Privacy Policy
Last Updated: November 7, 2025
Cresco Inc. protects users' personal information in accordance with the Personal Information Protection Act and establishes and discloses this Privacy Policy to promptly and smoothly handle users' concerns related to personal information.
1. Purpose of Processing Personal Information
The Company processes personal information for the following purposes. Personal information processed will not be used for purposes other than the following, and if the purpose of use changes, prior consent will be obtained.
1) Membership Registration and Management
- Verification of membership intention, personal identification and authentication for member service provision
- Maintenance and management of membership status, prevention of fraudulent use of services
- Various notices and notifications, grievance handling
2) Service Provision
- Cresco AI-based stock search and analysis services
- DART disclosure information provision and AI summary services
- Financial data inquiry and analysis services
- Provision of customized content and identity verification
3) Service Improvement and Statistics
- Development of new services and improvement of existing services
- Service usage statistics analysis and quality improvement
- AI model training and improvement (anonymized data)
- Analysis of access frequency and usage patterns
4) Marketing and Advertising (Optional Consent)
- Provision of events and promotional information
- Provision of participation opportunities and customized service information
2. Personal Information Collection Items and Methods
The Company collects the following personal information for membership registration, service application, and customer inquiry response.
1) Required Collection Items
- Social Login Information
• Kakao Login: Kakao account ID (required), email address (if provided optionally)
• Apple Login: Apple ID (required), email address (if provided optionally, private relay email possible)
- Username (nickname)
2) Automatically Collected Items
The following information is automatically generated and collected during service use.
- Service usage records: query content, conversation history, AI response records
- Access logs: access date/time, access IP address, session information
- Device information: device ID, device OS information, app version
- Authentication tokens: JWT refresh tokens (encrypted storage)
- Payment information: payment records, billing keys (for auto-renewal, encrypted storage)
- Usage information: daily usage count, subscription status
3) Collection Methods
- Collection through social login (Kakao, Apple) OAuth authentication process
- Automatic generation and collection during service use
- Voluntary provision when contacting customer service
※ The Company does not provide email/password-based membership registration and membership is only possible through social login.
3. Processing and Retention Period of Personal Information
The Company processes and retains personal information within the retention and use period stipulated by laws or the retention and use period consented to by the data subject when collecting personal information.
1) Processing Upon Membership Withdrawal
- When a member requests withdrawal, the account is immediately deactivated
- Personal identification information (email, username, social ID) is immediately deleted or anonymized
- Conversation records are anonymized and retained for service improvement and AI training purposes
(User IDs are hashed and cannot be personally identified)
2) Legal Retention Obligations
The following information is retained for a certain period in accordance with relevant laws.
Act on Consumer Protection in Electronic Commerce:
- Records of contracts or withdrawal of subscription: 5 years
- Records of payment and supply of goods: 5 years
- Records of consumer complaints or dispute resolution: 3 years
- Records of display and advertising: 6 months
Protection of Communications Secrets Act:
- Login records: 3 months
3) Retention Period Summary
- Social login information: Until membership withdrawal
- Conversation records: Retained indefinitely after anonymization upon withdrawal
- Payment records: 5 years (Electronic Commerce Act)
- Access logs: 3 months (Protection of Communications Secrets Act)
4. Provision of Personal Information to Third Parties
The Company, in principle, processes users' personal information within the scope of purposes specified in Article 1 and does not provide it to third parties beyond the original scope without prior consent. However, personal information may be provided to third parties in the following cases.
1) When users have consented to third-party provision in advance
2) When required by law or at the request of investigative agencies according to procedures and methods stipulated by law
3) When personal information is provided in a form that cannot identify specific individuals for purposes such as statistical preparation and academic research
Third Party Provision Status:
| Recipient | Purpose | Items | Retention Period |
|-----------|---------|-------|------------------|
| Nicepay Co., Ltd. | Payment processing and settlement | Payment amount, order number, billing key | Service use period and legal retention period |
※ The Company does not directly store members' credit card information, which is processed by Nicepay.
5. Outsourcing of Personal Information Processing
The Company outsources personal information processing tasks as follows to fulfill services.
| Outsourcee | Outsourced Tasks | Outsourced Items | Outsourcing Period |
|-----------|------------------|------------------|-------------------|
| Amazon Web Services Inc. (USA) | Cloud server operation and database management | Member information, conversation records, payment records, access logs | Until membership withdrawal or contract termination |
| OpenAI, LLC (USA) | AI response generation and natural language processing | User query content, conversation history, search queries | Real-time processing then up to 30 days per OpenAI policy |
| Redis Labs (USA) | Session management, usage management, real-time data processing | User ID, daily usage, session tokens, conversation event buffer | 24 hours (automatic deletion) |
| Qdrant Solutions GmbH (Germany) | Vector search service | User query embeddings, search queries, stock codes | Until membership withdrawal or contract termination |
| Tavily Inc. (USA) | Web search service | Search queries | Immediate deletion after real-time processing |
| PostHog Inc. (USA) | Service usage analysis and session replay | User ID, usage records, session data, device information | Until membership withdrawal or contract termination |
| Datadog Inc. (USA) | System monitoring and log management | User ID, API request records, error logs, access IP | Up to 90 days per log retention policy |
| Nicepay Co., Ltd. (Korea) | Payment processing and settlement | Payment information, billing keys, order numbers | Legal retention period (5 years) |
| Expo (USA) | Push notification delivery | Device tokens, notification content | Immediate deletion after delivery |
We stipulate and supervise necessary matters in contracts to ensure outsourced companies handle personal information safely in accordance with the Personal Information Protection Act.
6. Cross-Border Transfer of Personal Information
The Company transfers members' personal information abroad as follows to provide AI services.
Notice pursuant to Article 17(3) of the Personal Information Protection Act:
1) Items of Personal Information Transferred
- User query content and conversation history
- User ID (hashed form)
- Search queries and session data
- Service usage records and access logs
- Device information and error logs
2) Countries to Which Personal Information is Transferred
- USA: OpenAI, Tavily, PostHog, Datadog, Redis Labs, AWS, Expo
- Germany: Qdrant Solutions GmbH
3) Recipients
- OpenAI, LLC: AI response generation
- Tavily Inc.: Web search service
- PostHog Inc.: Service usage analysis
- Datadog Inc.: System monitoring
- Redis Labs: Session management
- Qdrant Solutions GmbH: Vector search
- Amazon Web Services Inc.: Cloud infrastructure
- Expo: Push notifications
4) Purpose of Use by Recipients
- OpenAI: Natural language processing and AI response generation
- Tavily: Real-time web search and information provision
- PostHog: Service usage pattern analysis and improvement
- Datadog: System stability monitoring and incident response
- Others: Service provision and operation
5) Retention and Use Period of Personal Information
- OpenAI: Up to 30 days after real-time processing (OpenAI policy)
- Datadog: Up to 90 days
- Redis Labs: 24 hours (automatic deletion)
- Others: Until membership withdrawal or achievement of processing purpose
6) Time and Method of Transfer
- Transfer time: Real-time transmission upon service use
- Transfer method: API transmission via HTTPS encrypted communication
Members have the right not to consent to the cross-border transfer of personal information above, but if they do not consent, AI services cannot be used.
7. Rights and Obligations of Data Subjects and How to Exercise Them
Users can exercise the following rights as data subjects.
1) Request to View Personal Information
- You can view your personal information held by the Company
- Can be checked in the app at [My Page > Personal Information Management]
2) Request to Correct Personal Information
- You can request correction if there are errors in personal information
- Social login information must be modified on the respective platform (Kakao, Apple)
3) Request to Delete Personal Information
- You can request deletion of personal information through membership withdrawal
- However, information required to be retained by law will not be deleted
- Processing within 10 days after deletion request
4) Request to Stop Processing Personal Information
- You can request temporary suspension of personal information processing
- However, information essential for service provision cannot be suspended
5) How to Exercise Rights
- Direct processing through My Page in the app
- Customer service inquiry (Support > Contact)
- Email: [email protected]
The Company will take action without delay when receiving a request from a data subject, and will notify the reason if there are legal restrictions.
8. Destruction of Personal Information
When personal information becomes unnecessary, such as when the retention period has elapsed or the processing purpose has been achieved, the Company processes such personal information as follows.
1) Destruction Procedure
- Upon membership withdrawal request, personal identification information is immediately deleted or anonymized
- Anonymized conversation records are retained for service improvement purposes
- Information required to be retained by law is transferred to a separate database and retained
2) Destruction Method
- Electronic files: Complete deletion in an unrecoverable manner
- Database: User ID hashing, email removal (anonymization)
- Paper documents: Shredding or incineration
3) Anonymization Processing
Conversation records and service usage data are anonymized as follows:
- User ID → Converted to hash value (non-decryptable)
- Email address → Complete deletion
- Social login information → Complete deletion
- Conversation content → Retained after removal of personal identification information
9. Measures to Ensure Safety of Personal Information
In accordance with Article 29 of the Personal Information Protection Act, the Company takes the following technical, administrative, and physical measures necessary to ensure safety.
1) Technical Measures
- Personal information encryption: Passwords (none), payment information, and authentication tokens are stored encrypted
- Encryption in transit: All communication is encrypted via the HTTPS/TLS protocol
- Access control: Minimized database access permissions and IP whitelist application
- Security programs: Operation of hacking and virus defense systems
- Intrusion detection: Operation of AWS WAF and security monitoring systems
2) Administrative Measures
- Minimization of personal information processing staff and regular training
- Management of personal information access permissions and audit log recording
- Establishment and implementation of internal personal information protection plan
- Two-factor authentication for administrator accounts
3) Physical Measures
- Use of physical security facilities in AWS Seoul region
- Server room access control and CCTV monitoring (AWS responsibility)
- Backup data encryption and distributed storage
4) Administrator Access Control
- Only a minimal number of administrators can view conversation history for customer support purposes
- All administrator access records are retained as audit logs (minimum 1 year)
- Access limited to the minimum necessary for work
10. Personal Information Protection Officer
The Company designates a Personal Information Protection Officer as follows to take overall responsibility for matters related to personal information processing and to handle complaints and provide relief to data subjects related to personal information processing.
Personal Information Protection Officer
- Email: [email protected]
- Department: Cresco Inc.
- Role: Overall responsibility for personal information processing
Data subjects can contact the Personal Information Protection Officer regarding all personal information protection-related inquiries, complaint handling, and damage relief arising from using the Company's services.
The Company will respond to and process data subjects' inquiries without delay.
11. Notification in Case of Personal Information Leakage
In the event of a personal information leakage incident, the Company will take measures as follows in accordance with Article 34 of the Personal Information Protection Act.
1) Matters to Notify Users
- Items of personal information leaked
- Time and circumstances of leakage
- Actions users can take
- Company's response measures and damage relief procedures
- Department in charge and contact information
2) Notification Method
- Email, app push notifications, service announcements
- Notification within 24 hours after confirmation of leakage
3) Reporting Procedure
- Report to Korea Internet & Security Agency Personal Information Infringement Report Center
- Report to supervisory authority (Personal Information Protection Commission)
12. Remedies for Rights Infringement
Data subjects can apply for dispute resolution or consultation with the following organizations to receive relief for personal information infringement.
1) Personal Information Infringement Report Center (Korea Internet & Security Agency)
- Phone: 118
- Website: privacy.kisa.or.kr
2) Personal Information Dispute Mediation Committee
- Phone: 1833-6972
- Website: www.kopico.go.kr
3) Supreme Prosecutors' Office Cybercrime Investigation Division
- Phone: 1301
- Website: www.spo.go.kr
4) National Police Agency Cyber Safety Bureau
- Phone: 182
- Website: cyberbureau.police.go.kr
13. Cookie and Token Policy
The Company uses JWT (JSON Web Token) instead of cookies for authentication and session management.
1) JWT Token Use
- JWT access tokens are encrypted and stored in the device's secure storage (Keychain/Keystore)
- Token validity period: Access token 1 week
- Refresh tokens are used for automatic login functionality
2) Token Information Included
- User ID
- Username
- Subscription plan
- Daily usage limit
- Token issuance and expiration time
3) Token Management
- All tokens are immediately invalidated upon membership withdrawal
- Tokens are deleted from the device upon logout
- Tokens can be forcibly invalidated when suspicious activity is detected
14. Changes to Privacy Policy
This Privacy Policy applies from November 7, 2025. If there are additions, deletions, or corrections arising from changes in laws and policies, they will be announced through notices from 7 days before the effective date to the day before the effective date.
Change History:
- November 7, 2025: Detailed disclosure of third-party AI service providers, establishment of cross-border transfer notice, clarification of data retention policy
- October 20, 2025: Initial enactment