The Korea Hydrogen Alliance (hereinafter referred to as the “Company”) complies with the Personal Information Protection Act, the Act on Promotion of Information and Communications Network Utilization and Information Protection (hereinafter referred to as the “Information and Communications Network Act”), and other relevant laws to protect the personal information of individuals (hereinafter referred to as “users” or “individuals”) who use the services provided by the Company (hereinafter referred to as the “Company’s services”). To swiftly and efficiently address any privacy-related complaints from users, the Company establishes the following privacy policy (hereinafter referred to as the “Policy”).

Article 1 (Purpose of Processing Personal Information)

The Company processes personal information for the following purposes. Personal information processed will not be used for any purpose other than those specified below, and in the event of a change in usage purposes, the Company will take necessary actions, such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.

1. Membership registration and management

Personal information is processed for the purposes of confirming membership intent, providing membership services, identifying and verifying the user, maintaining and managing membership, preventing fraudulent use of services, imposing sanctions (including acts that violate laws and company terms, and acts that interfere with the smooth operation of services), issuing notices and notifications, and resolving complaints.

2. Company service operations

Personal information is processed for purposes related to the operation of the Company’s services, such as identity verification and membership verification.

Article 2 (Processing and Retention Period of Personal Information)

1. The Company processes and retains personal information within the period agreed upon when collecting personal information from users or individuals.

2. Personal information related to membership registration and management and the operation of the Company’s services will be retained and used from the date of collection and consent until the user's withdrawal from membership. However, for the purpose of preventing fraudulent registration and use, personal information related to fraudulent use will be retained for one year after membership withdrawal according to the Company’s internal policy.

3. The Company retains and processes personal information as follows, in accordance with relevant laws:

1) Under the Consumer Protection Act in Electronic Commerce:

a. Records on contracts or withdrawal of offers: 5 years

b. Records on payment and supply of goods: 5 years

c. Records on consumer complaints or dispute resolution: 3 years

d. Records on displays and advertisements: 6 months

2) Under the Telecommunications Secrecy Protection Act:

a. Website log records: 3 months

b. Records on consumer complaints or dispute resolution: 3 years

3) Under the Electronic Financial Transactions Act:

a. Records on electronic financial transactions: 5 years

4) Under the Act on the Protection and Use of Location Information:

a. Records on personal location information: 6 months

Article 3 (Items of Personal Information Processed)

In accordance with the Personal Information Protection Act, the Company collects and uses the minimum necessary personal information for providing services to users as follows:

1. Mandatory account information: Email, password, ID, name, contact information, business registration number, service usage records, access logs, cookies, and IP information.

2. Optional account information: Date of birth, etc.

1) Password, ID, and name: Used for identifying the user for service usage, preventing duplicate registrations, and preventing fraudulent use.

2) Email, contact information, and business registration number: Used for sending mail, providing information in case of password loss, and handling complaints.

3) User's IP information, cookies, access logs, and service usage records: Used for preventing fraudulent use, imposing sanctions, and statistical analysis.

Article 4 (Methods of Collecting Personal Information)

The Company collects personal information in the following ways:

1. When the user enters personal information on the Company’s website.

2. When the user enters personal information via services other than the Company’s website, such as applications.

3. When a member logs into the member company’s bulletin board and enters the person in charge’s information.

Article 5 (Provision of Personal Information with Prior Consent)

1. The personal information collected may be provided to third parties only if the user has previously consented to its disclosure. However, even in such cases, the Company will provide the minimum amount of personal information necessary, as permitted by relevant laws.

2. The Company may provide the information collected for membership registration and service use to Word & Code Co., Ltd. for the purpose of website and system management (hosting/maintenance) only if the user has given prior consent.

3. If there are changes to the third-party provision relationships or if the third-party provision relationship ends, the Company will notify users and obtain their consent again through the same procedure.

4. Notwithstanding Paragraph 1, if the provision of a user’s personal information to a third party is lawfully mandated by regulations, the Company may provide such information without prior consent.

Article 6 (Procedures and Methods for Destroying Personal Information)

1. In principle, the Company will promptly destroy personal information when the purpose of processing the personal information has been achieved or when the retention and usage period has expired.In principle, the Company will promptly destroy personal information when the purpose of processing the personal information has been achieved or when the retention and usage period has expired.

2. Information entered by users for membership registration or other purposes will be transferred to a separate database (for paper documents, a separate filing cabinet) after the purpose of processing has been achieved and stored for a certain period in accordance with Article 2 before being destroyed.Information entered by users for membership registration or other purposes will be transferred to a separate database (for paper documents, a separate filing cabinet) after the purpose of processing has been achieved and stored for a certain period in accordance with Article 2 before being destroyed.

3. The Company will destroy personal information after obtaining approval from the person responsible for personal information protection.The Company will destroy personal information after obtaining approval from the person responsible for personal information protection.

4. Personal information stored in electronic file formats will be deleted using technical methods that prevent record recovery. Paper documents containing personal information will be shredded or incinerated.Personal information stored in electronic file formats will be deleted using technical methods that prevent record recovery. Paper documents containing personal information will be shredded or incinerated.

Article 7 (User and Legal Representative Rights, Obligations, and Exercise Methods)

1. Users have the right to withdraw consent to the collection and use of personal information by requesting "membership withdrawal" at any time.

2. The rights stated in Paragraph 1 can be exercised by the user via written notice, email, or fax in accordance with Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act, and the Company will act on the request without delay.

3. The rights specified in Paragraph 1 may also be exercised by the user’s legal representative or authorized agent. In such cases, a power of attorney form must be submitted in accordance with the format specified in the “Notice on the Methods of Processing Personal Information.” The Company will confirm whether the requester is the user or an authorized representative.

4. The user’s right to request access or suspension of personal information processing may be restricted under Article 35, Paragraph 4, and Article 37, Paragraph 2 of the Personal Information Protection Act.

5. If other laws require the collection of certain personal information, the user cannot request the deletion of that information.

6. Users are responsible for maintaining the accuracy of their personal information and are liable for any issues caused by the submission of inaccurate information.

7. If a user joins with stolen personal information, they may lose their membership and be subject to penalties under applicable laws related to personal information protection.

8. Users are responsible for maintaining the security of their email addresses and passwords and may not transfer or lend them to third parties.

Article 8 (Designation of the Company’s Personal Information Protection Officer)

The Company has designated the following department and personal information protection officer to protect users’ personal information and handle complaints related to personal information:

1. Personal Information Protection Officer:

1) Name: No Bo-Eun

2) Position: Senior Researcher

3) Phone: +82-2-6258-7450

4) Email: h2korea@h2korea.or.kr

Article 9 (Measures for Sending Advertising Information)

1. In accordance with Article 50, Paragraph 1 of the Information and Communications Network Act, the Company will obtain the user’s explicit prior consent before sending commercial information for profit-making purposes via electronic transmission media. However, prior consent is not required in the following cases: a. When the Company collects contact information directly from the recipient during a transaction, and the commercial information is sent regarding goods similar to those traded within 6 months of the transaction's completion. b. When telephone solicitation is made by a sales agent in accordance with the Door-to-Door Sales Act and the agent informs the recipient of the source of personal information.

2. If the recipient expresses their intention to reject receiving advertising information or withdraws their prior consent, the Company will cease sending commercial information for profit-making purposes. The Company will notify the recipient of the result of the opt-out or withdrawal request within 14 days of the request.

3. Notwithstanding Paragraph 1, the Company will obtain separate prior consent from the recipient if it sends commercial information for profit-making purposes via electronic transmission media between 9 PM and 8 AM.

4. When sending commercial information for profit-making purposes via electronic transmission media, the Company will clearly disclose the following information in the advertisement: a. The Company’s name and contact information. b. Information on how to opt-out or withdraw consent.

5. The Company will not engage in the following practices when sending commercial information for profit-making purposes: a. Avoiding or obstructing the recipient’s opt-out or consent withdrawal. b. Automatically generating contact information (phone numbers or email addresses) by combining numbers, symbols, or characters. c. Automatically registering phone numbers or email addresses for the purpose of sending commercial information for profit-making purposes. d. Taking actions to hide the sender’s identity or the source of the commercial message. e. Engaging in deceptive practices to induce replies from the recipient.

6. The Company will verify the recipient’s consent every two years from the date of obtaining their prior consent by clearly indicating the following: a. The Company’s name. b. The fact that the recipient has consented to receiving commercial information, and the date of consent. c. Methods for maintaining or withdrawing consent to receive commercial information.

Article 10 (Installation and Operation of Automatic Personal Information Collection Devices and Rejection Methods)

1. To provide personalized services to users, the Company uses cookies, which store and retrieve user information. A cookie is a small amount of data sent from the web server (including for PC and mobile browsers) to the user’s web browser and stored in the user's storage.

2. Users have the option to accept or reject the installation of cookies. By adjusting the settings on their web browser, users can choose to allow all cookies, require confirmation each time a cookie is stored, or block all cookies.

3. However, if cookies are disabled, users may experience difficulties using certain services that require login.

Article 11 (How to Configure Cookie Preferences)

Users can configure cookie preferences through web browser settings:

1. Edge: Settings Menu > Cookies and Site Permissions > Manage and delete cookies and site data.

2. Chrome: Settings Menu > Privacy and Security > Cookies and other site data.

3. Whale: Settings Menu > Privacy Protection > Cookies and other site data.

Article 12 (Remedies for Violations of Rights)

Users can seek dispute resolution or counseling regarding violations of personal information by contacting the Personal Information Dispute Mediation Committee or the Korea Internet & Security Agency's Personal Information Infringement Report Center. For other complaints or inquiries related to personal information violations, users may contact the following institutions:

a. Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)

b. Personal Information Infringement Report Center: 118 (privacy.kisa.or.kr)

c. Supreme Prosecutors' Office: 1301 (www.spo.go.kr)

d. National Police Agency: 182 (ecrm.cyber.go.kr)

2. The Company is committed to ensuring the protection of users’ personal information and self-determination rights and will promptly address complaints and requests for counseling regarding privacy violations. For any inquiries, users can contact the designated department in Paragraph 1.

3. If an individual's rights or interests are infringed upon due to actions or inaction by a public institution as a result of requests for access, correction, deletion, or suspension of processing personal information under Articles 35, 36, and 37 of the Personal Information Protection Act, the individual may file an administrative appeal as provided by the Administrative Appeals Act. a. Central Administrative Appeals Committee: 110 (www.simpan.go.kr)

Article 13 (Disclosure of this Policy)

1. The Company publicly discloses this Policy on the main page of its website or a linked page to ensure that users can easily access it at any time.

2. When disclosing this Policy under Paragraph 1, the Company will use appropriate font sizes and colors to make the Policy easy for users to read.

Article 14 (Changes to this Policy)

1. This Policy may be amended due to changes in relevant laws, guidelines, notices, or government or Company service policies.

2. If the Company amends this Policy, it will notify users through one or more of the following methods: a. Posting on the main page of the Company’s website or via a pop-up window. b. Notification by written notice, fax, email, or other similar methods.

3. The Company will notify users of changes at least 7 days before the effective date of the revised Policy. If the changes significantly affect users' rights, the Company will notify them at least 30 days in advance.

Addendum

1. This Policy will take effect from 2025.01.06.

2. Users can view the previous version of this Policy via the notice section.