Privacy Policy
GENUINENESS Inc. (the “Company”) places the utmost importance on protecting users’ personal data and complies with applicable laws, including without limitation the Personal Information Protection Act of Korea (“PIPA”), the EU General Data Protection Regulation (“GDPR”), and the California Consumer Privacy Act (“CCPA”). This Privacy Policy (this “Policy”) explains how the Company collects, uses, and protects users’ personal data and the measures taken to ensure its security.
This Policy applies to processing in the course of using the Services, and each processing activity is carried out on an appropriate legal basis (e.g., consent, performance of contract, legal obligation).
Article 1. Purposes of Processing, Data Categories, and Retention Periods
1. Processing Without Consent
Pursuant to PIPA Article 15(1)(4), the Company processes the following personal data as required by law.
| Type | Category | Purpose | Data Items | Retention |
|---|---|---|---|---|
| Product purchase (Required) | Order | Delivery of purchased goods | [Delivery info] Recipient name, contact, address, date of birth, age-verification records (including verification time, method, and result) | 5 years (E-Commerce Act Art. 6) |
| Service inquiries (Required) | Inquiry handling | Responding to and resolving inquiries | Phone inquiries: name, email, mobile, ID | 3 years (E-Commerce Act Art. 6) |
| Automatically collected during use (Required) | Logs & analytics | Service provision and quality improvement; marketing/statistics; incident & dispute response | Service usage records (time, store used, purchase history, points accrual/use), payment history, suspension logs, access logs (IP, cookies, etc.), event participation logs, device info (type, OS version, model — device unique identifiers not collected) | Until account deletion or consent withdrawal |
2. Processing Based on Consent
With the user’s consent, the Company processes the following:
| Item | Data Collected | Purpose | Retention |
|---|---|---|---|
| Membership (Required) | Name, date of birth, ID, mobile, gender, email, CI, age-verification records (including verification time, method, and result) | Member identification, duplicate-sign-up prevention, legal compliance | Until account deletion or consent withdrawal |
| Product purchase (Required) | Payment info (card issuer, card number, etc.) | Contract performance, billing, payment/refund processing | 5 years (E-Commerce Act Art. 6) |
| Marketing/Events (Optional) | ID, email, contact, gender, age group | Personalized services; event and new product notices | Until account deletion or consent withdrawal |
3. Additional Use/Provision
Under PIPA Articles 15(3) and 17(4), the Company may use or provide personal data without additional consent to the extent reasonably related to the original purpose of collection.
4. Minors (Under 16) – Processing Principle
The Company does not allow service use by users under sixteen (16) and does not knowingly collect or use personal data from users under 16. The Company does not operate a parental-consent workflow for sign-up/use. Reasonable age-verification measures (e.g., mobile ID age check, self-attestation checkbox, entering year of birth) may be applied and also apply to guest checkout.
5. Post-Action for Erroneous Collection
If personal data of a user under 16 is found to have been collected due to error, misrepresentation, or misuse of another’s information, the Company will promptly suspend processing and delete such data, and may restrict or cancel related accounts/orders. Where data has already been provided to third parties, the Company will request deletion/suspension from the recipients.
6. Records/Evidence
The Company may keep minimal records (e.g., time, method, and result of checks) of age-verification and subsequent actions for dispute-handling, and will retain such records for the legally required period before deletion.
7. Higher Local Thresholds
Where the user’s country of residence imposes a higher minimum service age, that higher threshold may be applied first.
Article 2. Destruction Procedures and Methods
1. Procedure
The Company promptly destroys personal data once the collection/use purpose is fulfilled or the retention period expires. Where retention is required by law, the data is securely stored for the statutory period and then destroyed. If data of a user under 16 is found to have been collected, it will be destroyed without delay except for items subject to statutory retention. Statutory-retention items will be immediately restricted from access/use and destroyed upon expiry.
2. Statutory Retention Items
| Item | Legal Basis | Retention |
|---|---|---|
| Contracts & withdrawal records | E-Commerce Act | 5 years |
| Payment & supply records | E-Commerce Act | 5 years |
| Consumer complaints & dispute records | E-Commerce Act | 3 years |
| Advertising records | E-Commerce Act | 6 months |
| Transaction books & supporting docs | Framework Act on National Taxes | 5 years |
| Electronic financial transaction records | Electronic Financial Transactions Act | 5 years |
| Service logs | Protection of Communications Secrets Act | 3 months |
| Customer due diligence & suspicious transactions | Specific Financial Information Act | 5 years after withdrawal |
3. Methods
• Electronic files: Permanently delete using irrecoverable methods
• Paper documents: Shred or incinerate
Article 3. Outsourcing of Processing
| Processor | Scope of Work |
|---|---|
| Salesforce LLC | E-commerce hosting; email/SMS delivery |
| Dkbmc Inc. | Mall system provision & maintenance |
| Dgcargo Inc. | Warehousing, packing, fulfillment |
| DHL Korea | Product delivery |
| PayPal Korea | Payment processing |
| Adriel Inc. | User analytics; dashboard operations |
| Samjung Data Service | Email/SMS delivery |
The Company obtains prior consent for outsourcing and will announce changes to outsourcing via this Policy.
For service stability and convenience, the Company has migrated the legacy Cafe24-based mall system to a Salesforce-based system. Users’ personal data has been securely transferred and managed within Korea for the same purposes as previously. The migration does not change the categories of data collected, purposes of use, retention periods, or outsourcing scope. Under contract with Salesforce, the Company complies with required technical/organizational safeguards under PIPA, GDPR, CCPA, and other applicable laws.
Article 4. Provision to Third Parties
As a rule, the Company provides personal data to third parties only with the data subject’s consent pursuant to PIPA Article 17(1)(1). By exception, data may be provided for global membership services as follows:
| Recipient | Purpose | Data Items | Retention |
|---|---|---|---|
| GENUINENESS JAPAN INC. | Membership verification in Japan; points accrual/use; customer support | Member ID, name, contact, points history, minimal data | Until account deletion or consent withdrawal |
The Company does not provide personal data of users under 16 to any third party. If erroneous collection is identified, the Company will immediately stop provision and request deletion for any data already provided.
Article 5. Cross-Border Transfers
| Recipient | Country | Purpose | Data Items | Retention |
|---|---|---|---|---|
| Salesforce LLC | Korea | CRM; data analytics | Member, order, payment, marketing data | Until contract end or consent withdrawal |
| GENUINENESS JAPAN INC. | Japan | Local services & support | Member, order/payment, points history, service-use history | Until contract end or consent withdrawal |
| Google LLC (Google Analytics) | U.S. | Usage statistics/analytics | IP address, cookies, usage logs | Until contract end or consent withdrawal |
Data may be stored/processed in third countries that have received an adequacy decision (namely Korea and Japan, as well as the United States for entities certified under the EU–U.S. Data Privacy Framework), and such transfers are made with safeguards required by law only with the data subject’s consent pursuant to PIPA Article 28(1)(1). Users may refuse cross-border transfers by changing settings or emailing 025s@025s.co.kr. However, refusal of international data transfer may limit service availability.
Article 6. User Rights
Users may at any time exercise the rights to access, rectify, delete, restrict processing, and withdraw consent regarding their personal data. Data subjects can access and modify their personal information through the “Personal Information Modification” (or “Edit Profile”) section on the website, or withdraw consent and terminate membership through the “Member Withdrawal” process. Data subjects may also contact the Personal Information Protection Officer in writing, by phone, or by email (025s@025s.co.kr). Additional rights of EU and California residents are described in Article 10. Such rights may also be exercised by a legal representative or an authorized agent in accordance with applicable procedures.
If erroneous collection of personal data relating to a user under 16 is suspected or confirmed, the user or legal representative may report the error and request deletion/restriction; the Company will act without delay and notify the result.
Article 7. Cookies & Google Analytics
1. Cookies are used for personalization and analytics.
2. Data collected: visit frequency, time of use, search terms, purchase history, interests, event participation, etc.
3. Users may refuse cookie storage via browser settings.
   • Microsoft Edge (PC)
      1. Select [Settings] in the top right menu.
      2. Choose [Privacy, Search, and Services].
      3. In the Tracking Prevention section, select ‘Strict’ under ‘Prevent tracking’.
      4. Under the Privacy section, select ‘Send Do Not Track requests’.
   • Google Chrome (PC)
      1. Select [Settings] in the top right menu.
      2. Choose [Privacy and Security].
      3. Navigate to [Cookies and other site data] and choose whether to allow cookies.
   • Google Chrome (Mobile)
      1. Select [Settings] in the top right menu of the browser.
      2. Under Advanced Settings, choose [Site Settings].
      3. Navigate to [Cookies] and choose whether to allow cookies.
   • Safari (macOS)
      1. In the top left menu, select [Safari] and then choose [Preferences].
      2. Go to the [Privacy] tab and select whether to allow cookies.
   • Safari (iOS)
      1. Go to [Settings].
      2. In the app list, select [Safari].
      3. Under [Privacy and Security], choose whether to allow cookies.
4. Google Analytics may transmit cookies and IP information to servers in the United States.
5. Users may opt out via a browser add-on.
6. Retention: up to 14 months (per Google policy).
Article 8. Safeguards
1. Administrative: internal management plan; staff training
2. Technical: access-right management; encryption; security programs
3. Physical: access control for servers and archives
4. International: prompt notification to the affected individuals and 72-hour breach notification to the relevant EU supervisory authority under GDPR
Article 9. Data Protection Officer
• Department: Operations Management Team
• Contact: 025s@025s.co.kr
Article 10. Regional Provisions
1. EU (GDPR): The Company complies with the General Data Protection Regulation (GDPR), and personal information is processed under the following legal grounds as per GDPR:
1. Consent of the data subject
2. Fulfillment of a contract
3. Compliance with legal obligations
4. Protection of vital interests of the data subject
5. Performance of tasks carried out in the public interest or in the exercise of official authority vested in the company
6. Legitimate interests pursued by the company, provided such interests do not override the fundamental rights and freedoms of the data subject. When processing based on legitimate interests, the company performs a balancing test to ensure that the interests of the company do not override the data subject’s rights.
Rights of Data Subjects:
Data subjects have the following rights under GDPR:
• Right to Access: Request information regarding the processing of personal data and verify its legality.
• Right to Rectification: Request correction of inaccurate personal data.
• Right to Erasure (Right to be Forgotten): Request deletion of personal data when consent is withdrawn, the purpose of processing is achieved, or when there is no legal ground for processing.
• Right to Data Portability: Request an electronic copy of personal data and transfer it to a third party.
• Right to Restrict Processing: Request restriction of processing in cases where there is a dispute over the accuracy of the data, the legality of processing, or the necessity of the processing for legal claims. (If restricted, the data will only be stored.)
• Right to Object: Object to the processing of personal data, including direct marketing (by disabling marketing/advertising cookies in the website’s cookie consent banner or via email at 025s@025s.co.kr), or against automated decision-making, including profiling.
Data subjects can exercise their rights by accessing the “Personal Information Change” (or “Update Member Information”) section of the website to review/edit their data, or through “Account Termination” for consent withdrawal/termination. Requests can also be made via email at 025s@025s.co.kr. The Company must respond to the requests and provide information on actions taken within one month of receiving such requests. This period may be extended by an additional two months where necessary. All requests will be processed after verifying the identity of the requester, and complaints may be lodged with the supervisory authority.
Data Breach: In the event of a data breach, the Company will notify the relevant EU supervisory authority and affected users within 72 hours.
2. California (CCPA/CPRA): The Company complies with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) and collects the following categories of personal information. The details of personal information collected/disclosed in the last 12 months are available upon request:
| Personal Information Category | Third Parties Shared With | Business Purpose | Source |
|---|---|---|---|
| Identifiers (Name, email address, phone number, IP address) | GENUINENESS JAPAN INC., Salesforce LLC, Dkbmc Inc., Dgcargo Inc., DHL Korea, PayPal Korea, Adriel Inc., Samjung Data Service, Google Analytics | Data storage, service analysis, delivery | Direct collection |
| Commercial Information (Purchase history, payment information) | PayPal Korea | Payment processing, billing | Direct collection |
| Internet Activity (Web/app browsing history, cookies, access logs, analytics data) | Adriel Inc., Google Analytics | Service analysis and improvement | Direct collection |
| Geolocation (Delivery address) | Dgcargo Inc., DHL Korea | Delivery services | Direct collection |
Rights of California Residents:
• Right to Know: You have the right to request a free disclosure of personal information collected/disclosed/sold within the last 12 months (up to twice per year).
• Right to Correct: You have the right to request correction of inaccurate personal information.
• Right to Delete: You have the right to request deletion of personal information (except where legally exempt).
• Right to Opt-Out of Sharing: You have the right to immediately opt out of the sharing of personal information for behavioral advertising by disabling analytical/advertising cookies in the website’s cookie consent popup or by emailing 025s@025s.co.kr.
• Right to Non-Discrimination: You have the right to exercise rights without being discriminated against (e.g., denial of goods or services).
Exercising Rights:
Data subjects can exercise their rights through the website’s “Personal Information Change” (or “Update Member Information”) function to view/edit, or through “Account Termination” for consent withdrawal/termination. Requests can also be made via email at 025s@025s.co.kr. Upon receiving a request, the Company will process the request after identity verification. Complaints can be lodged with the relevant supervisory authority.
Sales/Sharing of Personal Information:
The Company does not sell personal information for monetary gain. However, personal information may be shared with advertising partners for targeted advertising with the data subject’s consent. California residents can opt-out of the sale/sharing of their personal information for targeted advertising purposes, which may result in limited personalized advertising.
Children under 16:
Parental consent is required for processing the personal information of children under 16, and parents can withdraw consent at any time.
California Civil Code Section 1798.83 (Shine the Light Law):
• California residents may request the following information regarding personal information disclosed to third parties for direct marketing purposes in the immediately preceding year:
o The categories of personal information the Company disclosed to third parties.
o The names and addresses of third parties to whom personal information was disclosed for direct marketing purposes.
3. Other regions: Data may be processed in Korea, the U.S., Japan, etc., and support is provided in accordance with local laws.
Article 11. Changes to this Policy
The Company will notify users in advance of any changes to this Policy.
• Effective Date: December 18, 2025
• Last Revised: December 18, 2025