1. Collection and Use of Personal Information: Purpose, Items, and Methods

a. The Company collects the following personal information as mandatory for membership registration, e-commerce services, and offline service provision.

Category	Items	Purpose	Period
Membership Registration	Name (Korean/English), ID, Password, Date of Birth, Email, Contact Information (Mobile Phone), DI, Gender	Identity Verification and Membership Service Provision	Until Membership Withdrawal
	Shilla Rewards Number
Accommodation Reservation	Name (Korean/English), Email, Region (Based on Passport), Reservation Information (Stay Period, Room Type, Number of Guests, Hotel Name), Customer Preferences, Passport Number (Foreign/Domestic), Gender, Contact Information (Mobile/Home Phone), Payment Information (Card Type, Card Number, Expiration Date)	Identity Verification or Complaint Processing	5 Years After Stay
Online Accommodation Reservation	Name (Korean/English), Region (Based on Passport), Email, Contact Information (Mobile/Home Phone), Purchase and Reservation History, Stay Period, Payment Information (Card Type, Card Number, Expiration Date), Gender	Hotel Reservation and Customer Service	1 Year After Reservation Date
Customer Inquiry (Feedback)	Name (Korean/English), Email, Mobile Phone	Inquiry Response and Service Provision	3 Years from Date of Collection and Use Consent
Customer Inquiry (Questions)	Name (Korean/English), Email, Mobile Phone		2 Years from Date of Collection and Use Consent
	Kakao: Social Media Personal Identifier ID, Name, Email, Phone Number
	Naver: Social Media Personal Identifier ID, Name, Email, Phone Number
	Apple: Social Media Personal Identifier ID, Email
Social Media Login Integration	Google: Social Media Personal Identifier ID, Name, Email Address	Social Media Simplified Login Service Provision	Until Social Media Integration Cancellation or Membership Withdrawal

b. The Company collects the following personal information as optional for membership registration, e-commerce services, and offline service provision.

Category	Items	Purpose	Period
Membership Registration (Marketing Consent)	Name (Korean/English), Date of Birth, Gender, Email Address, Mobile Phone Number, Home Phone, Home Address ID, Shilla Rewards Number	Introduction of Shilla HM Co., Ltd. Products and Services, Introduction of Products and Services from Shilla HM Co., Ltd. and Other Affiliated Hotels, Gift and Promotional Event Notifications, Satisfaction Surveys, Market Research	Until Membership Withdrawal or Marketing Consent Withdrawal, Whichever Comes First
Restaurant Reservation	Allergy Information	Restaurant Menu Provision and Service	1Year
Customer Inquiry (Feedback)	Home Phone	Inquiry Response and Service Provision	3 Years from the Date of Collection and Use Consent
Customer Inquiry (Inquiries)			2 Years from the Date of Collection and Use Consent
Newsletter Subscription	Email Address	Newsletter Distribution	Until Newsletter Subscription Cancellation

c. For online members, the Company may collect IP information, cookie information, service usage records, and payment information (including credit card numbers, account numbers, gift certificate numbers, and telecommunications payment authorization numbers) during service use, solely to provide online member services and confirm financial transactions.

d. The Company collects personal information through the following methods: website membership registration, written forms, fax, telephone, consultation boards, event entries, and the collection of generated information.

2. Disclosure and Sharing of Collected Personal Information to Third Parties

a. The Company, under any circumstances, will not use or disclose customers' personal information beyond the scope stated in the collection and use purposes, except with customer consent or as required by relevant laws and regulations. It, however, may use and provide customers' personal information in the following cases:

• ① In cases of sale, merger, or acquisition where the service provider's rights and obligations are completely succeeded or transferred, the Company will provide detailed notification in advance regarding the legitimate reasons and procedures. It will provide customers with the option to withdraw their consent for the use of their personal information.
• ② When providing or sharing personal information in other cases, the Company will obtain consent by individually notifying customers in advance through written communication or email regarding the affiliate partners, items, and reasons for providing/sharing personal information, and the period for information protection and management. If customers do not consent, the Company will not provide or share information with affiliates. Furthermore, when affiliate relationships change or terminate, the Company will notify customers or obtain their consent in accordance with the same procedures.
• ③ The Company provides the following information to transaction parties within the necessary scope to ensure smooth service provision, with the customer's consent.

[Domestic]

Recipient	Recipient's Purpose of Personal Information Use		Personal Information Items Provided	Personal Information Retention and Use Period
Hotel Shilla	Accommodation Reservation	Integrated Reservation Service and Related Convenience Provision	Name (Korean/English), Date of Birth, Email, Contact Information (Mobile/Home Phone), Stay Period (Arrival/Departure Date and Time), Payment Method Information, Passport Number, Customer Preferences	5 Years After Stay
	Online Accommodation Reservation	Hotel Reservation and Customer Service	Name (Korean/English), Region (Based on Passport), Email, Contact Information (Mobile/Home Phone), Purchase and Reservation History, Stay Period, Payment Information (Card Type, Card Number, Stay Period, Expiration Date)	1 Year After Reservation Date
	Shilla Rewards Service Provision		Name (Korean/English), Gender, Date of Birth, Email, Mobile Phone Number, Purchase and Reservation History, Stay Period (Arrival/Departure Date and Time), ID, Shilla Rewards Number	Until Membership Withdrawal

[International]

Personal Information Recipient (Country of Transfer, Contact Information)	SHILLA MONOGRAM QUANGNAM DANANG[QUEVIET - QUANGNAM COMPANY LIMITED(Vietnam, privacy@danang.shillamonogram.com)
Recipient's Purpose of Personal Information Use	Shilla Rewards Service Provision
Personal Information Items Transferred	Customer Name, Date of Birth, Gender, Email, Mobile Phone Number, Purchase and Reservation History, Stay Period, ID/Shilla Rewards Number
Transfer Date and Method	Personal information provided through a secure network when required for business purposes
Retention and Use Period	Until membership withdrawal or consent withdrawal
Method, Procedure, and Effect of Personal Information Transfer Refusal	You may refuse the international transfer of personal information by refusing consent for the international transfer. However, if you refuse consent for international transfer, you will not be able to receive Shilla Rewards services, including point accumulation and benefits, when using SHILLA MONOGRAM QUANG NAM-DANANG (Da Nang, Vietnam).

b. When providing or sharing customer information through partnerships, the Company will notify customers in advance of the recipients, the items to be provided or shared, the purpose of provision, the retention period, their right to refuse consent, and any disadvantages of refusing consent, and will obtain consent for such activities.

c. Personal information may be provided without customer consent in the following cases according to relevant laws and regulations:

• - When there are special provisions in other laws
• - When it is apparently necessary for the urgent interests of life, body, or property of the data subject or third parties
• - When there are special provisions in other laws or when it is unavoidable to comply with legal obligations
• - When it is apparently necessary for the urgent interests of life, body, or property of the data subject or third parties
• - When necessary to achieve the legitimate interests of Shilla HM Co., Ltd., and such interests clearly take precedence over the rights of the data subject. However, this applies only when related to Shilla HM Co., Ltd.'s legitimate interests and does not exceed a reasonable scope
• - When urgently necessary for public safety and welfare, including public health

3. Outsourcing of Personal Information Processing

a. The Company outsources personal information processing operations to external specialized companies for service implementation as follows.

b. When entering into outsourcing contracts, Shilla HM Co., Ltd. specifies in contractual documents matters concerning the prohibition of personal information processing beyond the purpose of outsourced operations, technical and administrative protection measures, restrictions on sub-outsourcing, management and supervision of processors, and liability for damages by Article 26 (Restrictions on Personal Information Processing through Outsourcing) of the Personal Information Protection Act, and supervises whether processors handle personal information safely.

c. Following Article 26, Paragraph 6 of the Personal Information Protection Act, when processors sub-outsource our personal information processing operations, they must obtain consent from Shilla HM Co., Ltd.

d. When outsourcing content or processors change, we will promptly disclose such changes through this Privacy Policy.

e. Among outsourced personal information processing operations, those processed internationally are as follows. Shilla HM outsources the following operations for accommodation reservations and customer service, protects user information through information protection policies, and performs these operations under Shilla HM's strict control.

4. Collection of Personal Information through Cookies

a. Cookie Operation

The Company uses cookies for user convenience. Information collected through cookies includes member IDs and IP addresses used for access. Information collected through cookies is used to maintain login status and provide customized, individualized advertising services.

b. Installation/Operation and Refusal of Cookies

Customers have the option to control cookie installation and can set browser options to allow all cookies, require confirmation each time a cookie is stored, or refuse cookie storage. (In Chrome, users can delete all cookies stored on their PC simply by going to Settings > Privacy and Security > Clear browsing data. Alternatively, checking the "Clear browsing data on exit" option will automatically delete cookies each time the browser is closed.) However, refusing cookie storage may result in some limitations on services that require a login.

c. The Company uses Google Analytics, a service provided by Google, to analyze your website usage. Information generated through Google Analytics is subject to Google's Privacy Policy and is transmitted to and stored on Google servers in the United States. Google processes information on behalf of the Company to evaluate your website usage, compile reports on website activity, and provide other services related to internet usage. Processed information undergoes randomization to prevent the identification of specific individuals. While you can refuse the use of cookies for the purposes mentioned above through browser settings, this may prevent full use of all website features. You can additionally opt out of the collection and processing of your usage information (including IP addresses) by downloading and installing a browser add-on for your current web browser. For more detailed information about the use of your information, please refer to Google (www.google.com/analytics/learn/privacy.html).

5. Personal Information Retention Period and Destruction

a. The Company retains personal information until the purpose of collection or provision is achieved. When the purpose is achieved or the consent period expires, personal information will be destroyed without delay. Specific destruction timelines are as follows:

• - Membership registration information: When membership is withdrawn or the member is expelled
• - Delivery information: When goods or services are delivered or provided
• - Satisfaction survey: At membership withdrawal or marketing consent withdrawal, whichever comes first
• - Information collected for events: 1 month after the event prize delivery
• - Identity verification information: When identity is verified
• - Despite the principle of immediate destruction upon achieving the collection purpose, when retention is necessary for a specific period due to transaction-related dispute resolution according to relevant laws and internal regulations, information will be retained as follows:
• - Records on contracts or subscription withdrawals: 5 years
• - Records on payment and supply of goods: 5 years
• - Records on consumer complaints or dispute resolution: 3 years

b. Destruction Methods

• - Personal information printed on paper: Shredding through a shredder or outsourcing to specialized destruction companies
• - Personal information stored in electronic file format: Deletion using technical methods that prevent record recovery

6. Users' Rights and Obligations and Methods of Exercise

a. Customers may at any time access, correct, delete, suspend processing of, or withdraw consent for their registered personal information. To access, correct, delete, suspend processing, or withdraw consent for personal information, customers may click "Member Information" to directly access or correct information, or contact us at the main number (02-2230-0700) or the Personal Information Protection Officer by mail, phone, or email. We will take action without delay after identity verification procedures.

b. When customers request correction of errors in personal information, we will not use or provide such personal information until the correction is completed. Additionally, if incorrect personal information has already been provided to third parties, we will promptly notify the third parties of the correction results to ensure corrections are made.

7. Measures to Ensure Personal Information Security

The Company implements the following technical, administrative, and physical measures to ensure security and prevent loss, theft, leakage, alteration, or damage of customers' personal information during processing:

- Minimization and Training of Personal Information Processing Staff

We minimize the designation of personal information handlers and conduct regular training.

- Regular Internal Audits

We conduct regular internal audits to ensure the security of personal information processing.

- Establishment and Implementation of Internal Management Plans

We establish and implement internal management plans for the secure processing of personal information.

- Encryption of Personal Information

Users' personal information and passwords are encrypted for storage and management, accessible only to the individual. Files and transmitted data are encrypted, and essential data is protected through separate security measures. We install security programs and conduct regular updates and inspections to prevent the leakage of personal information and damage from hacking or computer viruses. Systems are installed in areas with controlled external access and are monitored and blocked technically and physically.

- Access Restrictions to Personal Information

We implement necessary measures for access control to personal information by granting, changing, and revoking access rights to database systems that process personal information, and control unauthorized external access using intrusion prevention systems.

- Retention and Prevention of Falsification of Access Records

We retain and manage access records to personal information processing systems for a minimum of 2 years and utilize security measures to prevent the falsification, theft, or loss of access records.

- Use of Locking Devices for Document Security

Documents and auxiliary storage media containing personal information are stored in secure locations with locking devices. We establish and operate access control procedures for physical storage locations containing personal information to control unauthorized personnel access.

8. Opinion Collection and Complaint Handling

a. The Company values our customers' opinions and recognizes their right to receive sincere responses to their inquiries at all times. We have established a customer service phone line for smooth communication with our customers.
【Customer Service Center】 Phone: 02-2230-0700 / FAX: 02-2230-0398

b. Phone consultations are available from 9:00 AM to 6:00 PM. For inquiries submitted via email, fax, or mail, we will provide sincere responses within 24 hours of receipt. However, inquiries received after business hours or on weekends and public holidays will be processed on the next business day, unless otherwise specified.

c. For other reports or consultations regarding personal information infringement, please contact the following organizations:

• - Personal Information Infringement Report Center(https://privacy.kisa.or.kr / 118 without area code)
• - Supreme Prosecutors' Office Cyber Investigation Department(https://www.spo.go.kr / 1301 without area code)
• - Korean National Police Agency Cyber Investigation Bureau(https://ecrm.police.go.kr / 182 without area code)
• - Personal Information Dispute Mediation Committee(https://www.kopico.go.kr / 1833-6972 without area code)

9. Personal Information Protection Officer

The Company has designated the following department and Personal Information Protection Officer to protect customers' personal information and handle opinions and complaints regarding personal information:

[Personal Information Protection Officer]
- Name: Yonggyun Kim
- Department: Support Team
- Position: Team Leader
- Phone: 02-2230-0305
- Email: it01.shillastay@shillastay.com

10. Protection of Personal Information for Children Under 14

To comply with the Youth Protection Act, the Company does not collect personal information from children under 14 years of age for membership eligible for accommodation. When collecting information about minors under 14 for other hotel business purposes, we obtain consent from their legal representatives.

11. Transmission of Advertising Information

a. The Company does not transmit commercial advertising information against customers' explicit opt-out intentions.

b. When transmitting advertising information via email for online marketing purposes such as product information guidance, the Company takes measures to ensure customers can easily identify such content in the email subject line and body as follows:

• - Email subject line: The term "(Advertisement)" may not be displayed in the subject line, and the main content of the email body will be indicated.
• - Email body: The sender's name, email address, phone number, and address where users can express their opt-out intention will be specified. Methods for users to easily express their opt-out intention will be clearly indicated.

c. When transmitting commercial advertising information through methods other than email, such as fax or mobile text messages, to customers who have consented to receive advertising, the Company takes necessary measures, including displaying the sender's name.

12. Linked Sites

a. The Company may provide links to other companies' websites or materials. In such cases, Shilla HM has no control over external sites and materials and cannot be responsible for or guarantee the usefulness of services or materials provided therefrom.

b. When clicking links on the Company's site to navigate to other sites' pages, the privacy policies of those sites are unrelated to Shilla HM. Please review the policies of the newly visited sites.

13. Posted Content

a. The Company values customers' posted content and makes every effort to protect it from alteration, damage, or deletion. However, this does not apply in the following cases:

• - Spam posts (e.g., chain letters, specific site advertisements)
• - Posts that defame others by spreading false information and damage others' reputations
• - Unauthorized disclosure of others' personal information, content infringing third parties' copyrights or other rights, and posts unrelated to the bulletin board topic
• - To promote desirable bulletin board culture, the Company may delete specific portions or modify them with symbols when others' personal information is disclosed without consent.
• - When content can be moved to a bulletin board with a different topic, we indicate the movement path in the post to prevent misunderstanding.
• - In other cases, posts may be deleted after explicit or individual warnings.

b. Fundamentally, all rights and responsibilities related to posted content belong to the individual author. Additionally, information voluntarily disclosed through posts is difficult to protect; please carefully consider before disclosing any sensitive information.