes)

This Privacy Policy is effective from May 5, 2026.