The Company processes personal information for the following purposes.
This processing is based on Article 15, Paragraph 1, Item 1 (Consent of the Data Subject, etc.) of the Personal Information Protection Act.

1. Ethical Management Whistleblowing: Collection of reporter information for online whistleblowing, fact-checking, and notification of investigation results.
2. Participation in CSR Campaigns and Internal/External Events: Collection of participant information for CSR campaigns and internal/external events conducted by the Company.

The Company collects personal information within the minimum scope necessary to provide its services, as follows:

1. Ethical Management Whistleblowing
   • Required Items: Name, Email, Phone Number, Title, Report Type, Detailed Description, Password
   • Optional Items: Attachments (In case of anonymous reporting: Author Name, Email, Phone Number)
   • Collection Method: Direct input via the website
2. Participation in CSR Campaigns/Events
   • Required Items: Name, Gender, Date of Birth, Email, Phone Number, Detailed Description, VMS ID
   • Optional Items: Attachments
   • Collection Method: Naver Forms, Google Forms, SurveyMonkey, Email

• Installation, Operation, and Refusal of Automatic Personal Information Collection Devices
  1. The Company uses "cookies" to store and periodically retrieve usage information to provide personalized services and convenience to users.
  2. A cookie is a small amount of information sent by the server (http), used for website operation, to the data subject’s browser and is stored on the data subject's PC or mobile device.
  3. Data subjects may choose to allow or block cookies through their web browser options. However, refusing to store cookies may result in difficulties using customized services.
• Chrome
  • Top right of the browser > Settings > Privacy and security > Clear browsing data
• Microsoft Edge
  • Top right of the browser > Settings > Privacy, search, and services > Clear browsing data > Choose what to clear > Clear now
• Safari
  • Settings > Safari > Clear History and Website Data
• Firefox
  • Top right of the browser > Settings > Privacy & Security > Cookies and Site Data > Clear Data > Clear

Once the purposes for collecting and using personal information are achieved, the Company destroys the relevant information without delay, as follows:

1. Whistleblowing: Information is destroyed without delay after the purpose of use is achieved. However, the following information will be retained for the specified period for the reasons stated below:
   • Required Items: Author Name, Email, Phone Number, Title, Report Type, Detailed Description, Password
   • Optional Items: Attachments (In case of anonymous reporting: Author Name, Email, Phone Number)
   • Collection Method: Direct input by the visitor via the website
2. Participation in CSR Campaigns/Events: Information is destroyed without delay after the purpose of use is achieved. However, the following information will be retained for the specified period for the reasons stated below:
   • Retained Items: Employee ID, Name, Gender, Date of Birth, Email, Phone Number, Detailed Description, VMS ID
   • Grounds for Retention: Participant verification, participant history management, providing participant information, prize drawing for participants, etc.
   • Retention Period: 1 year

To ensure smooth service provision, the Company entrusts personal information processing tasks to external parties. The Company entrusts tasks related to the processing (handling) of personal information as follows and takes necessary measures to ensure that personal information is managed securely during the entrustment contract in accordance with relevant laws and regulations. Furthermore, the information subject to entrusted processing is limited to the minimum information necessary for smooth service provision. The entities and purposes of the personal information processing (handling) entrustment are as follows:

개인정보의 처리 목적 및 항목 - 서비스 유형, 본 조 ⑦~⑫항 정보 수집 여부, 제품이용 개인정보 저장 위치로 구분되어 있습니다.

Entrusted Entity (Trustee)	Details of Entrusted Tasks	Retention and Use Period
PlanI Co., Ltd.	Website maintenance and service operation	Until the termination of the contract

In principle, the Company does not provide users' personal information to external parties. However, exceptions are made in the following cases:

1. When the consent of the data subject has been obtained.
2. When there are special provisions in the law or when it is inevitable to comply with legal obligations.
3. When it is inevitable for a public institution to perform tasks within its jurisdiction as prescribed by laws and regulations.

Currently, the Company does not provide personal information to third parties. In the event that third-party provision becomes necessary in the future, the Company will notify the data subject in advance of the recipient, the purpose of provision, the items to be provided, and the period of retention and use, and will obtain their consent.

The Company destroys personal information without delay when it becomes unnecessary, such as upon the expiration of the retention period or the achievement of the processing purpose.

1. Destruction Procedure
   • The Company selects the personal information for which a reason for destruction has occurred and destroys the information after obtaining approval from the Privacy Officer (Chief Privacy Officer).
2. Destruction Method
   • Personal information recorded or stored in the form of electronic files is destroyed in a way that the records cannot be reproduced.
   • Personal information recorded or stored on paper documents is destroyed by shredding with a shredder or by incineration to ensure it is irrecoverable.

Data subjects may exercise their rights related to personal information protection against the Company at any time, as follows:

1. Request for Access to Personal Information
   Data subjects may request access to their personal information files held by the Company in accordance with Article 35 (Access to Personal Information) of the Personal Information Protection Act. However, access may be restricted in accordance with Article 35, Paragraph 4 of the Act if:
   • Access is prohibited or restricted by law.
   • Access is likely to cause harm to the life or body of another person, or unfairly infringe upon the property and other interests of another person.
2. Request for Rectification or Erasure of Personal Information
   Data subjects may request the rectification or erasure of their personal information files held by the Company in accordance with Article 36 (Rectification or Erasure of Personal Information) of the Personal Information Protection Act. However, erasure cannot be requested if the personal information is explicitly specified as a subject of collection in other laws and regulations.
3. Request for Suspension of Personal Information Processing
   Data subjects may request the suspension of processing of their personal information files held by EcoPro in accordance with Article 37 (Suspension of Processing of Personal Information, etc.) of the Personal Information Protection Act. Furthermore, the Company may deny a request for suspension of processing in accordance with Article 37, Paragraph 2 of the Act if:
   • There are special provisions in the law or it is inevitable to comply with legal obligations.
   • Suspension is likely to cause harm to the life or body of another person, or unfairly infringe upon the property and other interests of another person.
   • It is difficult to perform a contract, such as failing to provide services agreed upon with the data subject, if the personal information is not processed, and the data subject has not clearly expressed their intent to terminate the contract.
4. Protection of Personal Information of Children Under 14
   • In principle, EcoPro does not collect personal information from children under the age of 14. However, in cases where the collection of such information is inevitable, it will be processed lawfully in accordance with relevant laws and regulations, including obtaining the consent of a legal representative.

Ecopro takes the following technical, administrative, and physical measures necessary to secure safety in accordance with Article 29 of the 「Personal Information Protection Act」 to prevent personal information from being lost, stolen, leaked, falsified or damaged in handling personal information of visitors. However, EcoPro does not take any responsibility for problems caused by leakage of personal information due to the negligence of individual visitors or problems on the Internet.

1. Establishment and implementation of internal management plan
   Ecopro's internal management plan is established and implemented in compliance with the internal management guidelines of the Ministry of Public Administration and Security.
2. Minimization and training of personal information processing personnel
   We designate and minimize the person in charge of handling personal information, and safely manage personal information through regular training for the person in charge.
3. Restriction of access to personal information
   We take necessary measures to control access to personal information by granting, changing, or canceling access rights to the database system that handles personal information, and we control unauthorized access from outside by using an intrusion prevention system.
4. Storage of access records and prevention of forgery/falsification
   Records of access to the personal information processing system (web log, summary information, etc.) are stored and managed for at least 6 months or more for 1 year, and security functions are used to prevent forgery, alteration, theft or loss of access records.
5. Encryption of personal information
   Important personal information of visitors is encrypted and stored and managed. In addition, we use separate security functions such as encrypting important data when storing and transmitting.
6. Technical measures against hacking, etc.
   Ecopro installs a security program to prevent leakage and damage of personal information caused by hacking or computer viruses, periodically updates/inspects the system, installs the system in an area where access from outside is controlled, and technically/physically monitors and blocks it. It also detects attempts to illegally change information as well as network traffic monitoring.
7. Physical measures for safe storage of personal information
   We set up a separate physical storage location for the personal information system that stores personal information, and establish and operate access control procedures. In addition, we take physical measures such as installing a locking device for the safe management of documents with personal information.
8. Operation of an organization dedicated to personal information protection
   Through an in-house personal information protection organization, we check the implementation of personal information protection measures and compliance with the person in charge, and take corrective action immediately when a problem is found.

To protect the personal information of data subjects and to handle complaints and remedy damages related to personal information, the Company has designated the following Privacy Officers and department in charge. You may submit requests to exercise your rights, such as access, rectification, erasure, or suspension of processing, through the contact information below.

1. Privacy Officers
   1. EcoPro Privacy Officer
      • Name: Su-ho Lee
      • Title: Chief Information Security Officer (CISO) / Chief Privacy Officer (CPO)
      • Email: security@ecopro.co.kr
        ※ You will be connected to the personal information protection department.
   2. EcoPro BM Privacy Officer
      • Name: Woo-young Son
      • Title: Head of HR
      • Email: security@ecopro.co.kr
        ※ You will be connected to the personal information protection department.
   3. EcoPro HN Privacy Officer
      • Name: Jong-seop Kim
      • Title: CEO
      • Email: security@ecopro.co.kr
        ※ You will be connected to the personal information protection department.
   4. EcoPro Materials Privacy Officer
      • Name: Pil-jung Jeon
      • Title: Head of HR
      • Email: security@ecopro.co.kr
        ※ You will be connected to the personal information protection department.
   5. EcoPro EM Privacy Officer
      • Name: Jong-hwan Park
      • Title: CEO
      • Email: security@ecopro.co.kr
        ※ You will be connected to the personal information protection department.
   6. EcoPro Innovation Privacy Officer
      • Name: Sun-mi Choi
      • Title: Head of Management Strategy
      • Email: security@ecopro.co.kr
        ※ You will be connected to the personal information protection department.
   7. EcoPro CnG Privacy Officer
      • Name: Seok-hoe Park
      • Title: CEO
      • Email: security@ecopro.co.kr
        ※ You will be connected to the personal information protection department.
   8. EcoPro AP Privacy Officer
      • Name: Jong-cheol Lee
      • Title: COO
      • Email: security@ecopro.co.kr
        ※ You will be connected to the personal information protection department.
   9. EcoPro Partners Privacy Officer
      • Name: Oh-seok Kwon
      • Title: Head of Management Support Team
      • Email: security@ecopro.co.kr
        ※ You will be connected to the personal information protection department.
   10. EcoPro Logistics Privacy Officer
       • Name: Seong-in Kang
       • Title: CEO
       • Email: security@ecopro.co.kr
         ※ You will be connected to the personal information protection department.

If your rights and interests regarding personal information are infringed or if you need consultation, please contact the following organizations.

• Korea Internet & Security Agency Personal Information Infringement Reporting Center (http://privacy.kisa.or.kr / 118 without an area code)
• Supreme Prosecutor's Office Cyber Investigator (http://www.spo.go.kr / 1301 without area code)
• National Police Agency Cyber Security Bureau (http://cyberbureau.police.go.kr / 182 without area code)
• Personal Information Dispute Mediation Committee (http://www.kopico.go.kr / 1833-6972)

This Personal Information Processing Policy was amended on April 30, 2026. In the event of any additions, deletions, or modifications to the content due to the enactment or amendment of relevant laws, changes in government policies, changes in internal company policies, or changes in security technology, the Company will notify users of the reasons for and details of such changes through the website's "Announcements" at least 7 days prior to the amendment.
However, if significant changes occur, such as the provision of personal information to third parties, changes in the purpose of collection and use, or changes in the retention period, the Company will provide notice through the 'News & Notice' section of the website.