Genesis Lab Co., Ltd. (hereinafter, the “Company”) values the personal information of data subjects, and establishes and discloses this Privacy Policy to comply with relevant laws and to process personal information lawfully and safely.

This Privacy Policy applies to the processing of personal information collected through the website operated by the Company.

Article 1 Purpose of the Privacy Policy

The purpose of this Privacy Policy is to set forth matters concerning the categories of personal information collected by the Company through its website, collection methods, purposes of use, retention periods, whether it is provided to third parties, whether processing is entrusted to others, the rights of data subjects and how to exercise them, and security measures to ensure safety.

Article 2 Personal Information Collected

The Company may collect the personal information below through Demo Request, Contact Us, and other similar inquiry forms on the website.

1. Information directly entered by the user

• Company name

• Name

• Email address

• Inquiry/request details

2. Information that may be automatically generated during service use

The Company may automatically generate and collect the following information for website operation and security, access statistics, error analysis, and similar purposes.

• Date and time of access

• IP address

• Browser type and version

• Operating system information

• Visited pages, access paths

• Cookies, session information

• Device identification-related information (within the applicable scope)

However, the Company does not currently operate membership registration or payment functions on the website, and does not intentionally collect excessive personal information beyond what is necessary for inquiry handling.

Article 3 Methods of Collecting Personal Information

The Company may collect personal information in the following ways.

1. When a user directly fills in information on the input form on the website and submits it

2. When a user inquires to the Company via email or web form

3. Collection of information automatically generated during access to and use of the website

4. Automatic collection through cookies, log analysis tools, and security systems

Article 4 Purposes of Processing Personal Information

The Company processes the collected personal information only within the following purpose scope.

1. Inquiry response and communication

   • Confirmation of and response to general inquiries through Contact Us

   • Contact regarding business partnerships, sales, collaboration, and proposals

   • Review of and response to requests made by users

2. Demo request handling

   • Receipt and review of Demo Requests

   • Confirmation of demo availability

   • Scheduling and pre-communication

3. Service improvement and operational stability

   • Analysis of website access status

   • System failure checks and security response

   • Improvement of usability and operational quality

4. Compliance with legal obligations and dispute response

   • Fulfillment of obligations under relevant laws and regulations

   • Response to infringement of rights, security incidents, disputes, and complaints

The Company does not use personal information beyond the scope of the purpose of collection, and if the purpose changes, it takes the necessary measures in accordance with relevant laws and regulations.

Article 5 Retention and Use Period of Personal Information

1. The Company retains and uses personal information only for the period necessary to achieve the purpose of collection.

2. In principle, the user’s personal information is destroyed without delay after inquiry response and related communication are completed.

3. However, it may be retained for the corresponding period in the following cases.

   1. When relevant laws and regulations require retention for a certain period

   2. When there is a possibility of disputes, a need to respond to complaints, or a need for legal defense

   3. When there is a legitimate need such as preventing duplicate inquiries, managing relationship history, or maintaining sales review records

4. The Company may retain submitted information for a certain period for internal operational purposes such as managing inquiry history and follow-up communication, and that period shall not exceed the reasonably necessary scope after the purpose is achieved.

5. Examples of retention required by law may include the following.

   • Records concerning consumer complaints or dispute handling

   • Access logs

   • Other records subject to retention obligations under relevant laws and regulations. However, whether they actually apply may vary depending on the Company’s service structure and the scope of applicable laws and regulations.

Article 6 Provision of Personal Information to Third Parties

1. In principle, the Company does not provide data subjects’ personal information to external parties.

2. However, it may exceptionally be provided in the following cases.

   1. When the data subject has given prior consent

   2. When there are special provisions in laws and regulations or a lawful request from an authorized institution such as an investigative agency, court, or government agency

   3. When it is deemed necessary to protect the imminent interests of a person’s life, body, or property

   4. When it is provided in a form that cannot identify a specific individual for the purpose of statistical preparation, academic research, or market research

3. If the Company provides personal information to a third party, it notifies or obtains the necessary consent in accordance with relevant laws and regulations regarding the recipient, purpose of provision, items provided, and retention and use period.

Article 7 Entrustment of Personal Information Processing

1. The Company may entrust some of its personal information processing tasks to external vendors for smooth website operation, inquiry receipt, email transmission, cloud infrastructure operation, security management, and similar purposes.

2. When entering into an entrustment agreement, the Company stipulates and manages/supervises the necessary matters so that the trustee processes personal information safely in accordance with relevant laws and regulations.

3. When the Company entrusts personal information processing tasks, the trustee and the details of the entrusted tasks are disclosed through the website or reflected in this policy.

For example, the Company may use the following categories of trustees.

• Website hosting and server operation vendors

• Cloud service providers

• Email transmission/reception or inquiry management solution providers

• Web analytics, log analysis, and security monitoring service providers

Article 8 Possible Overseas Transfer of Personal Information

1. In the course of using some infrastructure or solutions such as cloud services, email, analytics tools, security tools, and inquiry management tools, the Company may store or process personal information on servers located outside the Republic of Korea.

2. When an overseas transfer of personal information occurs, the Company reviews the matters required by relevant laws and regulations and establishes appropriate protective measures.

3. If an actual overseas transfer occurs, the Company may notify or obtain the necessary consent regarding the recipient, country of transfer, date/time and method of transfer, items transferred, purpose of use, and retention and use period in accordance with relevant laws and regulations.

Article 9 Use of Cookies and Similar Technologies

1. The Company may use cookies or similar technologies to improve website convenience, analyze access statistics, and enhance security and operational efficiency.

2. Cookies are small pieces of information that websites send to a user’s browser.

3. Users may refuse or delete cookie storage through browser settings.

4. However, if cookie storage is refused, some functions of the website may not work properly.

Article 10 Procedures and Methods for Destroying Personal Information

1. When the retention period for personal information has expired or the processing purpose has been achieved, the Company destroys the relevant personal information without delay.

2. However, if separate retention is required under relevant laws and regulations, the relevant information is safely stored in a separate database or a separated storage location and then destroyed when the statutory retention period expires.

3. The destruction procedures and methods are as follows.

   1. Information in the form of electronic files: deleted using technical methods that make recovery or reproduction impossible

   2. Information in the form of paper documents: destroyed by shredding, incineration, or other methods that make restoration impossible

Article 11 Rights of Data Subjects and How to Exercise Them

1. Data subjects may exercise the following rights with respect to their personal information at any time.

   1. Request to access the status of personal information processing

   2. Request to correct or delete personal information

   3. Request to suspend processing of personal information

   4. Request to withdraw consent (where processing is based on consent)

2. Data subjects may exercise their rights in writing, by email, or through other methods provided by the Company.

3. When a data subject’s request is received, the Company acts without delay in accordance with relevant laws and regulations.

4. However, requests may be partially or fully restricted in the following cases.

   1. When there is a legal obligation to retain the information

   2. When there is a risk of infringing the rights or interests of another person

   3. When the information is necessary for dispute response or fulfillment of legal obligations

   4. When there are other grounds permitted under relevant laws and regulations

5. The Company may verify the requester’s identity or whether the requester has legitimate authority as a representative before processing the exercise of rights.

Article 12 Security Measures to Ensure the Safety of Personal Information

To safely process personal information, the Company may implement the following managerial, technical, and physical measures within a reasonable scope.

1. Minimization of access rights to personal information

2. Establishment and operation of internal management plans

3. Management and training of personnel handling personal information

4. Operation of system access controls and authentication procedures

5. Installation and operation of security programs

6. Encryption of transmission channels (within the applicable scope)

7. Retention of access logs and measures to prevent forgery or alteration

8. Protective measures for servers and data storage facilities

9. Security measures to prevent unauthorized access, leakage, damage, or alteration

However, due to the nature of the internet environment, complete security cannot be absolutely guaranteed, and the Company makes efforts to ensure safety at the level required by relevant laws and regulations and at a reasonable industry-standard level.

Article 13 Personal Information of Children Under 14

In principle, the Company’s website is intended for business customers, institutions, and adults, and is not operated with the intent to collect personal information from children under the age of 14. If the Company becomes aware that it has collected personal information from a child under 14 without the consent of a legal guardian, it will delete the information without delay or take the necessary measures in accordance with relevant laws and regulations.

Article 14 Responsibility for Linked External Sites

The Company’s website may contain links to external websites or services. Because the Company has no control over external sites, it is not responsible for the processing of personal information on those sites. If users visit linked external sites, they should separately review the privacy policy of those sites.

Article 15 Personal Information Protection Officer and Contact Information

The Company may appoint a Personal Information Protection Officer or a responsible department to oversee personal information processing and handle data subjects’ inquiries, complaints, and remedies for damage.

Contact Information for Personal Information Matters

Company name: Genesis Lab Co., Ltd.

Email: privacy@genesislab.ai

Address: 5th Floor, Page Myeongdong, 1-3 Myeong-dong 1-ga, Jung-gu, Seoul

Personal Information Protection Officer: Lee Young-bok

Title: CEO

Data subjects may contact the above information for any personal information protection inquiries, complaints, or requests to exercise rights arising during use of the Company’s services, and the Company will endeavor to respond and process them without delay.

Article 16 Remedies for Infringement of Rights and Interests

If a data subject needs to report or consult about personal information infringement, they may contact the following institutions.

• Personal Information Infringement Report Center

• Personal Information Dispute Mediation Committee

• Supreme Prosecutors' Office

• National Police Agency Cybercrime Report System

Specific contact details and website addresses are subject to the official guidance of the relevant institutions.

Article 17 Changes to the Privacy Policy

1. The Company may revise this Privacy Policy in accordance with relevant laws and regulations, government guidelines, service changes, internal policy changes, and other factors.

2. When this policy is changed, the Company posts the changes on the website and specifies the effective date.

3. If there are material changes, the Company may carry out a separate notice procedure in the manner required by relevant laws and regulations.

Effective Date: February 11, 2026
Last Revised Date: February 11, 2026