BACO Solution Co., Ltd. (hereinafter referred to as the "Company") complies with the Personal Information Protection Act of the Republic of Korea and other applicable laws and regulations in order to protect the freedom and rights of data subjects. The Company processes personal information lawfully and implements appropriate measures to ensure the safe and secure management of such information.

Pursuant to Article 30 of the Personal Information Protection Act, the Company hereby establishes and discloses this Privacy Policy to inform data subjects of the procedures and standards for the processing of personal information and to ensure that any related complaints are handled promptly and efficiently.

In the event of any amendment to this Privacy Policy, the Company shall provide notice through its website or by individual notice, as required under applicable laws.

Article 1. Purpose of Processing Personal Information

The Company processes personal information solely for the purposes specified below. Personal information shall not be processed for any purpose other than those expressly stated herein. Where it becomes necessary to change the purpose of processing, the Company shall take all measures required under applicable laws, including obtaining additional consent from the data subject, where required.

1. Provision of Services for the Protection of Data Subject Rights
   The Company processes personal information to respond to inquiries from data subjects regarding personal information, to communicate the results of requested matters, and to ensure smooth and effective communication between the data subject and the Company.
2. Use for Statistical and Service Improvement Purposes
   The Company may process personal information to analyze service usage statistics for the purpose of improving service quality and operational efficiency.

Article 2. Items of Personal Information Collected, Retention, and Use Period

1. The Company processes and retains personal information only within the period agreed upon by the data subject at the time of collection or as required or permitted by applicable laws.
2. The Company shall retain personal information only for as long as necessary to fulfill the purposes for which it was collected. Once the purpose of processing has been achieved, the Company shall destroy such personal information without undue delay, unless a longer retention period is required or permitted under applicable laws.
3. The details of personal information collected and retained are as follows:

Category	Item Classification	Items Collected	Legal Basis	Retention and Use Period
Provision of services for the protection of data subject rights	Mandatory	Name; type of inquirer; company location; telephone number; mobile phone number; email address; inquiry content; cookies	Consent of the data subject	Three (3) years

Article 3. Provision of Personal Information to Third Parties

The Company shall not, in principle, provide personal information to third parties. Notwithstanding the foregoing, personal information may be provided in the following cases:

1. Where the data subject has provided prior consent; or
2. Where disclosure is required pursuant to applicable laws or is requested by competent authorities in accordance with procedures prescribed by applicable laws.

Article 4. Processing of Personal Information of Children Under the Age of 14

1. Where the Company collects personal information from a child under the age of 14, the Company shall obtain verifiable consent from the legal guardian and shall collect only the minimum personal information necessary for the provision of the relevant service.
   • Mandatory items: Name of legal guardian; relationship; contact information
2. The Company verifies whether valid consent has been obtained from the legal guardian through one or more of the following methods:
   • Posting the consent details on an internet website and notifying the legal guardian via text message that the consent has been confirmed;
   • Posting the consent details on an internet website and verifying the identity of the legal guardian through mobile phone authentication or equivalent methods;
   • Any other method equivalent to the foregoing that informs the legal guardian of the consent details and confirms the expression of consent.

Article 5. Outsourcing of Personal Information Processing

1. For the efficient processing of personal information-related tasks, the Company may outsource certain processing activities to third-party service providers.
2. In such cases, the Company shall enter into written agreements with such service providers and shall supervise and manage them to ensure that personal information is processed safely and in accordance with applicable laws and the Company's internal policies.
   • Outsourced task: Website operation and management
   - Service provider: HKD Coms Co., Ltd.
   - Description of outsourced work: Website and system management
   - Retention and use period: Until termination of the outsourcing agreement

Article 6. Procedures and Methods for Destruction of Personal Information

1. The Company shall destroy personal information without undue delay when it becomes unnecessary due to the expiration of the retention period or the achievement of the processing purpose.
2. Where personal information must be retained pursuant to other applicable laws despite the expiration of the retention period or the achievement of the processing purpose, such personal information shall be stored separately in an independent database or in a different storage location.
3. The procedures and methods for destruction of personal information are as follows:
   • Destruction procedure: The Company shall identify personal information subject to destruction and shall destroy such information upon approval of the Company's Chief Privacy Officer.
   • Destruction method: Personal information stored in electronic file form shall be destroyed in a manner that renders such information irrecoverable. Personal information recorded in paper form shall be destroyed by shredding or incineration.

Article 7. Rights and Obligations of Data Subjects and Legal Guardians

1. Data subjects shall have the right to request access to, correction of, deletion of, or restriction on the processing of their personal information, as permitted under applicable laws.
2. Where the data subject is a child under the age of 14, such rights shall be exercised by the legal guardian. Where the data subject is a minor aged 14 or older, such rights may be exercised either by the data subject directly or through the legal guardian.
3. Requests to exercise rights may be submitted to the Company in writing, by email, or by facsimile in accordance with applicable laws, and the Company shall respond without undue delay.
4. Requests may be submitted through a legal guardian or an authorized representative. In such cases, a duly executed power of attorney shall be submitted in accordance with applicable laws.
5. The exercise of rights may be restricted where permitted under applicable laws.
6. The Company shall verify whether the individual exercising such rights is the data subject or a duly authorized representative.

Article 8. Measures to Ensure the Security of Personal Information

The Company implements appropriate administrative, technical, and physical safeguards to protect personal information from unauthorized access, disclosure, alteration, or destruction, including but not limited to the following:

1. Administrative measures: Establishment and implementation of internal management plans; regular employee training;
2. Technical measures: Management of access rights; operation of access control systems; encryption of personal information; installation and operation of security programs;
3. Physical measures: Access control to data processing facilities and document storage areas.

Article 9. Automatic Collection Devices and Related Matters

The Company may use cookies or similar technologies to store and retrieve information related to website usage. Data subjects may configure their web browser settings to allow all cookies, prompt confirmation for each cookie, or refuse all cookies. Please note that refusal to use cookies may limit the availability of certain services.

Article 10. Chief Privacy Officer

1. The Company designates a Chief Privacy Officer to oversee personal information processing and to handle inquiries, complaints, and remedies related to personal information protection.
   

   • Name: Jay Lee

   • Title: Manager

   • Telephone: +82-31-613-8089

   • Email: jhlee@baco-solution.com

2. Data subjects may contact the Chief Privacy Officer regarding any matters related to personal information protection, and the Company shall respond without undue delay.

Article 11. Remedies for Infringement of Rights

Data subjects may seek consultation or dispute resolution regarding personal information infringement from the following institutions:

• Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
• Personal Information Infringement Report Center (KISA): 118 (privacy.kisa.or.kr)
• Supreme Prosecutors' Office: 1301 (www.spo.go.kr)
• National Police Agency: 182 (cyberbureau.police.go.kr)

A data subject whose rights or interests have been infringed due to a disposition or omission by the head of a public institution in response to a request made pursuant to applicable laws may file an administrative appeal in accordance with the Administrative Appeals Act.

Article 12. Amendment of this Privacy Policy

This Privacy Policy shall take effect as of November 1, 2025.