Privacy Policy

Emelmujiro ('Company') establishes and publicly discloses this Privacy Policy pursuant to Article 30 of the Personal Information Protection Act (PIPA) to protect the personal information of data subjects and to promptly handle related complaints.

We collect the minimum personal information necessary to provide our services. [Required items] • Contact form (required): Name, email (auto-collected from submitter's Google account), inquiry category, inquiry details, preferred schedule, consent to data collection • Contact form (optional): Organization name, reply-to email, phone number, budget range, additional comments • Account registration: Email address, password (stored with one-way encryption) [Automatically collected] • IP address, browser type and version, operating system, visit timestamps, page views, service usage logs [Collection methods] • Website contact form (Google Forms-based), account registration, and automatic collection during service use

We process collected personal information for the following purposes only. • Responding to inquiries and providing consultation services • Member registration and management, identity verification • Statistical analysis for service improvement • Security threat detection and fraud prevention • Compliance with legal obligations

We destroy personal information without delay once the purpose of processing has been achieved. [Retention periods] • Member data: Until membership withdrawal • Inquiry records: 1 year after resolution • Visit logs (SiteVisit): Automatically deleted after 90 days • Legal retention: For the period required by applicable laws [Destruction procedures and methods] • Electronic files: Permanently deleted using irreversible methods • Paper documents: Not applicable (electronic processing only)

We do not disclose personal information to third parties, except in the following cases. • When the data subject has given separate prior consent • When there is a specific provision in law • When necessary for urgent protection of life, body, or property of the data subject or a third party, and prior consent cannot be obtained

We outsource personal information processing to the following service providers. • Google LLC (Google Forms): Inquiry form data collection and storage — the contact form on /contact is served via Google's infrastructure, and submissions (name, email, inquiry content, etc.) are stored on Google's servers. • Sentry (Functional Software, Inc.): Error tracking and service stability monitoring — technical information collection upon errors ※ Website usage statistics are processed on our own servers using a self-hosted analytics tool (Umami), with no external outsourcing. In outsourcing contracts, pursuant to Article 26 of PIPA, we specify provisions regarding prohibition of processing beyond the outsourced purpose, technical and administrative protection measures, restrictions on re-outsourcing, supervision of processors, and liability for damages.

Data subjects may exercise the following rights at any time. • Request to access personal information • Request correction of errors • Request deletion • Request suspension of processing Rights may be exercised in writing or by email ([email protected]). We will take prompt action. When a data subject requests correction or deletion, the relevant personal information will not be used or provided until the correction or deletion is completed.

We take the following measures pursuant to Article 29 of PIPA to ensure the security of personal information. [Administrative measures] • Minimization and training of personal information handlers [Technical measures] • One-way encryption (hashing) of passwords • JWT authentication tokens managed via httpOnly cookies (XSS prevention) • DOMPurify sanitization of blog HTML content • IP-based access restriction and abnormal request blocking (rate limiting) • Access log retention and tamper prevention • Upload file extension, MIME type, and size validation [Physical measures] • Server bound to 127.0.0.1 only, blocking direct external access • Secure traffic delivery through Cloudflare Tunnel

We operate the following automated collection devices for service usage information. • Authentication cookies: JWT token management via httpOnly cookies (session persistence) • Umami: Self-hosted web analytics — cookieless, anonymized visit statistics (page views, session duration, etc.) • Sentry: Technical environment information upon errors (browser, OS, etc.) • Google Forms cookies (S, COMPASS, NID): Third-party cookies set by Google via the iframe on /contact. Will be removed once the inquiry form is migrated to our own backend API. [How to refuse cookies] You can allow, block, or delete cookies through your web browser's settings. However, blocking cookies may limit some services such as login. • Chrome: Settings > Privacy and security > Cookies and other site data • Safari: Preferences > Privacy • Firefox: Settings > Privacy & Security

We do not knowingly collect personal information from children under 14 years of age. If we learn that such information has been collected, we will destroy it without delay.

The Company designates the following Privacy Officer to oversee personal information processing and handle complaints and remedies related to personal information. [Privacy Officer] • Name: Hojin Lee • Position: CEO • Email: [email protected] • Phone: +82 10-7279-0380 Data subjects may direct all inquiries, complaints, and remedy requests related to personal information protection to the Privacy Officer.

Data subjects may contact the following organizations for dispute resolution or consultation regarding personal information infringement. • Personal Information Infringement Report Center (KISA): 118 (no area code) / privacy.kisa.or.kr • Personal Information Dispute Mediation Committee: 1833-6972 / www.kopico.go.kr • Supreme Prosecutors' Office Cyber Investigation Division: 1301 (no area code) / www.spo.go.kr • National Police Agency Cyber Bureau: 182 (no area code) / ecrm.police.go.kr

This Privacy Policy may be updated due to changes in law, policy, or services. Changes will be announced on the website at least 7 days in advance, or 30 days in advance for significant changes affecting user rights.