1.0

Privacy Policy for Travel Wallet Corporate Services

Travel Wallet Co., Ltd. (“Company”) processes and manages personal information of data subjects (customers) lawfully and securely in accordance with the Personal Information Protection Act and other relevant laws. This Privacy Policy has been established and disclosed to ensure that data subjects can easily check the standards and procedures for handling personal information and smoothly exercise their rights.

1. Purpose of Processing Personal Information

To provide consultation for business partnership inquiries, guide related matters, and enable subscription and use of Travel Wallet’s corporate services.

The Company processes personal information only to the minimum extent necessary to fulfill the above purposes. Personal information is not used for purposes other than those specified above. In the event of any change to the processing purpose, the Company will obtain separate consent from the data subject and take necessary actions.

2. Period of Retention and Use of Personal Information

The Company processes or retains personal information until the purpose of collection and use agreed upon by the data subject is achieved. When the retention period has expired or the processing purpose has been achieved and the personal information is no longer needed, the Company shall promptly destroy such personal information.

Notwithstanding paragraph 1, the Company may retain personal information as required under relevant laws and regulations for the period specified by such laws. The following table outlines the details:

Retention Item	Retention Period	Legal Basis
Records on contract or withdrawal of subscription	5 years	Act on Consumer Protection in Electronic Commerce
Records on payment and supply of goods	5 years	Act on Consumer Protection in Electronic Commerce
Records on consumer complaints or dispute resolution	3 years	Act on Consumer Protection in Electronic Commerce
Records on labeling and advertising	6 months	Act on Consumer Protection in Electronic Commerce
Electronic financial transaction records (over KRW 10,000)	5 years	Electronic Financial Transactions Act
Electronic financial transaction records (KRW 10,000 or less)	1 year	Electronic Financial Transactions Act
Records on provision of real-name financial transaction information	5 years	Real Name Financial Transactions Act
Suspicious transaction reports (STR)	5 years	Specific Financial Information Act
Customer due diligence (KYC) documents	5 years	Specific Financial Information Act
Information on remitters and recipients of wire transfers	5 years	Specific Financial Information Act
Foreign exchange documents including currency exchange ledgers	5 years	Foreign Exchange Transaction Regulations
Payment records for small-sum remittance services	5 years	Foreign Exchange Transaction Regulations
Settlement and transaction records for small-sum remittances	5 years	Foreign Exchange Transaction Regulations
Tax-related books and evidence	5 years	Framework Act on National Taxes
Telecommunications data (e.g., time, call numbers)	12 months	Protection of Communications Secrets Act
Log data, IP addresses	3 months	Protection of Communications Secrets Act
Personal location information usage/provision records	6 months	Location Information Act
Records related to collection/use/processing of credit information	3 years	Credit Information Use and Protection Act

3. Items of Personal Information Processed

The Company processes and retains the following personal information items for the stated purposes:

Purpose of Collection	Items Collected	Retention Period
Service application	- Required: Applicant’s name, mobile number, email- Required (for corporate remittance): Major remittance countries, purpose, transaction count and amount	Until contract termination
Contract execution and customer due diligence	- Required:• Representative: Name (KOR/ENG), gender, ID number, birth date, nationality, residence, address, contact info, email• Beneficial owner: Same items as above• Agent: Name, occupation, gender, ID number, birth date, nationality, residence, address, contact info, email• Verification documents: ID of representative and agent, power of attorney- Optional: Agent’s city of birth	Until contract termination
Membership registration	- Required: Name (KOR/ENG), birth date, gender, nationality, residence, mobile number- Optional: City of birth, occupation	Until membership withdrawal
Settlement and remittance	- Required: Bank account number, account type, bank name, account holder name	Until contract termination
Inquiries & support	- Required: Applicant’s name, mobile number, email	Until inquiry is resolved

Note: The Company may retain personal information for longer as required by relevant laws and regulations (see Section 2).

4. Provision of Personal Information to Third Parties

The Company may provide personal information to third parties only in cases where the data subject has consented, or where it is permitted under Article 17(1) and Article 18(2) of the Personal Information Protection Act, such as when there are special provisions in other laws, or when it is deemed necessary to protect the urgent life, body, or property interests of the data subject or a third party. The recipients and purposes of such provision are as follows:

Recipient	Purpose of Provision	Items Provided	Retention and Use Period*
ㅤ	ㅤ	ㅤ	ㅤ

The Company may additionally retain personal information in accordance with relevant laws (refer to the Guidelines, Article 2).

5. Matters Regarding Outsourcing of Personal Information Processing

In order to provide diverse services to users, the Company outsources a portion of its business operations to external entities.

When concluding outsourcing contracts, the Company includes provisions in the agreement in accordance with Article 26(1) of the Personal Information Protection Act, stipulating matters such as prohibition of processing personal information beyond the scope of the commissioned tasks, technical and managerial protective measures, the scope and purpose of outsourcing, restrictions on re-outsourcing, security measures, monitoring of the personal information processing status, and liability for breaches by the trustee, and supervises the trustee to ensure safe handling of personal information.

The following table discloses the outsourced business and the trustees (processors) so that data subjects can easily verify them at any time.

Outsourced Task	Trustee	Retention and Use Period*
Individual and Corporate AML	GTOne Co., Ltd.	Until the end of the outsourcing agreement

The Company may additionally retain personal information in accordance with relevant laws (refer to the Guidelines, Article 2).

The following table discloses the sub-trustees to whom the trustees have re-outsourced the personal information processing tasks entrusted by the Company, allowing the data subjects to verify such information at any time.

Sub-Outsourced Task	Trustee	Sub-Trustee	Retention and Use Period*
ㅤ	ㅤ	ㅤ	ㅤ

The Company may additionally retain personal information in accordance with relevant laws (refer to the Guidelines, Article 2).

6. Matters Regarding Overseas Transfer of Personal Information

The Company outsources international remittance operations to an overseas corporation, Visa Worldwide Pte. Ltd., and transfers customers’ personal information abroad within the scope of the entrusted tasks.

Category	Details
Recipient	- Company Name: Visa Worldwide Pte. Ltd. - Contact: gcas.gfc@visa.com, +65-800-4481-250
Items of Personal Information Transferred	Purpose of remittance, Sender’s name, Sender’s account information, Sender’s address, Sender’s nationality, Sender’s contact information, Recipient’s name, Recipient’s address, Recipient’s account information, Recipient’s nationality
Country of Transfer	Singapore
Timing and Method of Transfer	Transmitted via encrypted network (system) at the time of service execution through the Travel Wallet application
Purpose and Retention Period at Recipient	- Purpose of use: To perform overseas account remittance tasks - Retention and use period: Until 5 years after the end of the financial transaction
Right to Refuse and Disadvantages	Users have the right to refuse overseas transfer of personal information. However, consent for overseas transfer is essential for international remittance services, and refusal may result in restrictions on the use of such services.

7. Procedures and Methods for Destroying Personal Information

The Company promptly destroys personal information without delay once the purpose of collection and use has been fulfilled or the retention period has expired. The procedures and methods are as follows:

Destruction Procedure:

After the purpose is fulfilled, the user’s personal information is retained for a certain period in accordance with internal policies and relevant laws and is then destroyed.

Destruction Method:

Personal information recorded and stored in electronic file format is deleted using technical methods that make data recovery impossible.

Personal information recorded and stored in paper documents is destroyed by shredding or incineration.

8. Rights of Data Subjects and Legal Representatives, and Method of Exercise

Data subjects may exercise the following rights concerning the protection of personal information at any time with respect to the Company:

Request access to personal information

Request correction of personal information

Request deletion of personal information

Request suspension of processing of personal information

Requests for access or suspension of processing may be restricted under Article 35(4) and Article 37(2) of the Personal Information Protection Act.

Requests for correction or deletion cannot be accepted if the personal information is specified as a mandatory collection item by other laws.

When a data subject makes a request for access, correction, deletion, or suspension of processing, the Company verifies whether the requester is the data subject or a legitimate representative.

9. Personal Information Protection Officer and Department in Charge

The Company has designated a Personal Information Protection Officer and a department in charge as follows to take overall responsibility for personal information processing and to handle complaints and damage relief related to personal information.

Department in Charge	Personal Information Protection Officer	Title	Contact Information
Security/IT Division	Lee Byunghee	CISO/CPO	business@travel-wallet.com, 02-522-0400

Data subjects may contact the Personal Information Protection Officer or the department in charge regarding any inquiries, complaints, or requests for damage relief related to personal information while using the Company’s services (or business). The Company will respond promptly.

10. Measures to Ensure the Security of Personal Information

To ensure the security of personal information, the Company takes the following measures in accordance with Article 29 of the Personal Information Protection Act:

Regular Internal Audits

The Company conducts regular internal audits (at least once per year) to ensure the safety of personal information handling.

Minimization and Training of Staff Handling Personal Information

The Company designates personnel in charge of handling personal information and restricts their access to the minimum necessary.

Establishment and Implementation of Internal Management Plans

The Company establishes and implements internal management plans for the safe handling of personal information.

Technical Measures Against Hacking and Viruses

The Company installs security programs, regularly updates and checks them, and monitors systems to prevent leakage or damage due to hacking or computer viruses. Access is controlled through secure zones.

Encryption of Personal Information

Personal information and passwords are encrypted and stored according to the “Encryption Guidelines” of the Personal Information Protection Commission. Data transmission between servers and clients uses SSL encrypted communication.

Retention and Protection of Access Logs

Access records to the personal information processing system are retained and managed for at least 2 years, with security features to prevent tampering, theft, or loss.

Access Restriction to Personal Information

Access rights to the database systems processing personal information are granted, changed, and revoked as necessary. The Company uses intrusion prevention systems to block unauthorized external access.

Use of Locks for Document Security

Documents and storage media containing personal information are stored in secure locations with locking devices.

Access Control to Physical Storage Areas

Physical storage areas containing personal information are separated and subject to entry control procedures.

11. Remedies for Infringement of Rights of Data Subjects

The Company strives to guarantee the data subject’s right to self-determination over personal information and to provide relief and consultation in case of infringement. For reports or consultation, please contact the Customer Service Department (see Article 9 of these guidelines).

Data subjects may contact the following institutions for remedies or consultation regarding personal information infringement:

Personal Information Dispute Mediation Committee: 1833-6972 (http://kopico.go.kr)

Personal Information Infringement Report Center: 118 (http://privacy.kisa.or.kr)

Supreme Prosecutors’ Office Cybercrime Investigation Department: 1301 (http://spo.go.kr)

Cyber Bureau of the National Police Agency: 182 (http://cyberbureau.police.go.kr)

In accordance with Articles 25, 26, and 37 of the Personal Information Protection Act, a data subject who believes their rights or interests have been infringed due to actions or omissions by public institutions may file an administrative appeal in accordance with the Administrative Appeals Act.

12. Enforcement and Amendment of the Privacy Policy

This Privacy Policy shall take effect from the date of enforcement. If any additions, modifications, or deletions are made in accordance with relevant laws or policies, such changes will be notified via the notice section at least 7 days prior to the effective date.

Announcement Date: January 13, 2025

Effective Date: January 20, 2025