# Privacy Policy JKAI LLC (hereinafter referred to as the “Company”) complies with applicable data protection laws and internationally recognized principles to safeguard users’ rights and freedoms. The Company processes personal data lawfully and transparently, and takes appropriate technical and organizational measures to ensure security. This Policy describes the procedures and standards for processing personal data and provides guidance on how related inquiries will be handled promptly and effectively. ## 1. Purpose of Processing, Data Items, Retention and Use Period The Company collects and processes only the minimum personal data necessary to provide the Service, and does not use it for purposes other than those disclosed. If the purpose or data items change, prior consent will be obtained. ### 1. Membership Registration (Social Login) * Purpose of Collection/Processing * Member identification and management, customer support * Prevention of fraudulent or unauthorized use * Provision of advertising information and participation opportunities (with consent) * Provision and cancellation of ancillary services * Compliance with legal obligations * Data Items** * [Required] Social login identifiers (provider/user unique ID), authentication/session tokens, email * Retention Period * Destroyed immediately upon member withdrawal or fulfillment of purpose * Authentication/session tokens destroyed upon expiration or logout * Where law requires retention, the statutory period shall apply ### 2. Step Count * Purpose of Collection/Processing * Mission participation and reward provision * Data Items * [Optional] Step count data * Retention Period * Destroyed immediately upon withdrawal or fulfillment of purpose ### 3. Reward Fulfillment (Digital Vouchers/Codes) * Purpose of Collection/Processing * Delivery of event/mission rewards and eligibility verification (if necessary) * Data Items * Name, contact information (email/phone), minimum data necessary for delivery/confirmation (e.g., delivery logs, receipt status) * Retention Period * Retained until completion of reward fulfillment and response period for errors/claims, then destroyed or anonymized If additional data collection is required by law, the Company will provide prior notice of the purpose, data items, and retention period, and obtain consent where necessary. ## 2. Provision of Personal Data to Third Parties The Company does not sell personal data. Personal data may be provided to third parties only in the following cases, and only to the minimum extent necessary. Prior notice and consent procedures required by law will be followed. * With prior consent of the user * As required by law or lawful requests from government/judicial authorities * Where essential for service performance or operation (e.g., reward fulfillment, advertising/marketing networks or SDKs, cloud, security/fraud prevention) * Where necessary to protect the rights or safety of the Company, users, or third parties Categories of recipients: * Reward fulfillment partners (digital voucher/code issuance/delivery) * Advertising/marketing networks or SDKs (e.g., mobile ad networks) * Analytics/attribution partners (web/app analytics and performance measurement) * Monitoring/log analysis partners (infrastructure and application monitoring) * Cloud and security service providers Cross-border transfers: In the course of provision, personal data may be transferred to, stored in, or remotely accessed from outside the user’s country of residence (e.g., the United States, Singapore). The Company applies appropriate safeguards in accordance with applicable law (e.g., Standard Contractual Clauses), as well as encryption and access control. Where required, prior notice and consent will be obtained. Minimum provision and notice of change: Data provided is limited to the minimum necessary for the stated purpose. If categories or purposes change materially, prior notice will be given and new consent obtained if necessary. ## 3. Outsourcing of Processing The Company may entrust certain tasks to specialized external service providers. Contracts specify compliance with data protection instructions, confidentiality, access minimization, prohibition of re-outsourcing without approval, security measures, breach notification and liability, and destruction/return upon completion. For cross-border outsourcing, appropriate safeguards required by law are applied. | Category | Entrusted Tasks | Retention/Use Period | |---|---|---| | Reward Fulfillment | Digital voucher/code issuance, delivery, receipt confirmation | Until termination of outsourcing contract or fulfillment of purpose | | Cloud/Hosting | Storage, processing, and backup of Service data | Same as above | | Monitoring/Log Analysis | Monitoring of failures, performance, and security; log analysis | Same as above | | Analytics/Attribution | App/web usage analysis, campaign performance measurement | Same as above | ## 4. Retention and Destruction of Personal Data 1. Principle The Company destroys personal data without delay once retention periods expire, processing purposes are achieved, consent is withdrawn, or accounts remain inactive for a long period. If retention is legally required, data will be destroyed immediately after the required period. 2. Procedure Personal data subject to destruction is deleted following internal approval procedures. If temporary retention is required, the data is isolated in a separate storage area until the purpose or reason is resolved, then destroyed. 3. Method Electronic data is permanently deleted in an unrecoverable manner. Paper records are shredded or incinerated. Backup data is deleted by periodic overwriting or separate deletion procedures. ## 5. Rights of Data Subjects and How to Exercise Them 1. Rights Within the scope permitted by law, data subjects may exercise the following rights: * Request access to and copies of personal data * Request rectification or deletion * Request restriction of processing and object to processing * Request data portability (where applicable) * Withdraw consent and opt out of marketing * Object to automated decision-making (where applicable) 2. How to Exercise Requests may be submitted via in-app/web settings, customer support menu, or email. Email: contact@jkai.app Reasonable additional information may be requested to verify identity. Authorized representatives must submit documentation verifying representation. 3. Processing of Requests Requests will be processed without delay. If full or partial restrictions apply (e.g., to protect other users’ rights or due to retention obligations), the reason will be provided. 4. Account Deletion Withdrawal may be requested in [Settings] > [Account] > [My Information] > [Delete Account]. Upon withdrawal, personal data will be destroyed without delay, except for data required by law to be retained. 5. Marketing/Advertising Settings Consent for personalized ads or marketing may be changed at any time in app settings. If consent is refused or withdrawn, only non-personalized (contextual) ads may be shown. Device settings also allow resetting advertising IDs or limiting tracking. ## 6. Safeguards for Personal Data The Company takes the following measures to ensure security of personal data: 1. Administrative Measures * Establishment and implementation of internal management plans * Logging of processing activities * Access minimization, periodic review, and segregation of duties * Security and privacy training for staff and processors * Supervision of processors and restrictions on re-outsourcing 2. Technical Measures * Encryption and key management for data transmission and storage * Access control (authentication/authorization) and multi-factor authentication for administrator accounts * Security monitoring, log retention, and anomaly detection * Regular vulnerability scans, updates, and backup/recovery systems 3. Physical Measures * Access control and visitor logs for server rooms and storage areas * Secure storage and disposal of physical media (documents, backups, etc.) 4. Incident Response * Incident detection, assessment, blocking, and recovery procedures * Notification without undue delay and recurrence prevention, where required by law ## 7. Behavioral Data Collection, Use, Provision, and Opt-Out 1. Purpose Improvement of service quality, statistics/analytics, fraud prevention; provision and measurement of personalized or non-personalized ads (in compliance with local requirements). 2. Data Items and Methods * App usage logs (access, clicks, screen transitions, feature use) * Device/app information (ad identifier, app/OS version, device model, language settings), approximate location (country/region) * Automatic collection through in-app SDKs and cookie-like technologies 3. Retention and Subsequent Processing Data is deleted or anonymized once purposes are achieved. Ad identifiers are handled in accordance with platform policies and user settings. 4. Exclusion of Sensitive Behavioral Data The Company does not collect sensitive behavioral data that may excessively infringe users’ rights (e.g., beliefs, health, sexual life, political opinions). 5. Control of Personalized Advertising Users may change or withdraw consent for personalized ads within app settings. Device settings allow resetting of ad identifiers or restricting tracking. 6. Contact Inquiries or opt-out requests regarding behavioral data: contact@jkai.app ## 8. Processing and Disclosure of Sensitive Data 1. Principle The Company does not collect or disclose sensitive personal data (e.g., health, biometric, religious, or political views) unnecessary for Service provision. 2. Exceptions Where legally required or unavoidable for essential service purposes, the minimum necessary scope is processed. Prior notice and consent will be obtained if required. Strict access restrictions and encryption are applied. Data is destroyed without delay once the retention period expires. 3. User Guidance Users should avoid including sensitive data in content, inquiries, or profiles. Where disclosure settings are available, users may control the scope of disclosure. ## 9. Data Protection Officer and Contact Information 1. Designation The Company appoints a Data Protection Officer (DPO) responsible for overseeing data processing, inquiries, complaints, and remedies. 2. DPO Contact * Name: Kai Lee * Position: Data Protection Officer * Address: 197 Jeongjail-ro, Bundang-gu, Seongnam-si, Gyeonggi-do, Republic of Korea * Email: contact@jkai.app 3. Contact Channels Personal data inquiries, complaints, and rights requests may be submitted via in-app/web support menus or email. The Company will handle requests without undue delay. ## 10. Dispute Resolution and Remedies 1. Internal Handling Users may submit inquiries, complaints, or requests for remedies to the Company, which will promptly investigate and provide results. 2. External Remedies If dissatisfied with the Company’s response or seeking further assistance, users may file complaints with supervisory authorities or dispute resolution bodies in their jurisdiction. Relevant institutions and procedures may vary by country/region. ## 11. Protection of Children’s Personal Data 1. Membership Restriction The Service is not intended for children under 13 or below the minimum age required by local law. 2. Parental Consent Where parental consent is required by law, minors must complete consent procedures, and the Company may take reasonable steps to verify consent. 3. Action in Case of Improper Collection If personal data of children is collected without parental consent, the Company will promptly delete such data and take necessary measures. Inquiries: contact@jkai.app ## 12. Changes to this Privacy Policy and Governing Law 1. Amendments The Company may revise this Policy due to changes in the Service, applicable law, or operational practices. Significant changes will be announced in advance by reasonable means (e.g., app/web notices). 2. Effective Date Revised policies shall take effect on the notified effective date. 3. Implementation Date This Policy takes effect as of: 2025-09-24 4. Governing Law and Language This Policy shall be governed by and construed in accordance with the laws of Singapore, unless otherwise required by mandatory laws of the user’s country of residence. This Policy is provided in English. Translations may be made available for convenience; in the event of any inconsistency, the English version shall prevail.