Privacy Policy

Dunamu Inc. (the "Company") highly values the privacy of its users and is fully committed to safeguarding the personal data provided by users in connection with the use of the GIWA Layer 2 Testnet service (the "Service"). The Company complies with the Personal Information Protection Act and other relevant laws and regulations to ensure the lawful and secure processing of personal information.

This Privacy Policy is continuously made publicly available on the main page of the site so that users can easily review the Company's data handling practices at any time.

This Privacy Policy may be revised in accordance with applicable laws or internal policies. All changes will be version-controlled and made available for easy review.

List of Articles (Table of Contents)

1. Purpose of Personal Data Processing

2. Items of Personal Data Collected

3. Retention and Use Period of Personal Data

4. Destruction of Personal Data

5. Provision of Personal Data to Third Parties

6. Criteria for Additional Use or Provision of Personal Data

7. Entrustment of Personal Data Processing

8. Overseas Transfer of Personal Data

9. Security Measures for Personal Data

10. Cookies and Tracking Technologies

11. Handling of Behavioral Information

12. User Rights and How to Exercise Them

13. Data Protection Officer and Responsible Department

14. Department for Access Requests

15. Remedies for Rights Infringement

16. Responsibility for Linked Sites

17. Changes to the Privacy Policy

Article 1 (Purpose of Personal Data Processing)

The Company processes users’ personal data for the following purposes and does not use it for any other purpose. If the purpose of use changes, the Company will take necessary measures, such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.

1. Provision of goods or services

   • To provide goods or services (including the Service), prevent misuse, and ensure secure operations.

2. Customer support

   • To respond to service-related inquiries.

Article 2 (Items of Personal Data Collected)

① Pursuant to Article 15(1)(4) of the Personal Information Protection Act, the Company collects and uses the minimum necessary personal data to fulfill contracts with users or to take steps at the user's request prior to entering into a contract:

② In accordance with Article 15 (Collection and Use of Personal Information) of the Personal Information Protection Act, the Company may collect and use personal data without consent in the following cases:

1. Where the user has given consent

2. Where specifically required by law or unavoidably necessary to comply with legal obligations

3. Where necessary to perform a contract or to take steps at the user’s request prior to contract execution

4. Where it is clearly deemed necessary to protect the urgent life, body, or property interests of the user or a third party

5. Where necessary to achieve the Company’s legitimate interests, provided such interests are substantially related, do not override the user’s rights, and remain within a reasonable scope

6. Where urgently required for public health, safety, or public order

Article 3 (Retention and Use Period of Personal Data)

① The Company retains and processes personal data within the period stipulated by applicable laws or within the retention period consented to by the user at the time of data collection.

② For the performance of statutory obligations, the Company may retain and process personal data until the relevant grounds no longer apply in the following cases:

1. Where required by applicable laws and regulations — until the legally mandated retention period expires.

   Category

   Legal Basis

   Retention Period

   Contract and withdrawal records

   Article 6 of the Act on Consumer Protection in Electronic Commerce, etc.

   5 years

   Payment and supply records

   Same as above

   5 years

   Consumer complaints and dispute records

   Same as above

   3 years

2. Where investigations or inquiries are in progress due to violations of law — until the conclusion of such investigations or inquiries.

3. Where financial claims or obligations remain due to service use — until such claims or obligations are fully settled.

4. Where legal proceedings, such as litigation between the user and the Company, are ongoing — until such proceedings are conclusively finalized.

Article 4 (Destruction of Personal Data)

① The Company promptly destroys personal data when the retention period has expired or the processing purpose has been achieved.

② If personal data must continue to be retained under applicable laws even after the agreed retention period has expired or the purpose has been achieved, the Company will transfer such data to a separate database (DB) or store it in a different location. Details of such retention are set forth in Article 3 (Retention and Use Period of Personal Data).

③ Personal data selected for destruction is identified once a destruction ground arises (e.g., expiration of the retention period or fulfillment of the processing purpose) and is deleted either through an automated system or upon approval by the data protection officer or other authorized personnel.

④ Methods of destruction are as follows:

1. Personal data stored in electronic file format is permanently deleted so that the records cannot be restored, using secure methods.

2. Personal data recorded and stored on paper is shredded or incinerated.

Article 5 (Provision of Personal Data to Third Parties)

① The Company processes users’ personal data only within the purposes set forth in Article 1, and provides such data to third parties solely in cases permitted under the Personal Information Protection Act, including where the user has given consent, where specifically required by law, or where unavoidably necessary to comply with legal obligations, in accordance with Articles 17 and 18 of the Act.

② The Company does not provide personal data to any third parties without the user’s consent or other legal grounds.

Article 6 (Criteria for Additional Use or Provision of Personal Data)

① In the course of providing the Service, the Company may use or provide personal data without the user’s consent in accordance with Articles 15(3) and 17(4) of the Personal Information Protection Act.

② When the Company uses or provides personal data without the user’s consent pursuant to Paragraph 1, it shall take into account the following criteria:

1. Whether the additional use or provision is related to the original purpose of collection

2. Whether the additional use or provision could reasonably be anticipated in light of the circumstances of collection or customary practices of processing

3. Whether the additional use or provision unjustly infringes upon the interests of the user

4. Whether necessary safeguards, such as pseudonymization or encryption, have been applied to ensure security

Article 7 (Entrustment of Personal Data Processing)

① The Company entrusts part of its operations necessary for providing the Service to external service providers. When an entrusted service provider processes personal data in the course of performing its duties, the Company supervises and manages the provider to ensure that personal data is securely processed in accordance with Article 26 of the Personal Information Protection Act.

② The Company entrusts the following personal data processing tasks:

Article 8 (Overseas Transfer of Personal Data)

The Company does not transfer personal data abroad (cross-border transfer).

Article 9 (Security Measures for Personal Data)

In accordance with Article 29 of the Personal Information Protection Act, the Company implements the following administrative, technical, and physical measures to ensure the security of personal data:

1. Administrative Measures

   • Establishment and implementation of internal management plans: The Company establishes and enforces internal management plans to ensure the secure management of personal data.

   • Minimization and training of personnel handling personal data: The Company strictly limits the number of personnel authorized to handle personal data to the minimum necessary for performing their duties, and provides education and training to raise awareness of the importance of data protection.

   • Operation of a dedicated data protection team: The Company operates a dedicated data protection team that continuously inspects and verifies the implementation of security measures for its personal data processing systems.

2. Technical Measures

   • Access control for personal data processing systems: Access rights to personal data systems are granted, modified, and revoked as necessary. An intrusion prevention system is in place to block unauthorized external access.

   • Encryption of personal data: The Company encrypts personal data subject to mandatory encryption under the Act (e.g., resident registration numbers, bank account numbers) using secure algorithms and manages it safely.

   • Technical countermeasures against hacking, etc.: The Company makes every effort to prevent the leakage or damage of personal data caused by hacking, computer viruses, or other threats. Data is backed up to prevent damage, up-to-date antivirus software is used to prevent breaches or corruption, and encrypted communications are employed to ensure secure transmission of personal data over networks.

3. Physical Measures

   • The Company installs personal data processing systems in areas with controlled external access and operates access control procedures to prevent unauthorized physical access, leakage, or damage of personal data.

Article 10 (Cookies and Tracking Technologies)

① The Company uses cookies to provide convenient services and enhance user experience by storing and retrieving usage information as needed.

② A cookie is a small piece of information that a website sends to the user’s web browser and stores on their device.

1. Purpose of Using Cookies

   Cookies save user preferences and settings to provide a faster and more personalized web environment. They are also used to improve the Service for user convenience, enabling users to access and use the Service more easily.

2. Installation, Operation, and Rejection of Cookies

   Users have the right to choose whether to allow cookies. At any time, users may refuse or delete stored cookies.

3. How to Disable Cookies

   Users can refuse or delete cookies through their browser settings as follows:

   • Microsoft Edge: Settings > Cookies and site permissions > Manage and delete cookies and site data

   • Chrome: Settings > Privacy and security > Clear browsing data / Third-party cookies > Cookie settings

   • Safari: Settings > Advanced tab > In the Privacy section, enable “Block all cookies”

Article 11 (Handling of Behavioral Information)

① Behavioral information refers to online user activity data—such as website visit history, purchase history, and search records—that can be used to identify and analyze a user’s interests, preferences, and behavioral tendencies.

② The Company does not process behavioral information.

Article 12 (User Rights and How to Exercise Them)

① Users may exercise their rights at any time upon request with respect to their personal data, including the right to access, correct, delete, suspend processing, or withdraw consent for processing. However, such rights may be restricted as provided under relevant laws, including Articles 35(4), 36(1) proviso, 37(2) proviso, and 37(3) proviso of the Personal Information Protection Act.

② In accordance with Article 41(1) of the Enforcement Decree of the Personal Information Protection Act, users may exercise their rights by submitting a request in writing, via email, or by fax, and the Company will respond without undue delay.

③ If a user disagrees with the Company’s decision regarding their request (e.g., access, correction, deletion, suspension, or withdrawal of consent), the user may raise an objection within 10 days using the method described in Paragraph 2.

④ The rights described in Paragraph 1 may also be exercised by the user’s legal representative or an authorized proxy. In such cases, a power of attorney must be submitted using the form prescribed in Annex Form No. 11 of the “Notification on the Method of Processing Personal Data.”

⑤ Users may not request deletion of personal data if such data is explicitly required to be retained under other applicable laws.

⑥ The Company will verify that the requester is either the data subject or a legitimate representative before granting access, correction, deletion, suspension, or withdrawal of consent.

⑦ Users may exercise their rights through the department designated in Article 14 (Department in Charge of Personal Data Access Requests). The Company will make every effort to process such requests promptly and appropriately.

Article 13 (Data Protection Officer and Responsible Department)

① The Company has designated the following department and personnel to be responsible for the protection of personal data and for handling related user inquiries or complaints.

▶ Personal Data Protection Officer

• Name : Jaeyong Jung

• Position : Personal Data Protection Officer

• Email : [email protected]

• Department : Personal Data Protection Team

▶ Personal Data Protection Manager

• Name : Taesung Park

• Position : Personal Data Protection Manager

• Email : [email protected]

• Department : Personal Data Protection Team

② Users may contact the Personal Data Protection Officer or the designated department for any inquiries or complaints related to personal data protection arising from the use of the Company’s services. The Company will provide appropriate responses and support.

Article 14 (Department for Access Requests)

▶ Department for Receiving and Handling Personal Data Access Requests

• Department: GIWA Service Operations Team

• Email: [email protected]

Article 15 (Remedies for Rights Infringement)

If you require assistance with dispute resolution, consultation, or remedies regarding the infringement of your personal data, you may contact the following agencies:

▶ Personal Information Infringement Report Center (Operated by Korea Internet & Security Agency – KISA)

• Website:https://privacy.kisa.or.kr

• Phone: 118 (no area code required)

▶ Personal Information Dispute Mediation Committee

• Website:https://www.kopico.go.kr

• Phone: 1833-6972 (no area code required)

▶ Supreme Prosectors’ Office

• Website:https://www.spo.go.kr

• Phone: 1301 (no area code required)

▶ Cyber Bureau, National Police Agency

• Website:https://ecrm.cyber.go.kr

• Phone: 182 (no area code required)

Article 16 (Responsibility for Linked Sites)

The Company may provide links to external websites for the convenience of users. However, the Company does not have control over such external sites and therefore is not responsible for or does not guarantee the usefulness, accuracy, or legality of the services or content provided by them. Additionally, the privacy policies of those linked external sites are unrelated to the Company, so users are advised to review the respective policies of those sites.

Article 17 (Changes to the Privacy Policy)

When the Company makes changes to this Privacy Policy, the effective date and details of the changes will be continuously disclosed. The Company will also provide a comparison between the previous and revised versions to ensure that users can easily review the updates.

Effective Date: This Privacy Policy (Version 1.0) shall take effect as of September 9, 2025.

※ This English version of the Privacy Policy is a translation based on the original Korean version of the Privacy Policy. If there is any conflict between the original Korean version and this English version, the original Korean version of the Privacy Policy shall prevail.