Privacy Policy
Last updated: February 15, 2026
Google API Disclosure
tooolo's use and transfer to any other app of information received from
Google APIs will adhere to the
Google API Service User Data Policy, including the Limited Use requirements.
1. General Provisions
① tooolo (the 'Company') establishes and discloses this Privacy Policy to protect users' personal information and promptly and smoothly handle related grievances in accordance with the Personal Information Protection Act, the Act on Promotion of Information and Communications Network Utilization and Information Protection, and other applicable laws.
② This Privacy Policy applies to the tooolo platform and all related services provided by the Company (tooolo website, start tooolo, etc.), and changes will be announced through service notices.
③ This policy is effective from February 15, 2026.
2. Items and Methods of Personal Information Collection
① The Company collects the following personal information to provide services:
[Required Collection Items]
  - Social Login: Email address, name, profile image (information provided by social platform)
  - Service Use: Bookmark URLs, titles, memos, tags, folder structure created by users
[Automatically Collected Items]
  - Service Usage Records: Access logs, cookies, IP information, access time
  - Device Information: Browser type and version, operating system, screen size
② Methods of Personal Information Collection:
  - Automatic collection through social login (Google, Kakao, etc.)
  - Direct input by users during service use
  - Automatic collection through information generation tools
3. Purpose of Collection and Use of Personal Information
The Company uses collected personal information for the following purposes:
① Member Management
  - Identity verification and personal identification for membership services
  - Confirmation of registration intent
  - Delivery of notices and confirmation of user intent
  - Prevention of unauthorized use by problematic members
② Service Provision
  - Providing bookmark storage, management, and search services
  - Providing personalized start pages and dashboards
  - Multi-device data synchronization
  - Providing customized services
③ Service Improvement and Development
  - Development and specialization of new services
  - Service usage statistics and analysis
  - Analysis of access frequency and service usage patterns
④ Customer Support
  - Handling customer inquiries and complaints
  - Delivering announcements
  - Notifying service disruptions
⑤ Marketing and Advertising
  - Providing personalized advertisements through analysis of user bookmark data and service usage patterns
  - Service recommendations based on user interests
  - Measuring and analyzing advertising effectiveness
  - Users can opt out of personalized advertising at any time; general advertisements will continue to be displayed even after opting out
4. Retention and Use Period of Personal Information
① The Company retains and uses users' personal information until the purpose of collection and use is achieved.
② Upon membership withdrawal, personal information is destroyed without delay. However, the following information is retained for the specified period according to applicable laws:
[Information Retention under Applicable Laws]
  - Records of contracts or withdrawal: 5 years (E-Commerce Act)
  - Records of payment and supply of goods: 5 years (E-Commerce Act)
  - Records of consumer complaints or dispute resolution: 3 years (E-Commerce Act)
  - Records of labeling and advertising: 6 months (E-Commerce Act)
  - Website visit records: 3 months (Protection of Communications Secrets Act)
③ Personal information of members who have not used the service for more than 1 year is stored separately in accordance with the Personal Information Protection Act, and notice is sent via email 30 days before destruction.
④ Bookmark data created by users is deleted immediately upon withdrawal, but may remain in backup systems for up to 30 days before permanent deletion.
5. Personal Information Destruction Procedure and Method
① Destruction Procedure
  - Information entered by users is transferred to a separate DB (or separate document box for paper) after achieving its purpose, stored for a certain period according to internal policies and applicable laws, then destroyed.
  - Personal information transferred to a separate DB is not used for other purposes except as required by law.
② Destruction Method
  - Electronic files: Deleted using technical methods that make records irreproducible (complete deletion, overwriting, physical destruction, etc.)
  - Printed personal information: Shredded or incinerated
③ Bookmarks and data deleted by users within the service are immediately and permanently deleted from servers and completely removed from backup systems within 30 days.
6. Provision of Personal Information to Third Parties
① In principle, the Company does not provide users' personal information to third parties.
② However, exceptions are made in the following cases:
  - When users have given prior consent
  - When required by law or upon request from investigative agencies according to procedures and methods prescribed by law for investigative purposes
  - When necessary for statistical compilation, academic research, or market research in a form that cannot identify specific individuals
③ Even in cases under paragraph 2, the Company notifies users of the provision to third parties (except when notification is prohibited by law), and users may withdraw their consent at any time.
7. Outsourcing of Personal Information Processing
① The Company outsources personal information processing to the following external specialized companies for seamless service provision:
[Outsourced Companies and Tasks]
  - Supabase (USA): Database hosting, user authentication, data storage and management
  - Cloudflare (USA): CDN services, website security and performance optimization
  - Google OAuth: Social login authentication service
  - Google LLC (USA): Serving personalized advertisements, measuring and analyzing advertising performance through Google Ads integration
② When concluding outsourcing contracts, the Company specifies in written documents such as contracts the prohibition of personal information processing beyond the outsourced task purpose, technical and administrative protection measures, restrictions on re-outsourcing, management and supervision of contractors, and liability for damages in accordance with Article 26 of the Personal Information Protection Act, and supervises whether contractors handle personal information safely.
③ If the content of outsourced tasks or contractors change, we will promptly disclose this through this Privacy Policy.
8. Rights and Obligations of Data Subjects and How to Exercise Them
① Users may exercise the following personal information protection rights at any time:
  1. Request to access personal information
  2. Request correction if there are errors in personal information
  3. Request deletion of personal information
  4. Request suspension of personal information processing
② Rights under paragraph 1 may be exercised directly through the 'Settings' menu within the service, or by contacting the Privacy Officer in writing, by phone, or email, and the Company will respond without delay.
③ Membership withdrawal (service agreement termination) can be performed directly through the 'Account Management' > 'Delete Account' menu within the service, and all personal information is deleted immediately upon withdrawal.
④ If a user requests correction or deletion of errors in personal information, the Company will not use or provide the personal information until the correction or deletion is completed.
⑤ Rights under paragraph 1 may be exercised through a legal representative or authorized agent. In this case, a power of attorney according to the format specified in Annex No. 11 of the Enforcement Rules of the Personal Information Protection Act must be submitted.
9. Installation and Operation of Automatic Personal Information Collection Devices and Rejection
① The Company uses 'cookies' to store and retrieve usage information to provide individualized customized services to users.
② Cookies are small amounts of information sent by the server operating the website to the user's browser and stored on the user's computer hard disk.
③ Purpose of cookie use:
  - Maintaining login sessions and automatic login
  - Providing customized information according to user interests
  - Providing optimized services by understanding usage patterns and number of users
  - Security settings and prevention of unauthorized use
  - Providing personalized advertisements and measuring advertising effectiveness
④ Cookie installation, operation, and rejection:
  - Users have the right to choose cookie installation
  - Through the Tools > Internet Options > Privacy menu options at the top of the web browser, users can allow all cookies, confirm each time cookies are saved, or reject storage of all cookies
  - However, if cookie storage is rejected, some services requiring login may be difficult to use
⑤ Cookie setting methods (examples):
  - Chrome: Settings > Privacy and Security > Cookies and other site data
  - Safari: Preferences > Privacy > Cookies and website data
  - Firefox: Options > Privacy and Security > Cookies and site data
⑥ Opting out of personalized advertising:
  - Users have the right to opt out of personalized advertising
  - Turn off 'Ad personalization' on the Google Ads Settings page (https://adssettings.google.com) to stop personal information-based targeted advertising
  - Even if you opt out of personalized ads, general ads for service operation may still be displayed
  - To completely remove ads, you may use paid subscription services (if provided)
10. Security Measures for Personal Information Safety
In accordance with Article 29 of the Personal Information Protection Act, the Company takes the following technical, administrative, and physical measures necessary to ensure safety:
① Administrative Measures
  - Establishment and implementation of internal management plans
  - Minimization and education of employees handling personal information
  - Regular self-inspections and internal audits
② Technical Measures
  - Encryption of personal information: Passwords are encrypted for storage and management
  - Technical countermeasures against hacking: Installation and periodic update/inspection of antivirus programs, installation of systems in areas with controlled external access
  - Preservation and falsification prevention of access records: Access records retained for at least 6 months
  - Access restriction to personal information: Access control and authority restriction through granting, changing, and revoking access rights to database systems processing personal information
  - SSL (Secure Socket Layer) certificate application: Encrypted communication during data transmission
  - Personal information access restriction: IP address-based access restriction, two-factor authentication, etc.
③ Physical Measures
  - Access control to computer rooms and data storage rooms
  - Verification and management of physical security levels of data centers when using cloud services
11. Privacy Officer and Contact Information
① The Company designates a Privacy Officer as follows to take overall responsibility for personal information processing and to handle complaints and remedy damages related to personal information processing:
[Privacy Officer]
  - Name: Youngho Noh
  - Position: CEO
  - Email: tooolo.app@gmail.com
  - Phone: 010-2689-6405
② Data subjects may contact the Privacy Officer regarding all personal information protection-related inquiries, complaint handling, and damage remedies arising from using the Company's services. The Company will respond and process inquiries from data subjects without delay.
③ For other reports or consultations regarding personal information infringement, please contact the following organizations:
  - Personal Information Infringement Report Center (privacy.kisa.or.kr / 118 without area code)
  - Personal Information Dispute Mediation Committee (www.kopico.go.kr / 1833-6972)
  - Supreme Prosecutors' Office Cybercrime Investigation Unit (www.spo.go.kr / 1301 without area code)
  - National Police Agency Cyber Safety Bureau (cyberbureau.police.go.kr / 182 without area code)
12. Additional Provisions for EU and International Users (GDPR, CCPA)
① Members residing in the European Economic Area (EEA) and the UK have the following rights under the GDPR:
  1. Right to be informed and access to personal data
  2. Right to rectification and erasure ('Right to be Forgotten')
  3. Right to restrict processing and object to processing
  4. Right to data portability
  5. Right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal
② The Company processes personal data based on your consent, the performance of a contract, legal obligations, and our legitimate interests (e.g., service improvement, security).
③ For users in California (CCPA/CPRA), you have the right to know what personal information is collected, request deletion, and opt-out of the 'sale' or 'sharing' of your personal information. tooolo does not 'sell' your personal information in the traditional sense, but we may share data for personalized advertising. You can exercise your opt-out rights through the 'Ad Settings' or by contacting us.
④ If you believe that our processing of your personal data infringes data protection laws, you have the right to lodge a complaint with a supervisory authority in your country of residence.
13. Google EU User Consent Policy Compliance
① In accordance with Google's EU User Consent Policy, for users in the EEA and UK, we obtain consent before serving personalized advertisements and using cookies/local storage for such purposes.
② Users can manage their consent preferences at any time through our Consent Management mechanism (Cookie Banner) or browser settings.
③ If you decline consent for personalized advertisements, we will only serve non-personalized advertisements, which do not use personal data for targeted delivery but may use metadata for basic frequency capping and reporting.
14. Changes to Privacy Policy
① This Privacy Policy is effective from February 15, 2026.
② In case of additions, deletions, or modifications to this Privacy Policy, notice will be provided through 'Announcements' within the service at least 7 days before the changes take effect. However, for important changes to user rights such as collection and use of personal information and provision to third parties, notice will be provided at least 30 days in advance, and individual notification via email will be provided when necessary.
③ This is the initial Privacy Policy.
  - Announcement date: February 15, 2026
  - Effective date: February 15, 2026