Suprema Inc. (“the Company”) is committed to protecting the personal information of its users and complies with all applicable data protection laws, including the Personal Information Protection Act of the Republic of Korea, the Act on Promotion of Information and Communications Network Utilization and Information Protection, and the General Data Protection Regulation (“GDPR”) of the European Union.
This Privacy Policy explains how the Company collects, uses, and protects personal information in connection with the services provided through BioStar Air, including the BioStar Air Portal, Partner Portal, Developer Portal, and Suprema Pass app.
Article 1. Items of Personal Information to be Collected
1. The Company collects only the minimum personal information necessary to provide and operate the Services. Where required by law, such as under Article 18 of the Personal Information Protection Act (South Korea), the Company obtains separate consent for specific processing purposes.
2. The personal information collected varies by service and user type, as outlined below.
Site Administrator Account Management
Service | Required Information |
---|---|
BioStar Air Portal | Email address, nickname, password |
BioStar Air Partner Portal | Email address, password |
Developer Member Management
Service | Required Information |
---|---|
BioStar Air Developer Portal | Corporate Name, Email, Password |
Article 2. Methods of Collection
The Company collects personal information through the following methods:
- Through direct user input during use of the BioStar Air Portal, self-enrollment via email or web, third-party system integration via API, or through the Suprema Pass app.
- Through administrative registration by Site Administrators via the BioStar Air Portal.
Article 3. Purpose of Use of Personal Information
The Company collects and uses personal information for the purposes described below. Personal information will not be used for any purposes beyond those stated, unless required or permitted by applicable law. If the purpose of use changes, the Company will take the legally required steps, such as obtaining the Customer’s prior consent.
1. Site Administrator Account Management
Purposes of Use:
- Administrator’s identity verification and account management
- Issuance and installation of credentials
- Management of site settings, devices, and users
Legal Basis:
- Consent of the data subject
- Article 15 of the Personal Information Protection Act (Korea)
2. Developer Member Management
Purposes of Use:
- Developer member management
Legal Basis:
- Consent of the data subject
- Article 15 of the Personal Information Protection Act (Korea)
Article 4. Retention and Use Period of Personal Information
1. General Retention Principle
(a) The Company will promptly delete a User’s personal information once the purpose for which the information was collected has been achieved, unless retention is required by applicable law.
(b) If a User consents at the time of collection to a longer retention period for specific purposes, the Company will retain the information for the agreed period.
2. Retention Periods by Service Division
The retention period for personal information depends on the type of service and the nature of the data collected.
a. Site Administrator Account Management
Items Collected:
- BioStar Air Partner Portal: Email address, password
- BioStar Air Portal: Email address, nickname, password
Retention Period: Retained until the User withdraws their membership or terminates the Service.
b. Developer Member Management
Items Collected:
- BioStar Air Developer Portal: Corporate Name, Email, Password
Retention Period: Retained until the User withdraws their membership or terminates the Service.
3. Retention for Transaction-Related and Legal Purposes
Notwithstanding the above, the Company may retain certain personal data for a specified period for the purposes of transaction management, verification of legal or duty relationships, or compliance with statutory obligations. The retention periods are as follows:
(a) Personal information related to service use: Retained for 3 months, in accordance with the Information Subject Consent and the Protection of Communications Secrets Act (South Korea).
(b) Records of indications and advertisements: Retained for 6 months, in line with the Consumer Protection Act for e-commerce (South Korea).
(c) Records relating to contract formation or withdrawal: Retained for 5 years, as required by the Consumer Protection Act for e-commerce (South Korea).
(d) Records of payment transactions and goods supply: Retained for 5 years, pursuant to the Consumer Protection Act for e-commerce (South Korea).
(e) Records of consumer complaints or dispute resolution: Retained for 3 years, in accordance with the Consumer Protection Act for e-commerce (South Korea).
Article 5. Provision of Personal Data to Third Parties
1. The Company does not provide a user’s personal information to any third party without the user’s consent, unless required or permitted by applicable laws or regulations.
2. However, the Company may provide personal information without the user's consent in the following circumstances:
(a) When necessary to process payments or settle service-related charges;
(b) When personal information is provided in a form that cannot identify a specific individual, for purposes such as statistical analysis, academic research, or market research, and is disclosed to authorized research institutions or survey organizations;
(c) When the provision of personal information is required by law, including but not limited to:
- Personal Information Protection Act (South Korea)
- Act on Promotion of Information and Communications Network Utilization and Information Protection (South Korea)
- Protection of Communications Secrets Act (South Korea)
- Framework Act on National Taxes (South Korea)
- Act on Real Name Financial Transactions and Confidentiality (South Korea)
- Act on Use and Protection of Credit Information (South Korea)
- Framework Act on Telecommunications (South Korea)
- Telecommunications Business Act (South Korea)
- Local Tax Act (South Korea)
- Consumer Protection Act (South Korea)
- Criminal Procedure Act (South Korea)
- Other applicable laws and regulations
Article 6. Consignment of Personal Information Processing and Overseas Transfer
1. The Company entrusts certain personal information processing activities to external service providers to ensure secure and stable service delivery. Entrusted providers implement technical and administrative safeguards in accordance with contractual requirements. These providers offer infrastructure services only and do not directly access user data.
Entrusted Processing of Personal Information
Entrusted Party | Purpose of Processing | Retention and Use Period |
---|---|---|
Amazon Web Services Inc. | Cloud infrastructure services (data storage in Korea) | Until the user opts out of the service or requests deletion |
- For Customers located outside of the EU and UK, the Company primarily stores and processes personal information on Amazon AWS servers located in the Republic of Korea.
- For disaster recovery and high availability purposes, data may be temporarily routed to Amazon AWS servers in Japan. These servers serve as a failover region only and are not used for regular processing.
Cross-Border Transfer of Personal Information (EU/UK Customers Only)
Data Items Transferred | Destination Country | Transfer Method and Timing | Recipient | Contact Email | Purpose of Use | Retention and Use Period |
---|---|---|---|---|---|---|
Member information, error logs, customer support communications | Germany (Frankfurt) | Data is transmitted through secure network channels at the time of user input or service operation | Amazon Web Services Inc. | AWS-Korea-privacy@amazon.com | Cloud data storage (EU/UK region only) | Deleted after 6 months of storage; deleted if unused for 2 years; immediately deleted upon account withdrawal or completion of processing purpose |
Note: You have the right to refuse the overseas transfer of your personal information by contacting the Company’s Data Protection Officer or designated support team. However, refusal may limit your ability to use certain services provided by Suprema.
2. The Company supervises its service providers to ensure they do not process personal information for unauthorized purposes, that they comply with required technical and administrative safeguards, and that they adhere to applicable personal information laws and regulations.
3. If there are changes to the scope of entrusted processing or to the entrusted providers, the Company will update this Privacy Policy without delay and provide appropriate notice.
Article 7. Rights and Obligations of Data Subjects and Methods of Exercise
1. Data subjects may exercise their rights at any time against the Company, including the right to request access to, correction of, deletion of, or suspension of the processing of their personal information.
2. Data subjects may exercise these rights by submitting a request in writing, via email, or via fax. The Company will process such requests without undue delay.
3. These rights may also be exercised through a legal representative or a delegated proxy. In such cases, a signed power of attorney must be submitted.
4. If the data subject is under the age of 14, their legal guardian must exercise these rights on their behalf. If the data subject is 14 or older but still a minor, they may exercise their rights independently or through their legal guardian.
5. The right to request access to or suspension of personal information processing may be restricted under Articles 35(4) and 37(2) of the Personal Information Protection Act (South Korea).
6. Requests to correct or delete personal information may be refused if the data is required to be retained under applicable law.
7. Upon receiving a request for access, correction, deletion, or suspension of processing, the Company will verify the identity of the requester to ensure they are the data subject or an authorized representative.
How to View, Change, or Withdraw Member Information and Consent
Service | View/Change Info | Withdrawal of Membership / Consent |
---|---|---|
BioStar Air Partner Portal | Home → Login → My Info → Change Password | Home → Login → My Info → Delete Account |
BioStar Air Developer Portal | Home → Login → My Info → Change Password | Home → Login → My Info → Withdraw Membership |
Suprema Pass App | Home → Access Card → Contact Admin | Contact Admin → Request Withdrawal and Consent Removal |
BioStar Air Portal | Home → Login → My Info → Settings | Home → Login → My Info → Settings → Management → Delete Account |
Article 8. Installation, Use, and Rejection of Automatic Personal Information Collection Technologies
1. The Company uses cookie-like technologies, including session storage and local storage, to provide secure and personalized services. These are small text files stored on a user’s device when accessing the Company’s services and allow the service to recognize repeat visits and maintain session state.
2. The Company uses these technologies for the following purposes:
• To maintain secure login sessions during service use
• To improve usability and user experience
• To store the following types of information (only where required or selected by the user):
- Session tokens for authentication
- Preferred language setting
- User ID for simplified login (if the user opts in)
3. By continuing to use the Services, the user consents to the use of these technologies in accordance with this Privacy Policy.
4. Users may restrict or block these technologies through their browser settings. However, doing so may limit access to certain features or functionality of the service.
How to Manage or Disable Cookies in Common Browsers
1) Internet Explorer 11 (Windows 10)
• Open Internet Explorer → Tools → Internet Options
• Go to the "Privacy" tab → Click "Advanced" under Settings
• Choose whether to accept, block, or prompt for cookies
2) Microsoft Edge
• Open Edge → Click ‘...’ → Settings
• Navigate to “Privacy, Search, and Services”
• Set tracking prevention level and enable “Do Not Track” if desired
3) Google Chrome
• Open Chrome → Click ‘⋮’ (menu) → Settings
• Go to “Privacy and Security” → “Cookies and other site data”
• Choose preferred cookie behavior, including blocking third-party cookies
4) Safari (macOS)
• Open Safari → Preferences → Privacy
• Manage website data and choose to remove one or all site records
Note: Disabling cookies may restrict access to certain personalized features.
Article 9. Procedures and Methods for Destruction of Personal Information
In principle, the Company deletes personal information without delay once the purpose of collection and processing has been fulfilled. The procedures and methods for destruction are as follows:
1) Destruction Procedures
• Personal information provided by users is either: (a) Immediately deleted upon fulfillment of its purpose, or (b) Transferred to a separate database (or stored physically, if in paper form) and retained only as required under internal policies or applicable laws.
• Personal information retained in this manner will not be used for any other purpose unless required by law.
2) Destruction Methods
• Electronic data: Secure deletion through technical methods that render data unrecoverable (e.g., secure erase or overwriting techniques).
• Printed materials: Physical destruction using shredding or incineration.
Destruction of Personal Location Information
If a user requests deletion of their personal location information or withdraws from the service, the Company will take immediate action to permanently delete the data using methods that make recovery or reproduction technically impossible. Once deleted, the information cannot be accessed or used in any form.
Article 10. Measures to Ensure the Safety of Personal Information
The Company implements the following technical, administrative, and physical safeguards to protect personal information from loss, theft, leakage, forgery, or unauthorized access.
1) Administrative Measures
• Establishment and enforcement of internal information security policies and personal information handling guidelines
• Regular training and awareness for employees handling personal data
• Internal access audits and compliance monitoring
2) Technical Measures
• Role-based access control and access logging for systems processing personal information
• Deployment of intrusion prevention and anti-malware systems
• Encryption of personal data during storage and transmission
• Use of secure authentication protocols and regular system vulnerability testing
3) Physical Measures
• Controlled access to server rooms, data centers, and facilities where personal data is stored
• Surveillance and entry logging of critical infrastructure
• Disaster recovery planning and offsite backup protocols
Note: Suprema has obtained ISO/IEC 27001 (Information Security Management) and ISO/IEC 27701 (Privacy Information Management) certifications through an accredited third-party auditor. These certifications demonstrate the Company’s commitment to internationally recognized data protection and privacy management standards.
Article 11. Collection and Use of Behavioral Information
1. The Company may collect limited behavioral information—such as access history and device interaction logs—for the purpose of service improvement, diagnostics, and usage analysis within the BioStar Air services.
2. This information is used exclusively to improve service performance and user experience and is not used for profiling, third-party advertising, or personalized ad targeting.
3. Suprema does not collect or use behavioral data from children known to be under 14 years of age.
4. Users can opt out of certain forms of behavioral data collection by adjusting app permissions or privacy settings on their mobile device. Instructions for blocking advertisement identifiers are as follows:
Smartphone Settings for Ad Identifier Control
• Android: Settings → Privacy → Ads → Reset or Delete Advertising ID
• iOS: Settings → Privacy & Security → Tracking → Toggle off “Allow Apps to Request to Track”
Note: Disabling certain settings may affect personalized service features but will not impact core functionality.
5. For questions or concerns related to behavioral data or data usage, users may contact the Company through the channels provided in Article 14.
Privacy Department
[Contact Information]
Article 12. Personal Information Protection Manager and Contact Information
1. The Company has designated a Chief Privacy Officer (CPO) to be responsible for the protection of personal information and to oversee all related inquiries, complaints, and data subject requests. The CPO also serves as the Data Protection Officer (DPO).
Division | Chief Privacy Officer (CPO) | Department in Charge of Personal Information Protection |
---|---|---|
Name | Chang-soon Park | Information Security Office |
Contact / E-mail | +82-31-710-2450 cspark@suprema.co.kr | privacy@suprema.co.kr |
2. If you have any questions or concerns regarding the handling of your personal information while using the Company’s services, please contact the CPO or the responsible department. The Company will respond without undue delay.
3. For additional assistance or to report a personal information violation, you may contact the following official agencies in South Korea:
Organization | Contact | Website |
---|---|---|
Personal Information Infringement Report Center (KISA) | (+82)118 | privacy.kisa.or.kr |
Personal Information Dispute Mediation Committee (KOPICO) | (+82)1833-6972 | www.kopico.go.kr |
National Police Agency Cyber Bureau | (+82)182 | ecrm.police.go.kr |
Supreme Prosecutors’ Office, Cybercrime Division | (+82)1301 | www.spo.go.kr |
Article 13. Collection and Use of Behavioral Information
The BioStar Air service may include links to external websites or services operated by third parties. This Privacy Policy applies solely to the BioStar Air services provided by Suprema Inc. If you access a third-party website or service through a link, please review the privacy policy of that site. Suprema is not responsible for the privacy practices or content of third-party services.
Article 14. Changes to the Privacy Policy and Notification
1. This Privacy Policy is applicable from 2025.05.22.
Notice to Customer and Site Administrator
The Site Administrator may collect the personal information specified below by configuring certain service features. Suprema will process the data registered by the Site Administrator in accordance with the Data Processing Agreement. Accordingly, the Site Administrator’s use of the Service is subject to the policies of the entity to which they belong or on whose behalf they are providing the service.
1. Items Collected by Customer
- User Access Management (Employees, Members, Visitors)
Service | Required Information | Optional Information |
---|---|---|
BioStar Air Portal (Admin Page) | ID, username, email address | Job title, department, mobile phone number, photo, biometric template (face, fingerprint), Real-time video (streaming only), Recorded video (streaming only) |
Suprema Pass App | Name | ID, job title, department, public account status, email address ※ May be required depending on the registered authentication method and the mandatory fields configured by the Administrator. |
Note 1: Depending on system configuration, facial and fingerprint biometric templates may be collected and stored in the Company’s cloud for authentication purposes. These biometric templates are encrypted and stored securely, and are used exclusively for authentication within the access control system. They are not used for profiling, surveillance, or any other purpose unrelated to access control.
Note 2: Video feeds are streamed directly from the Customer’s existing video management system for monitoring purposes. Suprema does not collect, store, or retain any video footage; it merely provides an interface to display the video content at the Customer’s instruction. All video data remains under the sole control and responsibility of the Customer.
2. Methods of Collection
- Through administrative registration by Site Administrators via the BioStar Air Portal.
- When issuing credentials, such as mobile credentials or biometric templates (facial or fingerprint), via the BioStar Air Portal, the Suprema Pass app, or compatible biometric readers.
- Through system-generated logs such as attendance records and access events, which are recorded based on user interactions with devices and transmitted to the Company’s servers for storage and monitoring.
3. Purpose and Legal Basis for the Customer’s Use of Personal Information
The Customer’s use of personal information is governed by the Customer’s own policies and is based on the legal basis determined by the Customer.