Nolja-TOPIK+ Privacy Policy

Effective Date: June 15, 2026

Nolja-TOPIK+(hereinafter referred to as the "Company") establishes and discloses this Privacy Policy in accordance with Article 30 of the 「Personal Information Protection Act」 to protect the personal information of data subjects (users) and to handle related grievances promptly and smoothly.

Article 1 (Purpose of Processing Personal Information)

The Company processes personal information for the following purposes. The processed personal information will not be used for any purpose other than the following, and prior consent will be obtained if the purpose of use is changed.

1. Membership Registration and Management
   • Identity verification for membership service use, personal identification, prevention of unauthorized use
   • Confirmation of intent to join, confirmation of legal representative consent when processing personal information of children under 14
   • Delivery of notices, confirmation of intent to withdraw membership
2. Service Provision
   • Provision of Korean learning content (vocabulary, grammar, sentences, conversation, past TOPIK exam questions)
   • Management of learning history, progress, and statistics, provision of learning goals and achievement rates
   • Provision of learning motivation features such as badges, levels, and rankings
   • Provision of community services (bulletin boards, Q&A, learner showcases)
   • Personalized learning recommendations and provision of customized content
3. Handling of Member Grievances and Civil Complaints
   • Verification of the complainant's identity, verification of complaints, contact/notification for fact-finding, notification of processing results
4. Marketing and Advertising Usage
   • Development of new services and provision of customized services
   • Provision of event/advertising information and opportunities to participate (upon separate consent)
   • Analysis of service usage statistics and identification of access frequency

Article 2 (Items of Personal Information Collected and Collection Methods)

1. Items of personal information collected

a. Required items

• Membership identification information Email address, password

• Profile information Name, nickname

b. Optional items

• Extended profile information Profile image, nationality, gender, avatar selection

• Learning-related information Learning goals (daily vocabulary/grammar/TOPIK/sentence/time goals), expected goal completion date, schedule notes

c. Information automatically collected during service use

• Access logs IP address, date and time of access, service usage records, User Agent (device/browser information)

• Learning activity information Learning history, progress rate, problem-solving results, accuracy rate, study time, earned badges

• Device information FCM push token (upon consent to receive push notifications)

• Cookies Cookies for automatic login and service optimization

2. Methods of personal information collection

• Membership registration and service usage via website and mobile application
• Consultation and inquiries via customer service (email)
• Participation in marketing activities such as event entries and surveys
• Automatically generated and collected during service usage

Article 3 (Processing and Retention Period of Personal Information)

1. The company processes and retains personal information within the period of retention and use of personal information as stipulated by laws and regulations or within the period agreed upon when collecting personal information from the data subject.
2. The processing and retention period for each piece of personal information is as follows.

   • Membership registration and management Until membership withdrawal

   • Learning history and statistics Until membership withdrawal

   • Login history (IP, User Agent) 3 months

   • Records of fraudulent use 1 year

3. However, if retention is required under relevant laws and regulations, it will be stored for the corresponding period.

   • Protection of Communications Secrets Act Login records (connection tracking data) — 3 months

Article 4 (Provision of Personal Information to Third Parties)

1. The company processes the personal information of the data subject only within the scope specified in Article 1 (Purpose of Processing Personal Information) and provides personal information to third parties only in cases that fall under Articles 17 and 18 of the Personal Information Protection Act, such as the consent of the data subject or special provisions of the law.
2. Currently, the company does not provide personal information of data subjects to third parties. If such provision becomes necessary in the future, we will obtain the prior consent of the data subject.

Article 5 (Entrustment of Personal Information Processing)

1. The company entrusts personal information processing tasks as follows for the smooth provision of services.

   • AWS (Amazon WebService)

     • Entrusted task: Image data storage

     • Processed items: Image data storage

   • Google Firebase (Authentication)

     • Entrusted task: User authentication (Google, Apple)

   • Google Firebase (FCM)

     • Entrusted task: Sending push notifications

     • Processed items: FCM token

   • Google Cloud Translation / Gemini / Gemma4

     • Entrusted task: Learning content translation service

     • Processing item: Translation request text (excluding personally identifiable information)

2. When signing a consignment contract, the Company specifies in documents such as the contract matters concerning the prohibition of processing personal information outside the purpose of performing the consignment task, technical and managerial protection measures, restrictions on re-consignment, management and supervision of the trustee, and liability for damages in accordance with Article 26 of the Personal Information Protection Act, and supervises whether the trustee processes personal information safely.
3. If the content of the consignment task or the trustee changes, we will disclose it through this Privacy Policy without delay.

Article 6 (Overseas Transfer of Personal Information)

The Company may transfer personal information overseas for the provision of services.

• Google LLC (USA)

  • Transfer method: Transmission via network when using the service

  • Transferred items: Service usage information, FCM token

  • Transfer purpose: Push notifications

  • Retention period: Until the end of the consignment contract

Article 7 (Rights and Obligations of Data Subjects and Legal Representatives and Method of Exercise)

1. Data subjects may exercise the following rights related to personal information protection against the Company at any time.
   • Request for access to personal information
   • Request for correction in case of errors, etc.
   • Request for deletion
   • Request for suspension of processing
2. The above rights can be exercised through the 'Settings > Profile Management' or 'Account Deletion' functions within the service, or by contacting the customer service email, and the Company will take action without delay.
3. In the case of children under the age of 14, the legal representative has the right to view or modify the child's personal information and the right to withdraw consent for collection and use.
4. The data subject shall not infringe upon the personal information and privacy of the data subject themselves or others processed by the Company in violation of relevant laws such as the Personal Information Protection Act.

Article 8 (Procedure and Method of Destruction of Personal Information)

1. The Company destroys personal information without delay when it becomes unnecessary, such as upon expiration of the personal information retention period or achievement of the processing purpose.
2. Destruction procedure: The information entered by the user is moved to a separate DB after the purpose is achieved, and is stored for a certain period according to internal policies and other relevant laws, or destroyed immediately. Personal information moved to a separate DB is not used for other purposes unless required by law.
3. Destruction method
   • Electronic files: Destroyed using methods such as Low Level Format so that records cannot be reproduced
   • Paper documents: Shredded or incinerated

Article 9 (Measures to Ensure Safety of Personal Information)

The Company takes the following measures to ensure the safety of personal information.

1. Managerial measures
   • Establishment and implementation of internal management plans
   • Minimization and regular training of employees handling personal information
2. Technical measures
   • Management of access rights to personal information processing systems, etc.
   • Installation of access control systems
   • Encryption of unique identification information, etc. (one-way password encryption)
   • Use of JWT-based authentication tokens (Access 60 minutes / Refresh 7 days)
   • HTTPS communication encryption
   • Installation and update of security programs
3. Physical measures
   • Access control to data storage rooms, etc.

Article 10 (Matters concerning the installation, operation, and refusal of automatic personal information collection devices)

1. The company uses 'cookies' to store and retrieve usage information to provide customized services to individual users.
2. Purpose of cookie use
   • Records of services and pages visited by the user
   • Providing optimized services by identifying user learning history, secure login status, etc.
3. Installation, operation, and refusal of cookies
   • Users have the right to choose whether to install cookies and may refuse to save cookies through their web browser/mobile app settings.
   • Refusing to save cookies may cause difficulties in using customized services.

Article 11 (FCM Push Notifications)

1. The company provides push notifications using Firebase Cloud Messaging (FCM).
2. The receipt of push notifications is subject to the user's consent and is classified into the following types.
   • Notice Push: Service announcements, important notices
   • Marketing Push: Events, promotional information
3. Users may withdraw their consent to receive push notifications at any time via Settings > Notification Settings.

Article 12 (Chief Privacy Officer)

The company designates a Chief Privacy Officer as follows to oversee the tasks related to personal information processing and to handle complaints and provide remedy for damages of data subjects regarding personal information processing.

• Chief Privacy Officer David.Park

• Position CPO

• Contact [email protected]

Article 13 (Methods for Remedy for Infringement of Rights)

Data subjects may apply to the following organizations for dispute resolution or consultation to receive remedy for personal information infringement.

• Personal Information Dispute Mediation Committee 1833-6972 www.kopico.go.kr

• Personal Information Infringement Report Center 118 privacy.kisa.or.kr

• Supreme Prosecutors' Office 1301 www.spo.go.kr

• Korean National Police Agency 182 ecrm.police.go.kr

Article 14 (Changes to the Privacy Policy)

1. This Privacy Policy is June 15, 2026applies from.
2. If this Privacy Policy is changed, the company will notify users through notices within the service at least 7 days before the changes take effect. However, if there are significant changes to user rights, we will notify you at least 30 days in advance.

Addendum

This Privacy Policy June 15, 2026takes effect from.