Privacy Policy of Hexcon Inc.

Article 1 (Purpose)

Hexcon Inc. ("Company") establishes this Privacy Policy ("Policy") to protect the personal information of individuals ("Users"or “Individuals”) using the services provided by the Company ("Company Services"). The Company complies with relevant laws, including the Personal Information Protection Act and the Act on Promotion of Information and Communications Network Utilization and Information Protection ("Information and Communications Network Act"), and strives to promptly and effectively address grievances related to the protection of Users' personal information.

Article 2 (Principles of Personal Information Processing)The Company may collect Users' personal information in accordance with relevant laws and this Policy. Collected personal information may be provided to third parties only with the User's consent, except in cases where it is legally required under applicable laws, in which case the Company may provide such information to third parties without prior consent.

Article 3 (Disclosure of the Policy)
The Company makes this Policy publicly available on the homepage or a connected page so that Users can easily access it at any time.
The Company ensures that the Policy is displayed in a manner that is easy for Users to read, using appropriate font sizes and colors.

Article 4 (Amendment of the Policy)
This Policy may be revised in accordance with changes in relevant laws, guidelines, notices, or the Company's service policies or content.
In the event of an amendment to this Policy, the Company will notify Users through one or more of the following methods: a. Posting a notice on the homepage’s notice section or a separate window. b. Notifying Users via written communication, fax, email, or similar methods.
The Company will provide notice of amendments at least 7 days prior to their effective date. However, if the amendment significantly affects Users' rights, notice will be provided at least 30 days in advance.

Article 5 (Information for Membership Registration)
The Company collects the following information for Users' membership registration to the Company Services:
Mandatory Information: Email address, password, name, nickname, date of birth, and mobile phone number.

Article 6 (Information for Identity Verification)
The Company collects the following information for User identity verification:
Mandatory Information: Mobile phone number, email address, name, date of birth, gender, identity verification values (CI, DI), mobile carrier, i-PIN information (if i-PIN is used), and nationality status (domestic/foreign).

Article 7 (Information for Legal Representative Consent)
When the consent of a legal representative is required, the Company collects the following information:
Mandatory Information: Legal representative’s name, date of birth, gender, nationality status (domestic/foreign), mobile phone number, mobile carrier, i-PIN information (if i-PIN is used), identity verification values (CI, DI), and relationship to the User.

Article 8 (Information for Payment Services)
The Company collects the following information to provide payment services:
Mandatory Information: Card number, card password, expiration date, first six digits of date of birth (yy/mm/dd), bank name, and account number.

Article 9 (Information for Issuing Cash Receipts)
The Company collects the following information to issue cash receipts:
Mandatory Information: Name of the cash receipt recipient, date of birth, address, mobile phone number, and cash receipt card number.

Article 10 (Information for Providing Company Services)
The Company collects the following information to provide its services:
Mandatory Information: ID, email address, name, date of birth, and contact information.

Article 11 (Information for Service Usage and Fraud Prevention)
The Company collects the following information for statistical analysis, fraud detection, and prevention: (Fraud refers to activities such as repeatedly canceling purchases after obtaining discounts or event benefits, engaging in prohibited activities under the Terms of Service, or identity theft.)
Mandatory Information: Service usage records, cookies, access location information, and device information.

Article 12 (Methods of Personal Information Collection)
The Company collects Users' personal information through the following methods:
Users entering their personal information on the Company’s website.
Users entering their personal information through services provided by the Company, such as applications, outside the website.

Article 13 (Use of Personal Information)
The Company uses personal information for the following purposes:
Delivering notices and other operations necessary for the Company.
Responding to inquiries, handling complaints, and improving services for Users.
Providing the Company’s services.
Implementing restrictions, preventing, and addressing fraudulent activities or behaviors that disrupt the smooth operation of services, including violations of laws or Company terms.
Developing new services.
Providing event and marketing information.
Conducting demographic analysis and analyzing service usage records.
Facilitating relationships between Users based on personal information and interests.

Article 14 (Provision of Personal Information with Prior Consent)
Despite restrictions on providing personal information to third parties, the Company may provide personal information to third parties if the User has given prior consent or explicitly agreed to the following matters. In such cases, the Company will provide the minimum information required under relevant laws.
The Company will follow the same notification and consent procedures if there are changes or terminations in third-party provision relationships.

Article 15 (Outsourcing of Personal Information Processing)
To ensure smooth service provision and efficient operations, the Company outsources personal information processing as follows:
Outsourcing to credit information companies, such as NICE Information Service, for issuing cash receipts and tax invoices until membership termination or the end of the outsourcing contract.

Article 16 (Retention and Use Period of Personal Information)
The Company retains and uses personal information for the period necessary to achieve the purposes of collection and use.
Notwithstanding the above, the Company retains records of fraudulent use for up to one year after membership termination to prevent fraudulent activities.

Article 17 (Retention and Use Period Under Relevant Laws)
The Company retains and uses personal information in accordance with the following laws:
Act on Consumer Protection in Electronic Commerce: a. Records of contracts or subscription cancellations: 5 years. b. Records of payments and supply of goods: 5 years. c. Records of consumer complaints or dispute resolutions: 3 years. d. Records of advertisements: 6 months.
Protection of Communications Secrets Act: a. Website log records: 3 months.
Electronic Financial Transactions Act: a. Records of electronic financial transactions: 5 years.
Act on the Protection and Use of Location Information: a. Records of personal location information: 6 months.

Article 18 (Principle of Personal Information Destruction)
The Company promptly destroys personal information when it is no longer needed due to the achievement of the processing purpose or the expiration of the retention period.

Article 19 (Personal Information Destruction Procedure)
Information entered by Users for membership registration or other purposes is transferred to a separate database (or a separate filing system for paper records) after the processing purpose is achieved and stored for a certain period based on internal policies or relevant laws before being destroyed.
The Company destroys personal information upon the occurrence of a destruction reason, following approval by the personal information protection officer.

Article 20 (Personal Information Destruction Methods)
The Company deletes electronically stored personal information using technical methods that prevent data recovery and destroys printed personal information by shredding or incineration.

Article 21 (Measures for Transmitting Commercial Information)
When transmitting commercial information for profit via electronic means, the Company obtains the User’s explicit prior consent, except in the following cases:
a. When the Company has directly collected contact information from the recipient through a transaction and sends commercial information about similar goods or services within 6 months of the transaction’s completion.
b. When a telemarketer under the Act on Door-to-Door Sales verbally informs the recipient of the source of personal information collection during a phone call.
If the recipient expresses refusal or withdraws consent, the Company ceases sending commercial information and notifies the recipient of the processing results.
For commercial information sent via electronic means between 9:00 PM and 8:00 AM the next day, the Company obtains separate prior consent, regardless of the above.
When sending commercial information via electronic means, the Company clearly specifies:
a. Company name and contact information.
b. Information on how to refuse or withdraw consent.
The Company does not engage in the following actions when sending commercial information:
a. Evading or obstructing the recipient’s refusal or withdrawal of consent.
b. Automatically generating phone numbers or email addresses using numbers, codes, or characters.
c. Automatically registering phone numbers or email addresses for sending commercial information.
d. Concealing the identity of the sender or the source of the advertisement.
e. Deceiving recipients to induce responses for commercial purposes.

Article 22 (Protection of Children’s Personal Information)
The Company restricts membership registration to Users aged 14 or older to protect the personal information of children under 14.
If a User is a child under 14, the Company obtains consent for the collection, use, and provision of the child’s personal information from their legal representative.
In such cases, the Company collects additional information from the legal representative, including name, date of birth, gender, ID, and mobile phone number.

Article 23 (Access and Withdrawal of Consent for Personal Information)
Users and their legal representatives may access or modify their registered personal information at any time and may request the withdrawal of consent for information collection.
To withdraw consent for information collection, Users or their legal representatives may contact the personal information protection officer or responsible department in writing, by phone, or via email, and the Company will promptly take action.

Article 24 (Correction of Personal Information)
Users may request the correction of errors in their personal information using the methods described in the previous article.
The Company will not use or provide incorrect personal information until corrections are completed and will promptly notify third parties if incorrect information has already been provided to ensure corrections are made.

Article 25 (User Responsibilities)
Users are responsible for keeping their personal information up to date, and the Company is not liable for issues arising from inaccurate information provided by Users.
Users who register with stolen personal information may lose their membership or face penalties under relevant personal information protection laws.
Users are responsible for maintaining the security of their email addresses, passwords, and other credentials and may not transfer or lend them to third parties.

Article 26 (Management of Personal Information)
The Company implements necessary technical and managerial measures to ensure the security of Users’ personal information and prevent loss, theft, leakage, alteration, or damage.

Article 27 (Handling of Deleted Information)
Personal information terminated or deleted at the request of Users or their legal representatives is processed in accordance with the retention and use periods specified in this Policy and is not used or accessed for other purposes.

Article 28 (Password Encryption)
Users’ passwords are stored and managed using one-way encryption, and personal information can only be accessed or modified by the User who knows the password.

Article 29 (Measures Against Hacking)
The Company takes utmost care to prevent the leakage or damage of Users’ personal information due to hacking or computer viruses.
The Company uses the latest antivirus programs to prevent the leakage or damage of Users’ personal information or data.
The Company employs intrusion prevention systems to ensure security in case of unforeseen incidents.
The Company uses encrypted communication to securely transmit sensitive personal information over networks.

Article 30 (Minimization and Training for Personal Information Processing)
The Company limits the number of personnel handling personal information to the minimum necessary and emphasizes compliance with laws and internal policies through training and other managerial measures.

Article 31 (Measures for Personal Information Breaches)
Upon discovering a personal information breach (loss, theft, or leakage), the Company promptly notifies the affected User and reports to the Korea Communications Commission or the Korea Internet & Security Agency, including the following details:
The personal information items affected by the breach.
The time of the breach.
Actions the User can take.
The Company’s response measures.
Contact information for consultations or inquiries.

Article 32 (Exceptions to Breach Notification)
If the Company is unable to contact the User due to unknown contact information or other justifiable reasons, the Company may post a notice on its website for at least 30 days as an alternative to direct notification.

Article 33 (Protection of Personal Information Transferred Overseas)
The Company does not enter into international contracts that violate the Personal Information Protection Act or other relevant laws concerning Users’ personal information.

Article 34 (Installation, Operation, and Rejection of Automatic Personal Information Collection Devices)
The Company uses automatic personal information collection devices (hereinafter "cookies") to store and retrieve User information for providing personalized services. Cookies are small amounts of data sent by the server (http) to the User’s web browser (including PCs and mobile devices) and may be stored on the User’s device.
Users have the option to accept or reject cookies. Users may configure their web browser to accept all cookies, confirm each cookie, or reject all cookies.
However, rejecting cookies may cause difficulties in using certain Company services that require login.

Article 35 (Methods for Configuring Cookie Settings)
Users can configure cookie settings through their web browser options:
Edge: Settings menu in the top-right corner > Cookies and Site Permissions > Manage and Delete Cookies and Site Data.
Chrome: Settings menu in the top-right corner > Privacy and Security > Cookies and Other Site Data.
Whale: Settings menu in the top-right corner > Privacy > Cookies and Other Site Data.

Article 36 (Designation of Personal Information Protection Officer)
The Company designates the following department and officer to protect Users’ personal information and handle related complaints: a. Personal Information Protection Officer:
Name: Hojong(Roy) Choi
Position: CEO
Phone: 070-7700-4888
Email: ceo@refacx.com b. Personal Information Protection Department:
Department: RefacX Mission Team
Contact Person: Hojong(Roy) Choi
Phone: 070-7700-4888
Email: ceo@refacx.com
Article 37 (Remedies for Infringement of Rights)

Users may seek dispute resolution or consultation through the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency’s Personal Information Infringement Report Center, or other agencies. For further inquiries regarding personal information infringement, contact: a. Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr) b. Personal Information Infringement Report Center: 118 (privacy.kisa.or.kr) c. Supreme Prosecutors’ Office: 1301 (www.spo.go.kr) d. National Police Agency: 182 (ecrm.cyber.go.kr)

The Company strives to ensure Users’ right to self-determination regarding personal information and to provide consultation and remedies for personal information infringements. For inquiries or consultations, please contact the department listed in Article 36.

Users whose rights or interests have been infringed due to actions or inactions by a public institution regarding requests under Articles 35 (Access to Personal Information), 36 (Correction or Deletion of Personal Information), or 37 (Suspension of Personal Information Processing) of the Personal Information Protection Act may file an administrative appeal as prescribed by the Administrative Appeals Act. a. Central Administrative Appeals Commission: 110 (www.simpan.go.kr)

⸻

DATA PROTECTION RIGHTS

Under the Personal Information Protection Act of the Republic of Korea (“PIPA”), Clients and Suppliers have rights regarding the collection, use, and processing of personal and business-related information.

RefacX does not sell personal or business information and shall not do so in the future. Likewise, RefacX does not provide financial incentives in connection with the collection, use, or disclosure of such information.

In the course of processing Requests for Quotation (“RFQ”) and related services, RefacX may collect limited categories of information necessary for business operations, including company identifiers, business registration details, professional contact information, and electronic communications.

The categories of data collected and their use are described in Article 13 (Use of Personal Information). The types of third parties with whom information may be shared are described in Article 14 (Provision of Personal Information with Prior Consent), Article 15 (Outsourcing of Personal Information Processing)

Clients and Suppliers have the right to request access to, correction of, or deletion of their information, subject to applicable legal and contractual requirements. Such requests may be submitted by contacting RefacX at the address below. RefacX shall not impose unfair restrictions or discriminatory treatment on any Client or Supplier for exercising these rights.

⸻

CHANGES AND UPDATES TO THIS PRIVACY POLICY

This Privacy Policy may be updated from time to time in response to operational, legal, or regulatory changes. RefacX reserves the right to amend this Privacy Policy at its sole discretion. Updates shall be posted on the RefacX website, and the effective date shall be revised accordingly. Clients and Suppliers are encouraged to review this Privacy Policy periodically to remain informed of current practices.

⸻

QUESTIONS OR CONTACT INFORMATION

For any questions, concerns, or requests regarding this Privacy Policy, please contact:

RefacX Inc.

Attn: RefacX Mission Team

Address: 2002, Tower Building, Urban Bricks,47 Jungdongjungang-ro, Uichang-gu,Changwon-si, Gyeongsangnam-do,51473, Republic of Korea

Email: ceo@refacx.com

This Policy takes effect on August 31, 2025.