meBook

The Service meBOOK provided by Megastudy Education Co., Ltd. (hereinafter referred to as the “Company”) complies with the Personal Information Protection Act and other applicable laws and regulations to protect the freedom and rights of its Members. The Company lawfully processes personal information and manages it safely.

In accordance with Article 30 of the Personal Information Protection Act, the Company hereby establishes and discloses this Privacy Policy to inform Members of the procedures and standards for handling personal information, and to ensure that any complaints related thereto are promptly addressed.

The main contents of this Privacy Policy are as follows:

1. Purpose of Processing Personal Information and Items Collected
2. Retention and Use Period of Personal Information
3. Provision of Personal Information to Third Parties
4. Outsourcing of Personal Information Processing
5. Procedures and Methods for Destruction of Personal Information
6. Rights of Users and Their Legal Guardians, and How to Exercise Them
7. Measures to Ensure the Security of Personal Information
8. Matters Concerning the Installation, Operation, and Refusal of Automated Collection Devices for Personal Information
9. Personal Information Protection Officer
10. Remedies for Infringement of Rights
11. Amendment of the Privacy Policy

1.Purpose of Processing and Categories of Personal Information Collected

(a) When the Company collects personal information, it processes such information with the consent of the data subject pursuant to Article 15(1)(1) of the Personal Information Protection Act, or, where there is a separate legal basis, without obtaining consent.

Purpose of Processing	Legal Basis for Collection	Items Collected
[Membership Registration and Management] - Identification of Users and Provision of Membership Services - Confirmation of Intent to Register and Limitation on the Number of Registrations - Prevention of Unlawful and Fraudulent Use - Retention of Records for the Prevention and Resolution of Disputes - Compilation of Statistical Data - Delivery of Notices	Personal Information Protection Act Article 15(1)(4) (Performance of a Contract)	[General Membership Registration] ID (Email Address), Password [Apple Membership Registration] Email Address, Name [Google Membership Registration] Email Address, Name [Kakao Membership Registration] Email Address, Nickname [Megastudy Integrated Membership Registration] ID, Name, Email Address [Use of meBOOK Store Service] Name, Date of Birth, Gender, Mobile Phone Number
[Upon Content Purchase] - Payment and Refund	Personal Information Protection Act Article 15(1)(4) (Performance of a Contract)	[Content Purchase] Content Purchase Information, Payment Records (Bank/Card Company Code, Approval Number, Order Number) [Issuance of Cash Receipt] Cash Receipt Issuance Information (Mobile Phone Number) [Cash Refund] Account Holder Name, Bank Name, Account Number
[Customer Inquiry] - Retention of Records for the Prevention and Resolution of Disputes - Handling of Complaints, Civil Petitions, and Customer Inquiries - Consultations Related to Payment, Refund, and Delivery	Personal Information Protection Act Article 15(1)(4) (Performance of a Contract)	Name, ID, Details of Inquiry, and Information Necessary for Consultation
[Event participation and Prize fulfillment] - Event participation and Prize fulfillment	Personal Information Protection Act Article 15(1)(4) (Performance of a Contract) Personal Information Protection Act Article 15(1)(2) (Special Provisions under the Law) Income Tax Act Articles 145 and 164 (Withholding Obligations)	Name, ID, Mobile Phone Number, Email Address ※ Items collected may vary depending on the event. [Withholding of Taxes and Public Charges] Name, Resident Registration Number
[Marketing and advertising] - Promotion of Educational Products of Subsidiaries and Affiliates - Provision of Advertising Information, Including Events	Personal Information Protection Act Article 15(1)(1) (Consent of the Data Subject)	Name, ID, Email Address, Mobile Phone Number
[Partnership Inquiries] - Consultation Regarding Partnership or Store Entry Inquiries	Personal Information Protection Act Article 15(1)(4) (Performance of a Contract) Personal Information Protection Act Article 15(1)(1) (Consent of the Data Subject)	[Personal Information Protection Act Article 15(1)(4)] Company Name, Name, Email Address, Contents [Personal Information Protection Act Article 15(1)(1)] Website Address, Job Title, Mobile Phone Number, Attachments

(b) When collecting personal information via mobile phone or landline, the contents of the call will be recorded, and the Member will be notified of such recording.
However, if the Member refuses to provide personal information, certain consultations may be restricted.

(c) In the course of using the Service and conducting business, the following information may be generated and collected.

Purpose of processing	Personal Information items	Retention period
Prevention of Unauthorized or Fraudulent Use, Prevention of Unauthorized Access, Provision of Customized Services	Date and Time of Visit, IP Information, device Information, Service Usage Records, Records of Misuse, Other App Usage Information, Forced App Termination Data, Content Creation and Usage Records	Upon Member’s Withdrawal or for the Statutory Retention Period Required by Applicable Laws

2.Retention and Use Period of Personal Information

The Company shall destroy personal information without undue delay when it becomes unnecessary, such as upon the expiration of the retention period or the achievement of the purpose of processing, unless retention is required under applicable laws.

(a) In accordance with applicable laws, the Company shall retain personal information for a certain period before destroying it, as follows:

Records on labeling/advertising: 6 months (Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, Article 6)
Records on contracts or withdrawal of offers, etc.: 5 years (Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, Article 6)
Records on payment for goods and supply of goods, etc.: 5 years (Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, Article 6)
Records on consumer complaints or dispute resolution: 3 years (Enforcement Decree of the Act on the Consumer Protection in Electronic Commerce, Article 6)
Information for the payment of taxes and public charges on behalf of the recipient: 5 years (Income Tax Act, Article 160-2)
Data confirming telecommunications details: 3 months (Protection of Communications Secrets Act, Article 15-2)

(b) The Company shall destroy personal information without undue delay upon the expiration of the retention period or when the purpose of processing has been achieved, as follows:

Membership registration and management: Until the Member withdraws membership
Performance of contracts and provision of services: Upon completion of service provision or completion of payment for fees and delivery of goods
Marketing and advertising: Until the Member withdraws membership or withdraws consent
Event participation: Retained for up to one (1) year, which may vary depending on the event; the retention period specified at the time of the event shall prevail
Partnership and store entry inquiries: 1 year (or, in the case of a partnership or store entry agreement, 1 year from the date of termination of the agreement)

3.Provision of Personal Information to Third Parties

When the Company provides personal information, it shall notify the Member in advance and obtain consent, and shall use the information only within the scope of the stated purpose of use. However, in the following cases, personal information may be used or provided to third parties without the Member’s consent.

Where it is unavoidable in order to comply with special provisions of the law or to fulfill statutory obligations under applicable laws and regulations
Where it is necessary to perform a contract entered into with the Member, or to take measures at the request of the Member prior to entering into a contract
Where it is clearly necessary to protect the urgent life, body, or property interests of the Member or a third party
Where permitted under applicable laws and regulations, and where such processing is substantially related to the Company’s purposes and does not unreasonably infringe upon the rights of the Member
Where it is urgently necessary for public hygiene or safety and the public welfare
Where within a scope reasonably related to the original purpose of collection, it is reviewed whether the Member’s interests are unduly infringed; where, in light of the circumstances of collection or processing practices, the additional use or provision of personal information is reasonably foreseeable; and where safety measures such as pseudonymization or encryption are applied

4.Outsourcing of Personal Information Processing

The Company outsources the processing of personal information as follows in order to ensure the smooth handling of personal information-related tasks.

Entrusted Party	Entrusted Task
KT Alpha Co., Ltd. (Sub-processors: KT IS Co., Ltd., KT Corporation, KT DS Co., Ltd., M&Wise Co., Ltd.).	Sending event prizes (gifticons)
LG Uplus Corp. (Sub-processors: Media Log Co., Ltd., Nemos Lab Co., Ltd.)	Sending KakaoTalk notification messages and SMS messages
NHN KCP Corp.	Providing PAYCO, Naver Pay, and Kakao Pay easy payment methods
NHN Korea Cyber Payment Co., Ltd.	Providing payment methods such as credit card, bank transfer, virtual account deposit, and ARS card payment

5.Procedures and Methods for the Destruction of Personal Information

(a) The Company shall, without undue delay, destroy personal information when it becomes unnecessary, such as upon the expiration of the retention period or the achievement of the purpose of processing.

(b) Even if the retention period for personal information consented to by the Member has expired or the purpose of processing has been achieved, where the personal information must be continuously retained in accordance with other applicable laws, such personal information shall be stored in a separate database (DB) or retained in a different storage location.

(c) The procedures and methods for destruction are as follows.

[Destruction Procedures]

When the purpose of processing a personal information file has been achieved, the relevant service has been discontinued, or the business has been terminated, and the personal information file is deemed unnecessary, the file shall be destroyed without undue delay from the date it is recognized as no longer necessary, unless retention is required under applicable laws.

[Destruction Methods]

Personal information stored in electronic file format shall be deleted using technical methods that render the records irrecoverable.
Personal information printed on paper shall be destroyed by shredding with a shredder or by incineration.

6. Rights of Users and Their Legal Guardians, and How to Exercise Them

(a)The meBOOK service does not process the personal information of children under the age of 14.

(b) Users may request the following regarding their personal information in accordance with applicable laws:

Access to the personal information retained by the Company
Records of the Company’s use of the user's personal information or its provision to third parties
Records of the user's consent to the collection, use, and provision of personal information

(c) Users may request the suspension of the processing of their personal information in accordance with applicable laws.

(d) Users may withdraw their consent to the collection, use, and provision of personal information (i.e., membership withdrawal) in accordance with applicable laws. Users may withdraw consent (membership withdrawal) directly through the Company’s service via [Settings] – [Account] – [Delete Account], or by contacting the Personal Information Protection Officer in writing, by phone, or via email. Upon receiving such a request, the Company will promptly destroy the user's personal information or take other necessary measures.

However, even after consent is withdrawn (membership withdrawal), the minimum necessary information may be retained in accordance with applicable laws and regulations.

7.Measures to Ensure the Security of Personal Information

(a) In accordance with Article 29 of the Personal Information Protection Act, the Company takes the following physical, administrative, and technical measures necessary to ensure the security of personal information.

Protective Measure	Details
[Physical Protective Measures] Access control for unauthorized persons	The Company maintains a separate physical storage location for the personal information systems in which personal information is stored, and has established and operates access control procedures for such locations.
[Protective Measures] Establishment and implementation of internal management plans	The Company has established internal management guidelines and is implementing management plans accordingly.
[Protective Measures] Minimization and training of personnel handling personal information	The Company designates and minimizes the number of personnel authorized to handle personal information, and implements measures to manage such information appropriately.
[Technical Protective Measures] Restriction of access to personal information	The Company grants, modifies, and revokes access rights to the database systems that process personal information, takes necessary measures to control access to personal information, and uses intrusion prevention systems to block unauthorized external access.
[Technical Protective Measures] Retention of access logs and prevention of forgery or alteration	The Company retains and manages access records (web logs, summary information, etc.) to personal information processing systems for at least two (2) years, and uses security functions to prevent such records from being forged, altered, stolen, or lost.
[Technical Protective Measures] Encryption of personal information	Users’ personal information (passwords, account numbers) is encrypted for storage and management. In addition, important data is encrypted during both storage and transmission, and other separate security functions are applied.
[Technical Protective Measures] Technical measures to prevent hacking and similar threats	To prevent the leakage or damage of personal information caused by hacking or computer viruses, the Company installs security programs, regularly updates and inspects them, installs systems in access-controlled areas, and monitors and blocks access both technically and physically. In addition, the Company monitors network traffic and detects any attempts to unlawfully alter information.

8.Matters Concerning the Installation, Operation, and Refusal of Automated Collection Devices for Personal Information

The Company uses “cookies” to store and retrieve usage information from time to time in order to provide Members with individualized services and convenience.

A cookie is a small piece of information that the server (HTTP) used for operating a website sends to the browser of the data subject, which is then stored on the data subject’s PC or mobile device.

Members can configure their web browser settings to allow or block cookies. However, refusing to store cookies may cause difficulties in using certain services that require login.

▶ Allowing/Blocking Cookies in Web Browsers

Chrome : Web Browser Settings > Privacy and Security > Clear Browsing Data
Edge : Web Browser Settings > Cookies and Site Permissions > Manage and Delete Cookies and Site Data

▶ Allowing/Blocking Cookies in Mobile Browsers

Chrome: Mobile Browser Settings > Privacy and Security > Clear Browsing Data
Safari: Mobile Device Settings > Safari > Advanced > Block All Cookies
Samsung Internet: Mobile Browser Settings > Browsing History > Clear Browsing Data

9.Personal Information Protection Officer

The Company designates the following Personal Information Protection Officer to protect Members’ personal information and handle complaints related to personal information.

Personal Information Protection Officer :
Youngmoo Kim, CPO, Information Security Office
Personal Information Manager :
Youngsun Kim, Division Head, E-BOOK Business Division
Email : mebookteam@mebook.io

Members may report any personal information protection-related complaints arising from the use of the Company’s services to the Personal Information Protection Officer or the relevant department. The Company will respond promptly and adequately to all such reports from Members.

10.Remedies for Infringement of Rights

(a) In order to seek remedies for personal information infringement, Members may request dispute resolution or consultation from the Personal Information Dispute Mediation Committee or the Personal Information Infringement Report Center of the Korea Internet & Security Agency (KISA). For other reports or consultations regarding personal information infringement, please contact the organizations below:

Personal Information Dispute Mediation Committee :
(No area code) 1833-6972 | www.kopico.go.kr
Personal Information Infringement Report Center :
(No area code) 118 | privacy.kisa.or.kr
National Police Agency :
(No area code) 182 | ecrm.cyber.go.kr

(b) The Company strives to protect Members’ right to self-determination over their personal information and to provide consultation and remedies for damages caused by personal information infringement. If you need to file a report or seek consultation, please contact the department below.

Customer Consultation and Reporting for Personal Information Protection

Department : E-BOOK Business Division
Email : mebookteam@mebook.io

11.Amendment of the Privacy Policy

(a) If the Company revises this Privacy Policy, it will notify Members via the Company’s website announcements at least seven (7) days prior to the effective date.

(b) This Privacy Policy shall take effect from January 26, 2026.

Date of Notice of the Privacy Policy : January 16, 2026
Effective Date of the Privacy Policy : January 26, 2026