Article 1. Purpose

Refresh ("Company," "we," "us," or "our") provides this Privacy Policy ("Policy") to explain how we collect, use, disclose, and protect personal information when individuals use our services. This Policy is intended to comply with applicable privacy laws, including the Personal Information Protection Act and the Act on Promotion of Information and Communications Network Utilization and Information Protection.

Article 2. Core Principles

We collect and process personal information in accordance with applicable law and this Policy. We share personal information with third parties only when we have a lawful basis to do so, including your consent or a legal obligation.

Article 3. How We Publish This Policy

1. We make this Policy available on our website so users can review it at any time. 2. We present this Policy in a format designed to make it easy to read, including through layout, font size, and visual emphasis where appropriate.

Article 4. Changes to this Policy

1. We may update this Policy to reflect changes in applicable law, regulatory guidance, or our services and internal policies. 2. If we update this Policy, we may notify users in one or more of the following ways: 1. By posting a notice on the main page of our website or in a separate notice window 2. By sending notice through writing, fax, email, or a similar method 3. We will generally provide notice at least 7 days before an updated Policy takes effect. If a change materially affects user rights, we will provide notice at least 30 days in advance.

Article 5. Information We Collect for Account Registration

We collect the following information to create and maintain your account. 1. Required information: Email address, password, and nickname

Article 6. Information We Collect for Identity Verification

We collect the following information to verify your identity. 1. Required information: Email address

Article 7. Information Collected Through Google Sign-In

We offer sign-in through Google OAuth and collect the following information in that process: 1. Information collected: The email address and profile name associated with your Google account 2. Purpose of collection: Account registration, sign-in, account verification, and service delivery 3. Use of Google data: We use Google user data only to provide and improve our services. 4. Third-party sharing: We do not sell, disclose, or share Google user data with third parties, except for information that users choose to make public themselves or where disclosure is required by law. 5. Security: Information collected through Google OAuth is encrypted, stored securely, and managed in accordance with this Policy.

Article 8. Information We Collect to Provide the Service

We collect the following information to provide our services. 1. Required information: User ID, email address, and name

Article 9. Information We Collect for Service Analytics and Fraud Prevention

We collect the following information to analyze service usage and detect or investigate abusive or fraudulent activity. Fraudulent use may include conduct such as re-registering after account deletion, repeatedly canceling purchases after obtaining benefits, improperly obtaining coupons or promotional rewards, violating our terms, or engaging in misconduct such as identity theft. 1. Required information: Service usage records, cookies, and device information

Article 10. Other Information We Collect

We also collect the following information. 1. Purpose of collection: To provide resume-based services and data-driven insights 2. Information collected: Resume content

Article 11. How We Collect Personal Information

We collect personal information through the following methods: 1. Information you enter directly on our website 2. Information you enter through services we provide outside the website, such as applications

Article 12. Use of Personal Information

We use personal information for the following purposes: 1. To operate the service and deliver notices 2. To respond to questions, requests, and complaints and improve the service 3. To provide the service and related features 4. To enforce our terms and prevent, investigate, or address conduct that interferes with the safe and reliable operation of the service, including fraud 5. To develop new services and features

Article 13. Sharing Personal Information With Your Consent

1. As a general rule, we do not provide users' personal information to third parties. In particular, data collected through Google OAuth is used only to provide and improve our services. 2. We may provide personal information to third parties only in the following cases: - When you have given explicit consent in advance - When disclosure is required by law or requested by an investigative agency through lawful procedures - When disclosure is necessary to provide the service, such as to a payment processor 3. We do not sell, share, or transfer user data to third parties for advertising, marketing, or other purposes unrelated to providing product features. 4. If third-party sharing is necessary, we will explain the recipient, the purpose, the information shared, and the retention period, and we will obtain consent where required. 5. If a third-party sharing relationship changes or ends, we will notify users and obtain consent again where required by law.

Article 14. Retention Period for Personal Information

1. We retain and use personal information for as long as necessary to fulfill the purposes for which it was collected. 2. Even after account deletion, we may keep records related to service abuse for up to 1 year under our internal policies to prevent fraudulent registration and misuse.

Article 15. Retention Required by Law

We also retain personal information for the periods required by applicable law, including the following: 1. Under the Act on Consumer Protection in Electronic Commerce: 1. Records related to contracts or subscription withdrawals: 5 years 2. Records related to payments and the supply of goods or services: 5 years 3. Records related to consumer complaints or dispute resolution: 3 years 4. Records related to labeling and advertising: 6 months 2. Under the Protection of Communications Secrets Act: 1. Website access log records: 3 months 3. Under the Electronic Financial Transactions Act: 1. Records of electronic financial transactions: 5 years 4. Under the Act on the Protection and Use of Location Information: 1. Records related to personal location information: 6 months

Article 16. When We Delete Personal Information

As a general rule, we delete personal information without undue delay once it is no longer needed, including when the purpose of processing has been fulfilled or the applicable retention period has ended.

Article 17. How We Delete Personal Information

1. Information collected for account registration or similar purposes is moved to a separate database or storage location once the original processing purpose has been completed. Paper records are stored separately where applicable. The information is then kept only for the period required under internal policy or applicable law before deletion. 2. Personal information is deleted through an approval process overseen by the personal information protection officer.

Article 18. Methods Used to Delete Personal Information

We delete electronically stored personal information using technical methods designed to prevent recovery. Paper records are destroyed by shredding, incineration, or a comparable secure method.

Article 19. Marketing Communications

1. If we send promotional messages through electronic means, we will obtain your prior consent where required by law. Prior consent is not required in the following cases: 1. When we directly collected your contact information in connection with a transaction and send information about goods or services of the same type within 6 months after that transaction ends 2. When a telemarketing seller covered by the Door-to-Door Sales Act informs the recipient of the source of the personal information and makes the call directly 2. If a recipient opts out or withdraws consent, we will stop sending promotional messages and notify the recipient of the result of that request. 3. If we send promotional messages between 9:00 PM and 8:00 AM, we will obtain any additional consent required by law. 4. Promotional messages sent electronically will clearly identify: 1. The company name and contact information 2. How to opt out or withdraw consent 5. We will not: 1. Interfere with or bypass a recipient's right to opt out or withdraw consent 2. Automatically generate phone numbers or email addresses by combining numbers, symbols, or letters for promotional messaging 3. Automatically register phone numbers or email addresses for the purpose of sending promotional messages 4. Conceal the sender's identity or the source of the advertisement 5. Mislead recipients in order to induce a response for promotional purposes

Article 20. Children's Privacy

1. To protect the personal information of children under 14, we generally allow membership registration only for users who are 14 or older. 2. If a user is under 14, we will obtain consent from that child's legal representative before collecting, using, or disclosing the child's personal information. 3. In that case, we may additionally collect the legal representative's name, date of birth, gender, duplicate registration verification information (ID), and mobile phone number.

Article 21. Access to Personal Information and Withdrawal of Consent

1. Users and legal representatives may review or update registered personal information at any time and may request withdrawal of consent to collect personal information. 2. To withdraw consent, users and legal representatives may contact the personal information protection officer or the responsible team by writing, phone, or email, and we will respond without undue delay.

Article 22. Changes and Corrections to Personal Information

1. Users may request correction of inaccurate personal information through the methods described above. 2. Until a requested correction is completed, we will not use or disclose the inaccurate information. If incorrect information has already been provided to a third party, we will promptly notify that third party of the correction so the record can be updated.

Article 23. Your Responsibilities

1. You are responsible for keeping your personal information accurate and up to date. You are also responsible for issues caused by inaccurate information you provide. 2. If you create an account using someone else's personal information without authorization, your account may be suspended or terminated and you may be subject to penalties under applicable law. 3. You are responsible for safeguarding your email address, password, and other credentials, and you may not transfer or lend them to a third party.

Article 24. How the Company Protects Personal Information

We implement reasonable technical and administrative safeguards to help prevent personal information from being lost, stolen, disclosed, altered, or damaged.

Article 25. How We Handle Deleted Information

If personal information is deleted or removed at the request of a user or legal representative, we handle it in accordance with our retention rules so that it cannot be accessed or used for any purpose other than those permitted by law.

Article 26. Password Encryption

Passwords are stored and managed using one-way encryption. Access to or changes to personal information are permitted only for the person who knows the password.

Article 27. Security Measures Against Hacking and Other Threats

1. We work to prevent the disclosure or damage of personal information caused by hacking, malware, or other unauthorized access. 2. We use up-to-date security software, including antivirus protections, to help protect user data. 3. We operate intrusion-prevention and related security systems to respond to unexpected threats. 4. When we collect or store sensitive personal information, we use secure transmission methods such as encrypted communications where appropriate.

Article 28. Data Minimization and Employee Training

We limit access to personal information to the smallest number of people reasonably necessary and reinforce compliance with applicable law and internal policy through training and administrative controls.

Article 29. Response to Personal Information Breaches

If we learn of the loss, theft, or unauthorized disclosure of personal information, we will promptly notify affected users and report the matter to the Korea Communications Commission or the Korea Internet & Security Agency, as required by law. That notice will include: 1. The categories of personal information involved 2. When the incident occurred 3. Steps users can take 4. The measures taken by the service provider 5. The department and contact information users can use for assistance

Article 30. Exceptions to Breach Notice

If there is a legitimate reason we cannot contact affected users directly, such as when contact information is unavailable, we may substitute that notice by posting it on our website for at least 30 days.

Article 31. Protection of Personal Information Transferred Overseas

1. We do not enter into international agreements that would violate the Personal Information Protection Act or other applicable laws with respect to users' personal information. 2. If we provide, process, or store personal information overseas (collectively, an "overseas transfer"), we will obtain user consent where required. Consent may not be required where the relevant information is disclosed or notice is otherwise provided in the manner permitted by law. 3. When consent is required, we will notify users in advance of the following: 1. The categories of personal information to be transferred 2. The destination country, transfer date, and transfer method 3. The name of the recipient, or for a corporation, the company name and contact information of the person responsible for information management 4. The purpose of use by the recipient and the applicable retention period 4. If we transfer personal information overseas, we will implement the safeguards required under the Personal Information Protection Act, its Enforcement Decree, and other applicable laws.

Article 32. Cookies and Similar Technologies

1. We use cookies and similar technologies to store and retrieve usage information so we can provide tailored services. Cookies are small pieces of information sent by the website server to your web browser on a PC or mobile device and may be stored on your device. 2. Our separate Cookie Policy describes the current categories of cookies and similar technologies we use, including example providers, retention periods, and available controls. 3. You can choose whether to allow cookies. In your browser settings, you can allow all cookies, receive a prompt each time a cookie is stored, or block all cookies. 4. If you block cookies, some parts of the service that require sign-in may not work properly.

Article 33. How to Manage Cookie Settings

You can manage cookie settings in your web browser. 1. Edge: Settings > Cookies and site permissions > Manage and delete cookies and site data 2. Chrome: Settings > Privacy and security > Cookies and other site data 3. Whale: Settings > Privacy > Cookies and other site data

Article 34. Personal Information Protection Officer

We have designated the following person to protect users' personal information and handle privacy-related complaints: 1. Personal Information Protection Officer 1. Name: Ham Jong Hyun 2. Title: CEO 3. Phone: 4. Email: contact@refresh.cv

Article 35. How to Seek Relief

1. If you believe your personal information rights have been violated, you may seek consultation or dispute resolution from the following organizations: 1. Personal Information Dispute Mediation Committee: 1833-6972 (without area code) (www.kopico.go.kr) 2. Personal Information Infringement Report Center: 118 (without area code) (privacy.kisa.or.kr) 3. Supreme Prosecutors' Office: 1301 (without area code) (www.spo.go.kr) 4. National Police Agency: 182 (without area code) (ecrm.cyber.go.kr) 2. We support users' rights to control their personal information and will do our best to assist with consultations and remedies related to privacy issues. If you need help, please contact the department listed above. 3. A person whose rights or interests were affected by an action or failure to act by a public institution in response to a request under Article 35 (Access to Personal Information), Article 36 (Correction or Deletion of Personal Information), or Article 37 (Suspension of Processing of Personal Information) of the Personal Information Protection Act may seek administrative review under the Administrative Appeals Act. 1. Central Administrative Appeals Commission: 110 (without area code) (www.simpan.go.kr)