TranSight Privacy Policy

Effective as of January 12, 2026

Bonanza Factory Co., Ltd. (hereinafter referred to as the “Company”) lawfully processes and securely manages personal information in strict compliance with the 「Personal Information Protection Act」 and all other applicable laws and regulations, for the purpose of safeguarding the rights and freedoms of data subjects.

Pursuant to Article 30 of the 「Personal Information Protection Act」, the Company hereby establishes and publicly discloses this Privacy Policy in order to provide data subjects with clear information regarding the procedures, standards, and principles governing the processing of personal information, and to ensure the prompt, fair, and effective handling of any complaints or grievances related thereto.

The Company recognizes the importance of protecting users’ personal information and faithfully complies with all statutory obligations applicable to information and communications service providers, including but not limited to the 「Personal Information Protection Act」 and the 「Act on Promotion of Information and Communications Network Utilization and Information Protection」. Through this Privacy Policy, the Company provides notice to users regarding the purposes, methods, and scope of the collection and use of personal information, as well as the technical, administrative, and physical measures implemented to ensure the protection and security of such personal information.

○ This Privacy Policy sets forth the following matters:

  • Categories of Personal Information Collected and Processed
  • Purposes for the Collection and Use of Personal Information
  • Retention Periods and Criteria for the Use of Personal Information
  • Procedures and Methods for the Destruction of Personal Information
  • Entrustment and Outsourcing of Personal Information Processing
  • Rights of Data Subjects and Legal Representatives and Methods of Exercising Such Rights
  • Technical, Administrative, and Physical Measures to Ensure the Security of Personal Information
  • Contact Information
  • Remedies for Infringement of Rights and Methods of Dispute Resolution
  • Obligation to Provide Notice of Amendments to this Privacy Policy

1. Categories of Personal Information Collected and Processed

The Company collects and uses personal information only to the minimum extent necessary for the provision of its services and processes such personal information based on the data subject’s consent, in accordance with Article 15(1)1 of the 「Personal Information Protection Act」.

○ Personal information collected for the provision of the TranSight solution

  • Mandatory items: Name, CI, bank number, mobile phone number, date of birth, gender
  • Optional items: Information voluntarily provided by the user when using the “Demo Request” or “Report Request” features

2. Purposes for the Collection and Use of Personal Information

The Company processes the personal information it collects solely for the following purposes:

  • Provision of Services: Provision of the TranSight solution, Provision of TranSight reports

3. Retention Periods and Criteria for the Use of Personal Information

The Company retains and uses personal information for the period prescribed by applicable laws and regulations, or for the period consented to by the data subject at the time of collection, whichever is applicable.

Notwithstanding the foregoing, the following personal information is retained for the period specified below in accordance with the Company’s internal retention policies:

○ Personal information retained pursuant to internal retention policies

  • Target: Records of TranSight demo and report requests (including email addresses and request details)
  • Retention period: One (1) year from the date of collection

4. Procedures and Methods for the Destruction of Personal Information

The Company destroys personal information without undue delay once the purpose of processing has been achieved. The procedures and methods for the destruction of personal information are as follows:

○ Destruction Procedures

Upon completion of the purpose for which personal information was collected and processed, the Company destroys such personal information without undue delay. Notwithstanding the foregoing, where personal information must be retained in accordance with applicable laws and regulations despite the achievement of the processing purpose, such personal information shall be transferred to a separate database and retained for a specified period in accordance with the Company’s internal policies and relevant legal requirements (refer to the “Retention Periods and Criteria for the Use of Personal Information”).

○ Methods of Destruction

  • Personal information printed on paper: shredded or incinerated
  • Personal information stored in electronic file form: permanently deleted using technical methods that render the data irrecoverable

5. Entrustment and Outsourcing of Personal Information Processing

The Company does not entrust or outsource the processing of personal information to any third party in connection with the provision of TranSight demo or report services.

6. Rights of Data Subjects and Legal Representatives and Methods of Exercising Such Rights

  • Data subjects may, at any time, exercise their rights against the Company to request access to, correction or deletion of, or suspension of the processing of their personal information.
  • Such rights may be exercised by submitting a request to the Company in writing, by electronic mail, or by facsimile (FAX), in accordance with Article 41(1) of the Enforcement Decree of the 「Personal Information Protection Act」, and the Company shall take appropriate measures without undue delay.
  • Data subjects may exercise their rights through a legal representative or an authorized agent. In such cases, a power of attorney in the form prescribed in Appendix No. 11 of the “Public Notice on the Methods of Personal Information Processing (Notice No. 2023-12)” must be submitted.
  • Requests for access to personal information or for suspension of processing may be restricted pursuant to Article 35(4) and Article 37(2) of the 「Personal Information Protection Act」.
  • Requests for the correction or deletion of personal information may not be granted where the collection of such personal information is explicitly required under other applicable laws and regulations.

7. Technical, Administrative, and Physical Measures to Ensure the Security of Personal Information

The Company implements the following technical, administrative, and physical measures to ensure the security and integrity of personal information:

Regular Internal Audits

To ensure the stability and security of personal information handling, the Company conducts regular internal audits at least once per year.

Minimization and Training of Personnel

The Company designates only the minimum number of personnel necessary to handle personal information and provides appropriate management and supervision. Such personnel receive regular training.

Establishment of Internal Management Plans

The Company establishes and implements internal management plans to ensure the secure processing of personal information.

Technical Measures Against Hacking and Malware

Installation of security programs, regular updates/inspections, and monitoring of systems in restricted areas via technical/physical controls.

Encryption of Personal Information

Passwords are encrypted; sensitive data is protected via file/transmission encryption or file-locking mechanisms.

Retention and Protection of Access Logs

Access records are retained for at least 2 years; security measures prevent alteration, theft, loss, or destruction of logs.

Access Controls to Personal Information

Access rights management for database systems; use of intrusion prevention systems to restrict unauthorized external access.

Use of Locking Devices for Document Security

Documents and storage media containing personal information are stored in secure locations equipped with locking devices.

Physical Access Control

Separate designation of physical storage locations and operation of access control procedures to prevent unauthorized access.

8. Contact Information

The Company designates the following Personal Information Protection Officer and responsible department to oversee matters related to the processing of personal information, including the handling of data subject complaints, requests for relief, and requests for access to personal information:

▶ Personal Information Protection Officer

※ Inquiries are directed to the Personal Information Protection Department.

▶ Personal Information Protection Department

※ Data subjects may contact the Personal Information Protection Officer or the responsible department with any inquiries, complaints, requests for relief, or requests for access to personal information arising in connection with the use of the Company’s services or business operations. The Company shall respond to and process such inquiries without undue delay.

※ A data subject whose rights or interests have been infringed due to a disposition or omission by the head of a public institution in response to a request made pursuant to Articles 35 (Access to Personal Information), 36 (Correction or Deletion of Personal Information), or 37 (Suspension of Processing of Personal Information) of the 「Personal Information Protection Act」 may file an administrative appeal in accordance with the Administrative Appeals Act.

9. Remedies for Infringement of Rights and Methods of Dispute Resolution

In the event of an infringement of personal information rights, data subjects may seek remedies by applying for dispute resolution or counseling through the Personal Information Dispute Mediation Committee, the Personal Information Infringement Reporting Center of the Korea Internet & Security Agency (KISA), or other relevant authorities. For reports, consultations, or complaints regarding personal information infringement, data subjects may contact the following institutions:

Personal Information Dispute Mediation Committee1833-6972 | www.kopico.go.krPersonal Information Infringement Reporting Center (KISA)118 | privacy.kisa.or.krCyber Investigation Division, Supreme Prosecutors’ Office1301 | www.spo.go.krCyber Bureau, National Police Agency182 | cyberbureau.police.go.kr

10. Obligation to Provide Notice of Amendments to this Privacy Policy

In the event of any addition, deletion, or modification to this Privacy Policy, the Company shall provide notice thereof without delay through the “Privacy Policy” page on its website.