The Company processes personal information for the following purposes. The processed personal information will not be used for any other purposes unless the purpose of use changes, in which case prior consent will be obtained.

A.IR Meeting Requests and Service Provision The Company collects personal information within the minimum scope for IR meeting requests. The specific purposes of processing are as follows:
- Securing communication channels for responding to or handling IR meeting requests

The Company collects and processes the minimum necessary personal information as follows. If the information needs to be preserved in accordance with the relevant laws and regulations, the information may be retained for the legally required period.

The Company does not provide to a third party the personal information of the Data subjects. The personal information is provided to a third party only in such cases as when the Data subjects consent to such provision, or the personal information needs to be provided to a third party under Article 17 or Article 18 of the Personal Information Protection Act. If personal information is to be provided to a third party, it will be disclosed in accordance with the Personal Information Processing Policy.

For the effective processing of personal information, the company consigns the personal information processing to an external service provider as follows. If the content of the consigned work or the service provider changes, we will promptly disclose it in accordance with the Personal Information Processing through this policy without delay.

The Company promptly destroys personal information when the purpose of its collection and use has been achieved or if the retention period has expired. If the retention of personal information is required by relevant laws, the information will be stored in a separate database (DB) or transferred to a different storage location.

Destruction Procedure and Methods
1) For electronic files: Deleted using a technical method that prevents recovery.
2) For paper documents and other records: Shredded or incinerated.

The Company takes the following measures to ensure the security of personal information against loss, theft, leakage, alteration, or damage.

A.Development and Implementation of an Internal Management Plan
The Company implements an internal management plan based on standards for securing the safety of personal information.

B.Minimization and Training of Personal Information Processing Personnel
The Company limits access to personal information to designated personnel, assigns separate passwords that are regularly updated, and provides ongoing training to reinforce compliance with the Company’s privacy policies.

C.Access Restrictions to Personal Information
Access control measures are in place to restrict access, modify, and delete personal information within the Company’s database systems. Personnel accessing the personal information processing system via external networks must use a Virtual Private Network (VPN).

D.Record Maintenance and Tamper-Proofing of Access Logs Access logs to the personal information processing system (e.g., web logs) are retained and managed for at least one year, and security measures are implemented to prevent tampering, theft, or loss of access logs.

E.Encryption of Personal Information
Personal information is stored and managed in encrypted form. Additionally, sensitive data is encrypted for secure storage and transmission.

F.Measures against Hacking and Viruses
1) The Company takes all necessary measures to prevent the leakage or damage of personal information due to hacking or computer viruses.
2) Data is regularly backed up, antivirus software is maintained, and encryption is used for secure data transmission.
3) Unauthorized access from outside sources is blocked through a firewall, and all possible technical measures are employed to ensure security.

G.Control of Physical Access to Data Storage Facilities
The Company’s privacy protection team monitors the implementation of privacy policies. If issues are detected, corrective measures are taken promptly. However, the Company is not responsible for any issues arising from data subjects’ negligence or issues with the internet that lead to the disclosure of IDs, passwords, social security numbers, etc.

The Company currently does not operate any tools that automatically collect personal information, such as cookies. However, if necessary for future service provision, the Company may install and operate automatic collection tools. In such cases, data subjects will be given the option to accept or refuse the installation of cookies, or to reject the storage of all cookies.

Cookies are used to support a faster and more convenient use of websites and to provide customized services.

A.What is a Cookie?
Cookies are small text files sent by the server operating the website to the data subjects' browser, which are then stored on the hard disk of the data subjects' computer. When the data subjects revisit the website, the website server reads the contents of the cookies stored on the data subjects' hard disk to maintain their preferences and provide customized services. Cookies do not automatically or actively collect information that identifies individuals, and data subjects may refuse or delete stored cookies at any time.

B.Installation, Administration and Refusal of Cookies
Data subjects have an option of installing cookies, and can configure settings (allowing, blocking, deletion etc. of cookies) through a web browser option.
· Allowing and blocking cookies at web browser.
1. Chrome: Web browser settings > Personal information protection and security > Deleting internet use record.
2. Edge: Web browser settings > Cookies and site authorization > Managing and deleting cookies and site data.

· Permitting and blocking cookies at mobile browser
1. Chrome: Mobile browser settings > Personal information protection and security > Deleting internet use record.
2. Safari: Mobile device settings > Safari > Advanced > Blocking all cookies.
3. Samsung internet: Mobile browser settings > Internet use record > Deleting internet use record.

The Company designates the following Personal Information Protection Officer and personnel to protect customers' personal information and handle complaints related to personal information.

If you have any complaints related to the protection of personal information arising from the use of our services, you can report them to the Personal Information Management Officer or the relevant department. We will promptly provide sufficient answers to your reported issues.

Data subjects may request access to their personal information under Article 35 of the Personal Information Protection Act by contacting the following department. The Company will make every effort to promptly process data subjects' requests for access.

[Personal Information Access Request Handling Department]
- Department: Brand Design Team
- Email: haecheul.shim@hd.com

Data subjects may seek relief for personal data breaches by requesting dispute resolution or consultation from relevant authorities. Please contact the following organizations if you need to report or seek consultation regarding a personal information violation.
- Personal Information Dispute Mediation Committee : (No area code needed) 1833-6972 (www.kopico.go.kr)
- Personal Information Infringement Report Center of the KISA : (No area code needed) 118 (privacy.kisa.or.kr)
- Supreme Prosecutors' Office : (No area code needed) 1301 (www.spo.go.kr)
- National Police Agency : (No area code needed) 182 (ecrm.police.go.kr)

This policy will enter into force on June 18, 2025.

The previous privacy policy can be found at the top right.