Integration Overview
This document was written by integrating the ZEP Core Privacy Policy (effective Nov 25, 2023) and the ZEP QUIZ Privacy Policy (effective Sep 24, 2024).
Key Changes
Category | ZEP | ZEP QUIZ | Integration |
Application Service | ZEP Service | ZEP QUIZ Service | Entire ZEP Service |
Collected Items | Includes Creator | Basic collected items | Includes Both |
Consignment of Processing | AWS, Toss Payments, Payple | AWS, Amplitude, Toss Payments | Includes Both |
Retention Period | Up to 5 years | Up to 5 years | Maintained |
The Company complies with relevant laws, such as the Personal Information Protection Act (Republic of Korea), the Family Educational Rights and Privacy Act (FERPA), the Children's Online Privacy Protection Act (COPPA), and other applicable federal, state, and international data protection laws, in processing Customers' personal information, and to prevent the misuse of Customers' valuable personal information, the Company has established and operates the following Privacy Policy to clarify the purpose, method, and scope of collecting and using Customers' personal information. This Privacy Policy may be subject to change due to amendments in applicable laws and guidelines or changes in the Company's internal policies.
① The Company collects and processes the following personal information to provide the Service, and the collected personal information will not be used for any purposes other than the stated purposes of use.
Account Registration and Management
General Account Registration
Required Items: Email address (Account ID)
Account Registration and Management via Social Media Account Linkage
Google: (Required Item) Email address
Settlement-related Information (Limited to Creator Customers)
Individual Customers
Required Items: Name (Real name), Nationality, Account number (Bank name, Account number, Account holder name), Mobile phone number, Tax identification number (SSN, ITIN, or EIN as applicable), Email address (Account ID), PayPal information (PayPal email address, PayPal profile image)
Individual/Corporate Business Customers
Required Items: Corporate name, Representative's name, Email address (Account ID), Contact person information (Name, Mobile phone number, Email address), Account information (Bank name, Account number, Account holder name), Tax identification number
Identity Verification-related Information (Limited to Creator Customers)
Name, Date of birth, Gender, Mobile phone number, Identity verification values
Information Automatically Generated and Collected During Service Use
IP address, Service usage records, Visit records, Date and time of account registration, Bad usage records, Portable device information (for Service usage pattern analysis and prevention of abnormal use)
Billing information (When using Paid Content/Services)
Service Introduction, Partnership Inquiries
Required Items: Name, Email, Mobile phone number
Contact Inquiries
Required Items: Email address, Inquiry details
Optional Item: Name
Marketing-related Information
Optional Item: Email address
Additional Information for Creator Customers
Additional personal information (Real name, Account information, Tax) may be collected for Creator activities and settlement.
② The Company collects personal information in the following ways:
Direct input by the Customer during the use of the website, Application, or Service.
Collection of generated information through automated collection and storage devices.
Receiving personal information through external companies or organizations partnered with the Company.
Collecting personal information through webpages, emails, phone calls, etc., during the consultation process via the customer service department.
③ For students under the age of 13 accessing the Service under Article 2 of the Terms of Service, the Company shall collect only the minimum personal information necessary to provide the educational service and shall not require the student to provide more personal information than is reasonably necessary. No Social Security numbers, financial information, or biometric data shall be collected from students.
① The Company may process the collected personal information for the following purposes. The personal information being processed will not be used for purposes other than the following, and if the purpose of use changes, we will take necessary measures in accordance with applicable laws, such as obtaining separate consent.
Website Account Registration and Customer Management
Confirming the intent to register, identifying and authenticating identity for Service provision, maintaining and managing account status, confirming duplicate registrations, managing bad users, detecting abnormal users and restricting use, fulfilling contracts, handling disputes, etc.
Use of Service
Handling complaints and providing other customer services, delivering notices, purchasing/selling Paid Goods and processing payments, confirming and paying settlement amounts, and processing taxes for settlement amounts.
Service Introduction and Partnerships
Consulting and responding to Service introduction and partnership inquiries.
Utilization for Marketing and Advertising
Providing event information, etc., and providing advertising information. This purpose shall not apply to Student PII or Education Records, which shall never be used for marketing or advertising purposes.
Other Uses According to Legal Requirements
Fulfilling obligations stipulated in laws and regulations.
① The Company retains and uses the personal information collected from the Customer while the Customer's status is maintained, and destroys it without delay when the Customer's status is lost or when the purpose of using the information is completely achieved even if the Customer's status is maintained. However, if the Company has the following basis for retention, it will store and use the personal information until the stated retention period.
Basis for Retention: For the purpose of resolving consumer complaints and disputes upon account termination, restricting re-registration, etc.
Retention Period: 30 days
Retained Items: Email, Access records, Usage records, Nickname
② Notwithstanding Paragraph 1, if there is a reason to retain personal information according to applicable laws, the Company will store personal information for a certain period specified in the provisions of applicable laws. The retention periods are as follows:
Records on display and advertisement: 6 months (Act on the Consumer Protection in Electronic Commerce, etc.)
Records on contracts or withdrawal of subscription, etc.: 5 years (Act on the Consumer Protection in Electronic Commerce, etc.)
Records on payment and supply of Goods, etc.: 5 years (Act on the Consumer Protection in Electronic Commerce, etc.)
Records on consumer complaints or dispute resolution: 3 years (Act on the Consumer Protection in Electronic Commerce, etc.)
Books and evidential documents for all transactions prescribed by tax laws: 5 years (Framework Act on National Taxes / U.S. Internal Revenue Code)
Records on electronic financial transactions: 5 years (Electronic Financial Transactions Act / U.S. Electronic Fund Transfer Act)
Records on Service use, such as access logs and access IP information: 3 months (Protection of Communications Secrets Act)
③ For inquiries regarding Service introduction and partnerships, personal information is retained for up to 3 years after responding to the inquiry. When a phone number is provided, personal information is retained for up to 5 years from the completion of any other paid usage period.
④ If a Customer requests to terminate their use, the corresponding account will be processed for withdrawal immediately. After withdrawal, re-registration as a new customer using the same email address is not possible.
⑤ Notwithstanding the foregoing retention periods, Student PII and Education Records shall be retained only for as long as necessary to fulfill the educational purpose of the Service. Upon termination of the educational service agreement or upon the school's or parent's request, the Company shall securely delete or de-identify student data within thirty (30) days. The 30-day post-withdrawal retention period in Paragraph 1 shall not apply to Student PII or Education Records unless required by the educational institution for legitimate educational purposes.
① The Company uses the Customer's personal information within the scope notified in Article 2 of this policy (Purpose of Collection and Use of Personal Information), and provides personal information to the minimum extent necessary with the Customer's consent for smooth Service provision in the following cases.
② If the Company provides personal information to a third party not specified in the Privacy Policy and Terms and Conditions, we will notify or inform the Customer in advance to seek consent. However, in the following cases, personal information may be provided to a third party exceptionally without the Customer's consent:
When there are special provisions in the law or when it is unavoidable to comply with legal obligations (including cases where investigative agencies and supervisory authorities request the provision of personal information for investigation purposes according to procedures and methods prescribed by applicable laws).
When necessary for statistics, academic research, or market research, provided that it is supplied in a form that cannot identify individuals.
Business transfer, corporate acquisition or merger, etc. (However, if a reason for business transfer, etc., occurs and the transfer of the Customer's personal information is required, the Company will notify in advance according to the procedures and methods prescribed by applicable laws and grant the Customer the right to withdraw consent regarding the transfer of personal information.)
③ Customers may choose not to consent to the provision of personal information to third parties, and may withdraw their consent to third-party provision at any time. Even if you refuse to consent, you can use Services other than those based on third-party provision, but the use/provision of related Services based on third-party provision may be restricted. Other changes regarding the provision of personal information to third parties will be announced through separate notifications.
④ Student PII and Education Records shall never be sold, rented, or traded to any third party. Disclosure to third-party service providers is permitted only when strictly necessary for providing the contracted educational service and only under binding data protection agreements that prohibit redisclosure and commercial use.
① To improve the Service, the Company consigns the processing of Customers' personal information to perform some of the essential tasks required for Service provision, as detailed in Paragraph 2 of this Article, and stipulates necessary matters in the consignment contract to ensure that personal information is safely managed in accordance with applicable laws. In addition, the information shared is limited to the minimum information necessary to achieve the respective purpose.
② The consignees and details of the consigned tasks are as follows:
Consignee: Amazon Web Service Inc.
Details of Consigned Task: Operation and management of cloud servers storing personal information
Consignee: Amplitude, Inc.
Details of Consigned Task: Usage log management and analysis
Consignee: Google LLC (Google Analytics)
Details of Consigned Task: Usage log management, analytics, and conversion tracking.
Note: Student PII and Education Records are excluded from Google Analytics and Google Ads tracking unless the educational institution has provided prior written consent. When student data is processed through analytics services, it is limited to de-identified or aggregated usage metrics only.
Consignee: NAVER Z Corporation
Details of Consigned Task: Usage log management and analysis
Consignee: Toss Payments Co., Ltd.
Details of Consigned Task: Provision of payment and settlement services
Consignee: Payple Co., Ltd.
Details of Consigned Task: Provision of payment and settlement services
Consignee: Channel Corporation
Details of Consigned Task: Operation and management of customer consultation systems
③ If the contents of the consigned tasks or the consignees change, the Company will disclose it through this Privacy Policy.
④ All consignees processing Student PII or Education Records are contractually bound to use such data solely for the purpose of providing the agreed-upon services, to implement appropriate security safeguards, and to return or delete the data upon termination of the consignment agreement.
① In principle, the Company destroys the Customer's personal information without delay once the purpose of collecting and using the personal information has been achieved. The Company's procedure and method for destroying personal information are as follows:
Information entered by the Customer for account registration, etc., is transferred to a separate DB (or a separate filing cabinet in the case of paper) after the purpose is achieved, and is destroyed after being stored for a certain period according to internal policies and other reasons for information protection under applicable laws (refer to Article 3 Retention and Use Period). Personal information is not used for any other purpose other than retention unless required by law.
Personal information printed on paper is destroyed by shredding with a shredder. Personal information stored in the form of electronic files is deleted using technical methods that cannot reproduce the records.
For Student PII and Education Records, the Company shall use NIST 800-88 compliant methods (or equivalent industry-standard secure deletion methods) to ensure that data is irrecoverably destroyed.
① Customers and their legal representatives may exercise the following rights related to personal information protection against the Company at any time. However, if the Customer's personal information is linked with external platforms such as Google, you must view or modify your personal information according to the methods provided by those platform operators.
Request to view personal information
Request for correction in case of errors, etc.
Request for deletion
Request to suspend processing
② The exercise of rights under Paragraph 1 can be made to the Company via email, etc., and you can contact the Chief Privacy Officer and the responsible department (hello@zep.us). The Company will take necessary measures without delay upon the Customer's request.
③ If a Customer requests the correction or deletion of personal information errors, the Company will not use or provide the personal information to third parties until the correction or deletion is completed.
④ The exercise of rights under Paragraph 1 can be done through a representative, such as the Customer's legal representative or a delegated person. For Customers in the Republic of Korea, a power of attorney in accordance with Form No. 11 of the Enforcement Rule of the Personal Information Protection Act must be submitted.
⑤ For U.S. parents and eligible students exercising rights under FERPA, or for U.S. school administrators acting on behalf of the educational institution, the submission of Form No. 11 is not required. The Company will verify identity through reasonable alternative means (such as school-issued email verification or institutional letterhead) and process requests in accordance with FERPA timelines (within 45 days).
⑥ Customers must not infringe on their own or others' personal information and privacy being processed by the Company in violation of applicable laws such as the Personal Information Protection Act.
① The Company installs and operates devices that automatically collect personal information, such as 'cookies' (connection information files) that frequently store and retrieve Customer information to provide personalized and customized services. A cookie is a very small text file sent by the server used to operate the Application to the Customer's Device and is stored in the Customer's Device storage. Later, when the Customer uses the Application, the server reads the contents of the cookie stored in the Customer's Device to maintain the Customer's preferences.
② The Company may use cookies, etc., for the following purposes:
To understand site visit and usage patterns to provide an optimized user environment for the Customer.
③ Customers have the option to install cookies. Therefore, Customers can allow all cookies, check each time a cookie is saved, or refuse to save all cookies from their Device settings or options.
④ However, if the Customer refuses to save all cookies, there may be restrictions on providing certain customized services or use may be impossible.
⑤ For students under the age of 13, the Company shall not use cookies or similar tracking technologies for purposes beyond what is strictly necessary for providing the educational service. No behavioral tracking, advertising cookies, or third-party analytics cookies shall be placed on devices used by students under 13 without verifiable parental consent.
① The Company implements the following technical/administrative measures to ensure safety so that personal information is not lost, stolen, leaked, altered, or damaged in processing Customers' personal information.
Password Encryption
The Customer's password is encrypted, stored, and managed. Therefore, even if the Customer forgets their password, it is impossible to verify the password, and we adopt a method of issuing a new password after a designated identity verification procedure.
Enhancement of Network Security
The Company takes various technical measures to prevent Customers' personal information from being leaked through abnormal network access, such as hacking and computer viruses, and conducts constant monitoring of network access. We use secure encrypted communication methods for communication between Company servers and databases, and we strive to equip all possible technical devices to systematically ensure security.
Minimization and Training of Staff Processing Personal Information
The Company's staff handling personal information is limited to the personnel in charge, and separate passwords are assigned for this purpose and updated regularly, and we constantly emphasize compliance with the Privacy Policy through frequent training for the personnel in charge.
Upon hiring, we prevent information leakage by humans in advance through a security pledge from the personal information handler, and we have established internal procedures to audit the implementation of the Privacy Policy and employee compliance.
The handover of tasks for personal information handlers is carried out thoroughly while security is maintained, and responsibilities for personal information accidents after hiring and resignation are clarified.
Access and Storage Control
Areas where personal information is processed and stored are set as security zones and controlled so that only authorized persons can enter, and tangible materials and electronic records containing personal information are stored in locations with locking devices or computers with separate access permissions.
Operation of a Dedicated Personal Information Protection Organization
Through an internal dedicated personal information protection organization, we check the implementation of the Privacy Policy and compliance by the personnel in charge, and strive to immediately correct and rectify any issues discovered.
② Customers have an obligation to protect themselves and not infringe on the information of others. Please be careful not to leak your personal information, including passwords, and be careful not to damage other people's personal information and posts. The Company is not responsible for personal information problems caused by the Customer's negligence, unless such problems arise due to the Company's gross negligence or willful misconduct.
① The Company is doing its best to provide the best service by safely using personal information. The Chief Privacy Officer is responsible for any accidents that occur contrary to the matters notified above regarding the protection of personal information. However, despite technical supplementary measures, we are not responsible whatsoever for information damage caused by unexpected accidents arising from basic network risks such as hacking, and various disputes regarding posts written by visitors.
② Customers may contact the designated officer below to deliver their opinions or complaints regarding the Company's Privacy Policy. The officer below will do their best to collect Customers' opinions and handle complaints.
Chief Privacy Officer
Name: Shangyup Kim
Position: CEO
Email Address: hello@zep.us
③ You may report any privacy-related civil complaints arising from using the Company's Services to the Chief Privacy Officer or the customer service department (hello@zep.us). The Company will quickly provide sufficient answers to Customers' reports.
④ If you need to report or consult about other personal information infringements, please contact the agencies below.
[In the case of the Republic of Korea]
Personal Information Infringement Report Center (privacy.kisa.or.kr / (without exchange number) 118)
Personal Information Dispute Mediation Committee (www.kopico.go.kr / (without exchange number) 1833-6972)
Supreme Prosecutors' Office (www.spo.go.kr / (without exchange number) 1301)
National Police Agency (ecrm.police.go.kr / (without exchange number) 182)
[In the case of the United States]
Federal Trade Commission (FTC) — ftc.gov/complaint / 1-877-FTC-HELP (1-877-382-4357)
U.S. Department of Education, Student Privacy Policy Office — studentprivacy.ed.gov / (202) 260-3887
State Attorneys General — Contact the Attorney General's office of your state of residence
[In the case of other countries]
Country | URL | Country | URL |
EU | www.edps.europa.eu/EDPSweb | Greece | www.dpa.gr |
Austria | www.dsb.gv.at | Hungary | www.naih.hu |
Belgium | www.privacycommission.be | Italy | www.garanteprivacy.it |
Bulgaria | www.cpdp.bg | Latvia | www.dvi.gov.lv |
Croatia | www.azop.hr | Lithuania | www.ada.lt |
Cyprus | www.dataprotection.gov.cy | Luxembourg | www.cnpd.lu |
Czech Rep. | www.uoou.cz | Malta | www.dataprotection.gov.mt |
Denmark | www.datatilsynet.dk | Netherlands | www.autoriteipersoonsgegevens.nl |
Estonia | www.aki.ee | Poland | www.giodo.gov.pl |
Finland | www.tietosuoja.fi | Portugal | www.cnpd.pt |
France | www.cnil.fr | Romania | www.dataprotection.ro |
Germany | www.bfdi.bund.de | Slovakia | www.dataprotection.gov.sk |
Ireland | www.dataprotection.ie |
The Company has established a channel to raise opinions and complaints regarding personal information protection. If you have any complaints regarding personal information, please give your opinion to the Company's Chief Privacy Officer, and we will take immediate action upon receipt and notify you of the processing results.
① Chief Privacy Officer Email Address: hello@zep.us
The Company's Privacy Policy may be subject to change due to amendments in applicable laws and regulations and the Company's internal policies, and in such cases, the Company will notify Customers of the changes on the Service platform or in a manner that Customers can verify within the Service.
① When the Service is used by U.S. educational agencies, institutions, or their students under the direction of a school, the Company acknowledges that it processes "education records" and "personally identifiable information" (PII) subject to the Family Educational Rights and Privacy Act (FERPA) and the Children's Online Privacy Protection Act (COPPA). In the event of a conflict between this Article and the rest of the Privacy Policy, this Article shall govern regarding educational data.
② Notwithstanding Article 2, the Company will never use student PII or education records for targeted advertising, behavioral marketing, or profiling purposes.
③ Notwithstanding Article 5, the Company shall not redisclose student PII to third-party sub-processors or analytics providers (e.g., Amplitude) for non-essential commercial analysis without the prior written consent of the parent, eligible student, or authorizing school. Any third-party service provider utilized for core educational service delivery is bound by the same strict data protection and redisclosure limitations.
④ Notwithstanding the commercial retention periods in Article 3, the Company retains student PII only for as long as necessary to fulfill the educational purpose of the Service. Upon termination of the educational contract or upon the school's request, the Company will securely delete or de-identify student data.
⑤ In accordance with FERPA and COPPA, the Company provides schools and parents with a reasonable method to review, amend, and delete student data. The strict legal requirement to submit a power of attorney (Form No. 11) in Article 7 does not apply to authorized U.S. parents or school administrators requesting access to student records. The Company will comply with school-authorized requests to inspect education records within a reasonable period, but in no case more than forty-five (45) days after the request has been received.
⑥ The Company shall provide annual notice to educational institution customers regarding the types of student data collected, the purposes of processing, and any changes to data handling practices. Schools retain the right to audit the Company's compliance with these provisions upon reasonable written notice.
⑦ In the event of a data breach involving Student PII or Education Records, the Company shall notify affected educational institutions within forty-eight (48) hours of confirming the breach and shall cooperate fully with the institution's incident response and parent notification obligations under FERPA and applicable state breach notification laws.
This Privacy Policy will be applied starting from March 30, 2026.