WE-AR MR Studio Privacy Policy We, WEAR Co., Ltd (hereinafter referred to as "the Company" or "MR Studio"), prioritize the protection of your personal information. The protection of your personal information is a core value that determines the framework and direction of the services and products we provide, and we make every effort to ensure that you can use all the services we provide.

In this Privacy Policy, we will inform you of why and how we use the personal information provided by you, and which measures are taken to protect your personal information.

This Privacy Policy applies to MR Studio and all the websites, apps, events, and other services operated by MR Studio and WEAR Co., Ltd., which are all referred to as "Service(s)" for ease of understanding. However, for some Services, a separate privacy policy may be required, and in such cases, the privacy policy of the relevant Service, not this Privacy Policy, will apply.

We are committed to protecting the personal information and rights of data subjects in accordance with relevant laws and regulations, such as the Personal Information Protection Act and the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. To promptly and smoothly handle related complaints, we establish and disclose this Privacy Policy as follows:

○ This Privacy Policy is effective as of August 1, 2023.

Article 1 Purpose of Processing Personal Information

The Company processes personal information for the following purposes. The personal information processed will not be used for any purpose other than the following purposes, and if the purpose of use is changed, the Company will implement necessary measures in accordance with the Personal Information Protection Act, such as obtaining separate consent:

Membership registration and management

Personal information is processed for the purpose of confirming a member's intention to join, identifying and authenticating the person for the provision of membership services, maintaining and managing membership, preventing unauthorized use of Services, providing various notices and notifications, and handling grievances.

Provision of goods or services

Personal information is processed for the purpose of providing services and contents.

Utilization for marketing and advertising

Personal information is processed for the purpose of providing information about events and advertisements and providing opportunities to participate in events.

Grievance handling

Personal information is processed for the purpose of identifying the identity of a complainant, verifying the complaint, contacting and notifying the complainant for fact-finding, and notifying the outcome of the complaint process.

Article 2 Period of Processing and Retention of Personal Information

① The Company shall process and retain personal information within the period of retention and use of personal information agreed upon when collecting personal information from the data subject or as required by applicable laws and regulations.

② The period of processing and retention of personal information for each purpose is as follows:

Service Membership Registration and Management: Until withdrawal from the membership

However, in cases where the following reasons apply, personal information will be processed and retained until the end of the reason:

If an investigation or inquiry is being conducted due to a violation of relevant laws and regulations, until the end of such investigation or inquiry. If the legal relationship resulting from the use of the Service continues to exist, until the end of such legal relationship.

Provision of goods or services: Until the final provision of goods or services.

However, in cases where the following reasons apply, personal information will be processed and retained until the end of the applicable period:

Records related to indication/advertisement pursuant to the Act on the Consumer Protection in Electronic Commerce and records related to transactions such as contents and implementation of a contract. Records on indication/advertisement: 6 months Records on contract or supply of goods or services: 5 years Records on consumer complaints or dispute resolution: 3 years For other records or materials as required by applicable laws and regulations, until the end of the applicable period prescribed by such laws and regulations.

Article 3 Items of Personal Information Processed

① The Company processes the following personal information items

We collect personal information that you voluntarily provide to us when you express an interest in obtaining information about us or our products and Services, when you participate in activities on the Service, or otherwise you contact us.

The Company does not process sensitive information.

The Company automatically collect device information (such as your mobile device ID, model and manufacturer), operating system, version information and system configuration, device and application identification numbers, browser type and version, hardware model internet service provider and/or mobile carrier, and Internet Protocol (IP) address (or proxy server). If you are using our application(s), we may also collect information about the phone network associated with your mobile device, your mobile device’s operating system or platform, the type of mobile device you use, your mobile device’s unique device ID, and information about the features of our application(s) you accessed.

The Company automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internet analytics and reporting purpose.

The information we collect include :

Log and Usage Data. Log and usage data is service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services and which we record in log files.

Device Data. We collect device data such as information about your computer, phone, tablet, or other device you use to access the Servers.

LoCation Data. We collect location data such as information about your device’s location, which can be either precise or imprecise.

During events/promotions, additional personal information may be collected from users of such services, and if additional personal information is collected, we will inform you of the 'items of personal information to be collected, the purpose of collecting and using personal information, and the retention period of personal information' at the time of collection and obtain your consent. For Service use inquiries, email address and login account are collected mandatorily, and mobile phone number is collected optionally to receive and resolve the inquiries. In the case of receiving a report of infringement of rights, the name, date of birth, mobile phone number, email address, and identification data (the last 7 digits of the resident registration number and the address are redacted) are required to receive and resolve the infringement case, and in the case of receiving the report from a representative submitting a power of attorney, the name and date of birth of the representative are also required. During the service registration process, a unique device ID may be issued and stored for each device or browser, and user activity data, device information (operating system, hardware and software version, available storage space, browser type, device identifier, etc.), access IP information, access logs, ADID or IDFA, date and time of visit, service use history, sanction and suspension history, information uploaded by the user, and cookies may be collected in the course of service use or business operations.

Article 4 Disclosure of Personal Information

① The Company will only use your personal information within the scope notified about the purpose of processing and the collection of your personal information.

② The Company does not sell your personal information to advertisers and will never share information that can identify you (name, email address, or other contact information) unless you specifically give us permission to do so.

③ The Company also does not provide personal information to third parties without your prior consent, except in the following cases:

Only when you expressed your consent in order to use the services of a third party affiliated with MR Studio, your personal information (profile picture, name, email address) may be provided for the purpose of service operation and development or customer consultation; The contents of the personal information to be provided under Article 4, Paragraph 3, Subparagraph 1 may be added or changed in the course of service provisions, and if the personal information required to use the affiliated service is changed, we will obtain your additional consent when you use the service; In addition, if permitted by the Personal Information Protection Act, personal information may be provided accordingly.

Article 5 Personal Information Destruction Procedure and Method

① The Company will promptly destroy the personal information that is no longer needed, such as when the retention period has expired or the purpose of collecting the personal information is achieved.

② If the retention period that you agreed to has expired or the purpose of processing has been achieved but the personal information should be retained in accordance with relevant laws and regulations, the Company transfers such personal information to a separate database (DB) or a different storage location.

③ The procedures and methods of destroying personal information are as follows:

Destruction Procedure

The Company selects the personal information for which the cause for destruction has occurred and destroys the personal information with the approval of the personal information protection manager of the Company.

Destruction Method

The Company destroys personal information in the form of electronic files with technical methods so that restoration is not possible, and destroys personal information printed, recorded, and saved in paper documents by shredding or incinerating them.

Article 6 Measures for the Destruction of Personal Information of Non-Users

The Company turns the accounts of users who did not use Services for 1 year into dormant accounts and stores their personal information separately. Such personal information will be destroyed without delay after being stored for one year.

The Company notifies members whose account is about to become dormant of a plan to store their personal information separately, the scheduled date of transition to dormancy, and the personal information items that will be stored separately, through a method that can be notified to the member, such as email, 30 days before the transition to dormancy.

If you do not want your account to be turned to dormancy, you should log in to the Service before the transition. In addition, if you log in even after the transition, you can restore the dormant account with your consent and use the service normally.

Article 7 Rights and Obligations of Data Subjects and Their Legal Representatives, and Methods of Exercising the Rights

You may exercise the rights against the Company at any time to demand access to and correction and deletion of your personal information and suspension of processing thereof.

The exercise of the rights under Article 10, Paragraph 1 shall be made in writing, by email, or other means to the Company in accordance with Article 41(1) of the Enforcement Decree of the Personal Information Protection Act, and the Company shall promptly take necessary measures.

The exercise of the rights under Article 10, Paragraph 1 may also be made by the member's legal representative or agent who has been delegated. In this case, a power of attorney in accordance with the form of Appendix 11 to the "Guidelines for the Processing of Personal Information" (No. 2020-7) must be submitted.

The right to demand access to your personal information and suspension of processing thereof may be restricted under Article 35(4) and Article 37(2) of the Personal Information Protection Act.

The right to demand correction and deletion of your personal information cannot be exercised if laws and regulations specifiy the personal information to be collected.

The Company shall verify whether the person who demands access to and correction and deletion of his/her personal information, and suspension of processing thereof in accordance with a member's rights is the member or a his/her authorized representative.

Article 8 Measures to Ensure the Protection of Personal Information

The Company takes the following measures to ensure the protection of personal information:

Administrative measures: Establishment and implementation of internal management plans, operation of dedicated organizations, and regular employee training

Technical measures: Management of access rights to personal information processing systems, installation of access control systems, encryption of personal information, installation and update of security programs

Physical measures: Access control to computer rooms, data storage rooms, etc.

Article 9 Installation and Operation of Devices That Automatically Collect Personal Information and Refusal of Such Devices

① The Company uses "cookies" that help store and retrieve member’s visit information in order to provide personalized services to its members.

② A cookie is a small amount of information sent from a server (http) that operates a website to a member's browser and may be stored on a member's device. Purpose of using cookies: To provide members with optimized information by understanding the Services that members visited, the patterns of using and visiting websites, popular search terms, and secure login status, etc. Installation, operation, and refusal of cookies: Members can refuse to store cookies through the option settings in the tool> internet options> privacy menu located at the top of their web browser. If a member refuses to store cookies, there may be difficulties in using personalized Services.

Article 10 Criteria for Additional Use and Provision

① The Company may additionally use and provide personal information without your consent in consideration of the matters set forth in Article 14(2) of the Enforcement Decree of the Personal Information Protection Act in accordance with Articles 15(3) and 17(4) of the Personal Information Protection Act.

② Accordingly, in order for the Company to additionally use and provide personal information without your consent, the following matters have been considered: Whether it is reasonably related to the original purpose for which the personal information was collected; Whether additional use or provision of personal information is foreseeable in light of the circumstances under which the personal information was collected and processing practices; Whether additional use and provision of personal information unfairly infringes on your interests; Whether the measures required to ensure security such as pseudonymization or encryption have been taken.

Article 11. Matters Concerning Personal Information Protection Manager

① The Company has designated a Personal Information Protection Manager as follows to take responsibility for the overall management of personal information and handle complaints and remedies related to the processing of personal information: ▶Personal Information Protection Manager • Name: Chanhee Kim • Position: CEO • Department: Data Privacy and Security Division • Contact: official@we.ar.kr

② You can contact the Personal Information Protection Manager or relevant department for all inquiries, complaints, and remedies related to personal information protection that may arise while using the Company's Services. The Company will promptly respond and handle members' inquiries.

Article 12 Department in Charge of Receiving and Processing Requests for Access to Personal Information

You may request to permit access to your personal information under Article 35 of the Personal Information Protection Act by contacting the following department. The Company will make every effort to process the request promptly.

▶ Department in charge of processing requests for access to personal information

Department Name: Data Privacy and Security Division Contact: official@we.ar.kr

Article 13 Remedies for Infringement of Data Subject's Rights and Interests

① You may seek dispute resolution or counseling on personal information infringement from the Korea Internet & Security Agency's Personal Information Infringement Report Center, the Korea Communications Commission's Personal Information Dispute Mediation Committee, or other organizations. If you need to report or consult about other personal information infringements, please contact the following organizations:

Personal Information Infringement Report Center (http://privacy.kisa.or.kr / 118 without an area code) Personal Information Dispute Mediation Committee (http://www.kopico.go.kr / 1833-6972 without an area code) Supreme Prosecutors' Office (http://www.spo.go.kr / 1301 without an area code) National Police Agency (http://ecrm.cyber.go.kr / 182 without an area code)

② We acknowledge your right to decide on your own personal information and make every effort to provide counseling and remedies for personal information infringement. If you need to report or consult about personal information infringement, please contact the following department: ▶ Customer Counseling and Reporting Department for Personal Information Protection

Department Name: Data Privacy and Security Division Contact: official@we.ar.kr

Article 14 Installation and Operation of Video Processing Equipment

We have installed and are operating video processing equipment as follows:

Ground and purpose of the installation: Safety of facilities and fire prevention. Number of installations, locations, and scope of recording: 7 units installed in major facilities such as buildings and parking lots; scope of recording includes the entire space of the entrances to major facilities. The person and department in charge with access to video information: Kim Chan-hee Recording time, retention period, storage location, and processing method of video information: Recording time: 24 hours Retention period: 14 days from the time of recording Storage location and processing method: Stored and processed in the building's video processing equipment controlling room. Method and location of accessing video information: Request to the building's manager responsible for the management. Actions taken in response to data subjects’ request for access: A request for access to personal video information or a request for confirmation of existence of personal video information shall be made in writing using the prescribed form. The access is permitted only in cases where the data subject is clearly identifiable in the video or when it is necessary to protect the data subject's life, body, or property. Technical, administrative, and physical measures to protect video information: Establishment of an internal management plan, access control and access restriction, application of secure storage and transmission technology for video information, establishment of measures on the storage of processing records and prevention of forgery, provision of storage facilities, and installation of locks, etc.

Article 15 Matters Concerning Changes to the Privacy Policy

This Privacy Policy will be effective from August 1, 2023.