Privacy Policy

1. Upon Registration (Social Login) Kakao Login - Required: Kakao account identifier (ID), nickname, profile photo URL - Optional: Email address LINE Login - Required: LINE account identifier (sub), display name, profile photo URL - Optional: Email address WeChat Login - Required: WeChat account identifier (unionid/openid), nickname, profile photo URL If a user refuses to consent to the collection of required items, registration will be restricted. Refusing to consent to optional items will not restrict use of the service. 2. Automatically Collected During Service Use - IP address, access date/time: Ensuring service stability, preventing unauthorized use - Device information (User-Agent, screen resolution, language setting, timezone, hardware info): Non-member identification (duplicate prevention), service optimization - Cookies (authentication status, language setting): Maintaining login sessions, providing language preferences - Service usage records (search terms, viewed pages, click data): Service improvement, personalized content, statistical analysis - Error and performance data (error logs, HTTP request info, session replay data): Ensuring service stability, error diagnosis - Service analytics data (page views, click events, search events, login events): Service improvement, usage statistics analysis - Ad conversion data (page views, search events, conversion events): Ad performance analysis (with separate consent) - AI service usage (token usage, request count): Usage management, preventing unauthorized use 3. Additional Collection by Service - Clinic ratings: Rating content (satisfaction, consultation satisfaction, hidden cost), rated clinic name - AI consultation (JISOO Chat): Conversation content, uploaded photos - Surveys: Survey response content - Handoff (consultation referral): Contact info (KakaoTalk/LINE/WeChat/email ID), name (optional), referred clinic name, inquiry content, IP address - Clinic reports: Report content, procedure name, reporter IP address - AI consultation image upload: Photos taken or selected (up to 3), stored on Google Cloud Storage 4. Collection Methods - Collected via the respective platform API during social login integration - Automatically generated/collected during service use (cookies, access logs, etc.) - Directly entered by users (ratings, chat, survey participation, etc.) - Automatically collected through the error monitoring system (Sentry) - Automatically collected through web analytics (Google Analytics) - Automatically collected through ad tracking (Meta Pixel) (with separate consent)

1. Member management: Providing membership services, identity verification, preventing unauthorized use, maintaining records for dispute resolution 2. Service provision: Providing services including price comparison, procedure information, AI consultation, clinic ratings, charts, fact-checking, consultation referral (connecting with human consultants), and information verification request handling 3. Service improvement and development: Usage statistics analysis, AI model training and quality improvement, user behavior analysis, development of new services, personalized content provision 4. Secure service environment: Detecting and preventing unauthorized use, ensuring system stability, addressing terms of service violations 5. Marketing and advertising: Delivering event/promotion information, providing personalized advertising (only with separate consent) 6. Service stability: Error monitoring, performance tracking, service incident diagnosis and prevention, usage management

The Company retains users' personal information until the purpose of collection and use has been fulfilled. 1. Retention Periods Under Company Internal Policy - Registration information: Until account deletion - AI consultation conversation data: 3 years from the last conversation date - Clinic rating data: Retained during service operation period. IP addresses are stored for 3 months from collection for unauthorized use prevention and then destroyed. Rating content is de-identified and permanently retained for statistical purposes. - Survey response data: 3 years from collection date - Consultation referral request information: 1 year from request date (IP address destroyed after 3 months) - Clinic report data: 3 years from report date (IP address destroyed after 3 months) - Error monitoring data: 90 days from collection date (Sentry retention period) - Service analytics data: 14 months from collection date (Google Analytics retention period) - Ad conversion data: Per Meta advertising policies - AI consultation uploaded images: 3 years from last conversation date (same as conversation data) - AI quality monitoring data: 14 days from collection date (auto-deleted by LangSmith) - Service usage records (searches, views): 1 year from collection date 2. Retention Periods Under Applicable Laws - Records of contracts or withdrawal of subscription: 5 years (Act on the Consumer Protection in Electronic Commerce) - Records of consumer complaints or dispute resolution: 3 years (Act on the Consumer Protection in Electronic Commerce) - Records of access (logs): 3 months (Protection of Communications Secrets Act) - Records of display/advertising: 6 months (Act on the Consumer Protection in Electronic Commerce) * Upon account deletion, personal information is immediately destroyed. Information required to be retained by law is stored separately and destroyed after the applicable retention period expires.

The Company does not, in principle, provide users' personal information to third parties. However, the following cases are exceptions: 1. When the user has given prior consent 2. When required by law or requested by investigative authorities in accordance with applicable laws 3. When necessary for the performance of a contract for service provision [Third-Party Provision During Social Login Authentication] During the registration/login process, authentication information is transmitted to social platforms. - Kakao: Authentication request information -> Kakao social login authentication -> Immediately destroyed upon authentication completion - LINE Corporation: Authentication request information -> LINE social login authentication -> Immediately destroyed upon authentication completion - Tencent (WeChat): Authentication request information -> WeChat social login authentication -> Immediately destroyed upon authentication completion

The Company outsources personal information processing as follows for service provision: - Trustee: Google Cloud Platform (Google LLC) Outsourced tasks: Cloud server operation, database hosting, authentication services (Firebase) Retention period: Until termination of outsourcing contract or fulfillment of purpose - Trustee: Functional Software, Inc. (Sentry) Outsourced tasks: Error monitoring, performance tracking, service incident diagnosis through session replay Retention period: 90 days from collection date - Trustee: Google LLC (Google Analytics) Outsourced tasks: Service usage statistics analysis, user behavior analysis Retention period: 14 months from collection date - Trustee: Meta Platforms, Inc. (Meta Pixel) Outsourced tasks: Ad performance analysis, conversion tracking Retention period: Per Meta advertising policies - Trustee: LangChain, Inc. (LangSmith) Outsourced tasks: AI service quality monitoring, LLM response tracking and analysis Retention period: 14 days from collection date - Trustee: SerpAPI Inc. Outsourced tasks: Clinic review data collection (Google Maps reviews) Retention period: Processed immediately upon collection, originals not retained In accordance with Article 26 of the Personal Information Protection Act, the Company specifies in outsourcing contracts prohibitions on processing personal information beyond the purpose of the outsourced work, security measures, restrictions on re-outsourcing, and management/supervision of the trustee, and supervises whether the trustee processes personal information safely.

1. The Company destroys personal information without delay when it becomes unnecessary due to expiration of the retention period, fulfillment of the processing purpose, or other reasons. 2. Destruction methods: - Electronic files: Permanently deleted using methods that prevent recovery - Paper documents: Shredded or incinerated 3. Personal information that must be retained under other laws despite expiration of the retention period is transferred to a separate database (DB) or stored in a different location.

1. Users (or their legal representatives) may exercise the following rights at any time: - Request to access personal information - Request correction of errors - Request deletion - Request to suspend processing 2. Rights may be exercised through in-service settings or by contacting the Chief Privacy Officer in writing or via email (contact@galddae.com). The Company will take action without delay (within 10 days at most). 3. If a user requests correction of errors in personal information, the Company will not use or provide such information until the correction is completed. 4. Rights may also be exercised through a legal representative or authorized agent. 5. However, the exercise of rights may be restricted in cases where the personal information is specified as a subject of collection under other laws, or where there is a risk of harm to the life or body of another person.

This article is based on Article 37-2 of the Personal Information Protection Act (Rights of Data Subjects Regarding Automated Decisions, effective March 13, 2025). 1. The Company may make decisions (including profiling) through automated systems in AI consultation (JISOO Chat), procedure recommendations, price analysis, and other services. 2. Users may exercise the following rights when an automated decision significantly affects their rights or obligations: - Right to refuse: Users may refuse the automated decision and request alternative processing. - Right to explanation: Users may request an explanation of the criteria and basis for the automated decision. 3. These rights may be exercised through in-service settings or by emailing contact@galddae.com. The Company will respond within 30 days of receiving the request. 4. However, if the AI service merely provides reference information and does not significantly affect the user's rights or obligations, the above rights to refuse and request explanation may not apply.

1. The Company may de-identify and pseudonymize users' conversation content, ratings, search records, and other data for use in AI training to improve service quality. 2. Information used for AI training: - Training data: AI consultation conversation content (de-identified), procedure search patterns, rating data (statistically processed) - Training purpose: Improving AI consultation response quality, improving procedure recommendation accuracy, developing new AI services - Training data retention: Retained until training purposes are fulfilled after de-identification 3. Users may request suspension of the use of their personal information for AI training. However, data that has already been de-identified or pseudonymized such that specific individuals cannot be identified is not subject to exclusion. 4. Suspension requests: contact@galddae.com 5. In accordance with Article 28-2 of the Personal Information Protection Act, the Company may process pseudonymized personal information for purposes of compiling statistics, scientific research, and preservation of records in the public interest. 6. For AI service quality management, the Company transmits portions of conversation content (up to 200 characters) and AI responses (up to 4,000 characters) to an external AI monitoring service (LangSmith) for analysis. Personally identifiable information is removed from the transmitted data, and the transmitted data is automatically deleted after 14 days.

In accordance with Article 15(3) and Article 17(4) of the Personal Information Protection Act, the Company may additionally use or provide personal information without the user's consent. In such cases, the following matters are considered: 1. Whether there is relevance to the original purpose of collection 2. Whether there is predictability of additional use or provision in light of the circumstances of collection or processing practices 3. Whether the user's interests are unfairly infringed 4. Whether necessary measures for ensuring safety, such as pseudonymization or encryption, have been taken

The Company uses the following cookies: [Essential Cookies] - oauth_state: CSRF prevention during social login (validity: 10 minutes) - auth_token: One-time login authentication processing (validity: 60 seconds) - auth_locale: Language/country information transfer during social login (validity: 1 minute) - admin_token: Administrator authentication maintenance (validity: 24 hours, admin only) [Functional Cookies] - preferred-locale: Language setting retention (validity: 1 year) [Analytics Cookies] - _ga, _ga_*: Google Analytics visitor identification (validity: 2 years) [Advertising Cookies] - _fbp: Meta Pixel visitor identification (validity: 90 days) Users may refuse the storage of cookies through browser settings; however, refusing essential cookies may restrict the use of certain services such as login. Users may separately opt out of analytics and advertising cookies; opting out may limit personalized analytics and advertising features.

1. The Company uses cookies, local storage (localStorage), session storage (sessionStorage), and other browser storage technologies to provide personalized services to users. 2. The following information is stored in local storage (localStorage): - jisoo_has_rated: Whether the user has submitted a rating (for unlocking full price comparison access) - jisoo_pending_rating: Rating linkage information (temporarily used during social login connection) - jisoo_cheered: Whether the user has participated in cheering - anonymous_uid: Non-member identifier (Firebase anonymous authentication ID) 3. The following information is stored in session storage (sessionStorage). Data in session storage is automatically deleted when the browser tab is closed. - Search filter state (for restoration when leaving the page) - Wiki filter state (for restoration when leaving the page) - Login attempt state (for analytics event integration) 4. The Firebase Authentication SDK automatically stores authentication tokens in the browser's IndexedDB. 5. Users may delete cookies and local storage through browser settings. - Chrome: Settings > Privacy and security > Cookies and other site data - Safari: Preferences > Privacy > Manage Website Data

The Company takes the following measures to ensure safety in accordance with Article 29 of the Personal Information Protection Act: 1. Administrative measures: Minimizing personnel handling personal information, conducting regular training, establishing and implementing internal management plans 2. Technical measures: Encryption of personal information (TLS/SSL for transmission, encryption for storage), access rights management, security program operation, retention of access logs 3. Physical measures: Utilizing the security environment of cloud servers (Google Cloud Platform asia-northeast3 region), access control

The Company does not collect personal information of children under 14 years of age and restricts registration by children under 14. If the Company becomes aware that personal information of a child under 14 has been collected, it will immediately destroy such information and delete the associated account.

The Company transfers personal information overseas as follows for service provision: Google LLC (United States) - Transferred items: Service usage data, authentication information, database stored data, AI consultation conversation content (Gemini API processing), service usage statistics (Google Analytics) - Transfer purpose: Cloud server operation, Firebase authentication, database hosting, AI consultation response generation (Gemini), service usage statistics analysis (Google Analytics) - Retention period: Until termination of outsourcing contract or fulfillment of purpose - Contact: privacy@google.com LINE Corporation (Japan) - Transferred items: LINE account identifier, authentication request information - Transfer purpose: LINE social login authentication - Retention period: Immediately destroyed upon authentication completion - Contact: dl_priv_response@linecorp.com Tencent (China) - Transferred items: WeChat account identifier, authentication request information - Transfer purpose: WeChat social login authentication - Retention period: Immediately destroyed upon authentication completion - Contact: Dataprivacy@tencent.com Functional Software, Inc. (United States) - Transferred items: Error logs, HTTP request information, browser information, session replay data - Transfer purpose: Service error monitoring and performance tracking - Retention period: 90 days from collection date - Contact: compliance@sentry.io Meta Platforms, Inc. (United States) - Transferred items: Page view data, search/conversion event data - Transfer purpose: Ad performance analysis, conversion tracking - Retention period: Per Meta advertising policies - Contact: https://www.facebook.com/help/contact/540977946302970 LangChain, Inc. (United States) - Transferred items: AI consultation conversation content (partial), model responses, tool call records - Transfer purpose: AI service quality monitoring and response quality analysis - Retention period: 14 days from collection date - Contact: privacy@langchain.dev SerpAPI Inc. (United States) - Transferred items: Clinic name, address (search queries) - Transfer purpose: Google Maps review data collection - Retention period: Processed immediately upon collection - Contact: support@serpapi.com Users may refuse consent to overseas transfer; in such cases, registration through the applicable social login may be restricted.

1. Data generated during non-member (anonymous) use, such as AI consultation conversations and ratings, will be automatically linked to the member account when the user registers through social login. 2. Data subject to linking: AI consultation conversation content, conversation threads, service usage records 3. After linking, the anonymous identifier is deleted, and the data is thereafter managed according to the member account's retention period.

[Chief Privacy Officer (CPO)] Name: Inho Jung Title: CEO Organization: PLAAD Inc. Email: contact@galddae.com [Privacy Grievance Handling Department] Department: PLAAD Inc. Email: contact@galddae.com

Users who need relief from or consultation regarding personal information infringement may contact the following organizations: - Personal Information Infringement Report Center (Korea Internet & Security Agency): 118 / privacy.kisa.or.kr - Personal Information Dispute Mediation Committee: 1833-6972 / kopico.go.kr - Supreme Prosecutors' Office Cyber Investigation Division: 1301 / spo.go.kr - National Police Agency Cyber Investigation Bureau: 182 / ecrm.police.go.kr

1. This Privacy Policy shall be effective from the effective date. 2. In the event of additions, deletions, or corrections to the content in accordance with laws or this policy, the Company will notify users through in-service announcements at least 7 days prior to the effective date of the changes. However, for significant changes affecting users' rights, notice will be given at least 30 days in advance. 3. Previous versions of the Privacy Policy will be retained and made available within the service.