Last Updated: 2026.06.15 Effective Date: 2026.06.15 Version: 1.0 *** Privacy at a Glance Before reading the full policy, here are the most important points. 🔒 Swing videos, AI analysis, and skeleton data all stay on your device Swing videos are stored only on your PC, and AI analysis is performed directly on your device through on-device AI inference. Skeleton (landmark) data extracted from videos also remains only on the device and is not transmitted to our servers. Only 35 VTrack sensor data fields and game progress data are transmitted to our servers. 🤖 We do not use your data to train AI models We do not collect swing videos or skeleton data in the first place, and the data we do retain is not used for AI model training, external research, dataset sales, or similar purposes. If this policy changes, we will notify you in advance. 🎯 No advertising tracking The analytics tool currently used, Google Analytics, is used only for analytics and is not connected to advertising or remarketing. We do not use mobile advertising identifiers such as IDFA or GAID, or behavioral advertising SDKs. 🇰🇷 Where data is processed Primary data is stored on servers in Korea. Transfers of EU/EEA user data to the Republic of Korea are based on the European Commission adequacy decision (2022/254). Analytics and diagnostic tools separately use processors in the United States. See Article 3 for details. ⏱️ Account retention and deletion control While you continue using SwingEz, data is retained to provide the service, and you may request deletion directly at any time. We do not automatically terminate or delete accounts solely because of inactivity. Where there is a legitimate reason, such as an explicit user request, Terms violation, or statutory retention or deletion obligation, we process the account and data under this Policy and applicable law. 🏌️ All golfers are welcome SwingEz is a golf simulator for everyone who enjoys golf. Accounts are held and managed by adult users, and minor children may use the service together under the supervision of the account holder. > This summary is for convenience only. The main text below controls legally. *** Introduction This Privacy Policy (the "Policy") explains how Laon People Inc. ("we," "us," or "our") processes personal information in connection with the SwingEz service (the "Service"). SwingEz is a golf swing analysis service that receives 35 VTrack sensor data fields from the Vtrack golf launch monitor and analyzes swing videos captured by two connected cameras through on-device AI inference. Body-joint skeleton (landmark) data extracted from the video is processed and stored on the user device and is not transmitted to our servers. Our servers provide gamified progress systems and improvement statistics based on the 35 VTrack sensor data fields and game progress data. Core Principle: Data Minimization and User Control. We collect and process only the minimum information necessary for analysis. Swing videos, AI analysis, and resulting skeleton (landmark) data are all processed and stored on the user device and are not transmitted to our servers. Only 35 VTrack sensor data fields and game progress data are transmitted to our servers. Users may access, download, correct, or delete their data at any time. This Policy is intended to provide transparency to users under global data protection laws, including the GDPR, CCPA, and PIPA. To the extent possible, we provide consistent procedures and protection levels to all SwingEz users regardless of residence. The specific scope and exceptions for each right may vary depending on applicable law. Region-specific additional terms are provided in Part III for Korea and Part IV for California. We review and update this Policy at least every 12 months. If there is a material change, we will notify users before the effective date through an in-app notice or the registered email address. *** Part I: General Information Article 1 [Information We Collect] We collect and process the following information to provide the Service. (1) Information provided directly by users Required at sign-up: Email address Password (stored after encryption with an industry-standard one-way hashing algorithm; plaintext passwords are never stored in any form) Preferred name (nickname) Country of residence, to determine applicable law Optional profile information: Date of birth Gender Dexterity (right-handed / left-handed) Player category Handicap Optional fields are not required to use the Service and may be modified or deleted at any time in account settings. Customer support and feedback, where applicable: Contents of messages and attachments sent by the user to customer support Survey or feedback responses voluntarily provided by the user Obligation to update country of residence: If a user's country of residence changes, the user must promptly update that information in account settings. Applicable laws and rights may vary by country of residence. (2) Information automatically collected during use of the Service A. Authentication, session, and license-binding information Session tokens License keys Device unique identifier (a one-way hash generated by Unity Engine SystemInfo) License activation status history, including activation, release, and reactivation times B. 35 VTrack sensor data fields per swing Measurements received from the Vtrack Launch Monitor, such as ball speed, launch angle, spin rate, club head speed, club path, attack angle, face angle, smash factor, and carry distance. C. Game progress data Improvement indicators such as skill-tree progress, achievements, session history, and Swing Score. D. Device and software environment Hardware specifications: CPU, GPU, memory, screen resolution, and device model Operating system information: type, version, language, and time zone App and runtime environment information: SwingEz app version and internal identifiers E. Technical logs IP address, User-Agent, and crash logs. On-device processing, not transmitted to servers: swing videos and skeleton (landmark) data Swing videos captured by two connected cameras, and body-joint skeleton (landmark) data extracted from those videos through AI inference, are processed and stored only on the user device and are not transmitted to our servers. AI inference, meaning analysis that extracts skeleton data from video, is also performed directly on the user device. We do not collect or retain users' swing videos or skeleton data. (3) Information we do not collect As of the effective date of this Policy, we do not collect the following information in any SwingEz service environment. If any item below changes, we will update this Policy and provide advance notice. Original swing videos, which are stored only locally on the user device Skeleton (landmark) data, meaning body-joint pose data, which is processed and stored only on the user device and is not transmitted to or retained by our servers MAC address or machine name (PC name) Camera serial number or model during ordinary service operation. However, (i) Laon People's separate manufacturing, distribution, and after-sales management systems may process such information for hardware warranty and authenticity verification, and (ii) camera serial numbers may be included in report data only when the user submits a bug report for diagnostic purposes. See Article 1(4). Precise location information, such as GPS coordinates Mobile advertising identifiers, such as IDFA or GAID Behavioral advertising tracking SDKs, remarketing pixels, or third-party advertising network SDKs GDPR Article 9 special category data, including race, ethnicity, religion, political opinions, sexual orientation, biometric identifiers, genetic information, health information, or medical records Personal information purchased or received from data brokers (4) Information collected when using the bug report (troubleshooting) feature Only when a user directly submits an in-app bug report, the following information is transmitted to the server to diagnose and resolve the issue. Report contents: issue category, symptom description up to 500 characters, and up to three attached images User identification: login authentication token, used to match the report to the user's account Diagnostic information: app information such as app version, build information, and active screen at the time of report; PC system information such as OS, CPU, GPU, memory, and display; serial numbers of registered analysis cameras (DVP2); and app logs and Unity logs from the previous two days, up to 20 MB total Please check attached images before submission to ensure they do not contain sensitive information such as real names, contact details, or account numbers. These diagnostic materials are used only to analyze and resolve the reported issue, and not for marketing, advertising, or external sharing. They are automatically deleted within 90 days after report handling is completed, or sooner if the user requests deletion. By submitting a report, you are deemed to consent to the collection and use of this information. If you do not wish to consent, stop submitting the report or contact service@laonpeople.com. To prevent abuse, the number of submissions per device per day and the data volume per report are limited to 20 MB. *** Article 2 [On-Device Processing of Skeleton (Landmark) Data] Skeleton (landmark) data records body-joint locations as coordinates. Some laws require careful handling of data based on physical characteristics. To eliminate those concerns from the outset, we designed SwingEz so that skeleton data is not collected by our servers and is processed and stored only on the user device. ✓ No server collection or retention — Swing videos and skeleton data extracted from them are not transmitted to our servers, and we do not retain them. AI inference is also performed directly on the user device. See Article 1(2). ✓ User control on the device — Because videos and skeleton data are stored on the user device, users can delete and manage them directly from the device. The scope of data use, including the fact that data is not used for AI model training, is described in Article 4. This design is structured to comply with data-minimization and careful-processing principles under major data protection laws, including the GDPR, Korean PIPA, and California CPRA. *** Article 3 [Tracking Technologies and Analytics Tools] The SwingEz Service operates in the following three environments, and different technologies are used in each environment. Member management web: sign-up, login, account information viewing and editing, and activated device management SwingEz launcher: patches and updates Unity simulator: license activation, actual analysis, and data collection 3-1. Member management web Strictly necessary cookies Cookie Purpose Retention Period Consent Login session token Maintain login state Until session ends or up to 24 hours Not required CSRF security token Prevent forged requests Until session ends Not required Other cookies: We do not use analytics, advertising, or tracking cookies. We do not operate a marketing website, and the member management web is accessible only to authenticated users. Because only strictly necessary cookies, such as login and security tokens, are used, we do not provide a separate cookie consent banner. 3-2. SwingEz launcher: patches and updates Role: Client patches and version updates. Required communication: Communication with Laon People's own servers for patch checks and downloads. Analytics SDK: Item Details Tool Google Analytics 4 Processor Google LLC (United States) Information collected Launcher usage events, update-check timing, device/session information, OS version Purpose Analyze launcher usage patterns and improve update stability Advertising integration None; analytics only Retention period 14 months Legal basis EU/EEA and UK users: consent (ePrivacy/GDPR Article 6(1)(a)); other regions: legitimate interests (GDPR Article 6(1)(f)) plus PIPA Article 26 processing entrustment How to opt out EU/EEA and UK: no collection if consent is not selected at first launch; all regions: launcher [Settings → Privacy → Send Usage Statistics Data] toggle > For EU/EEA and UK users, the analytics SDK is not activated until opt-in consent is obtained, in compliance with the terminal storage/access provisions of the ePrivacy Directive. In other regions, it operates based on legitimate interests, but users may opt out at any time through the toggle above. 3-3. Unity simulator Required identifiers, essential to provide the Service and not disableable: Session token: maintain login state License key plus Unity Device Unique ID (one-way hash): license device binding Crash diagnostics SDK: Item Details Tool Unity Cloud Diagnostics Processor Unity Technologies, Inc. (United States) Information collected Anonymized stack traces, device information, OS/app/Unity version, crash time Purpose Improve app stability and diagnose bugs Retention period Subject to Unity policy, typically 90 days Legal basis Legitimate interests (GDPR Article 6(1)(f)) plus PIPA Article 26 processing entrustment How to opt out Rights request procedure in Article 10 of this Policy Unity policy https://unity.com/legal/privacy-policy Analytics SDK: The Unity simulator itself does not use Google Analytics or any other analytics tool. 3-4. Tracking technologies we do not use As of the effective date of this Policy, we do not use advertising or tracking technologies, including advertising identifiers such as IDFA or GAID, behavioral advertising SDKs, remarketing pixels, or cross-device tracking, in any SwingEz service environment. If we introduce such technologies in the future, we will update this Policy and provide prior notice. See Article 1(3) for the detailed list. *** Article 4 [Purposes of Processing Personal Information] We process personal information only for the following purposes. Purpose Data Used Legal Basis Account creation and management; authentication Account and profile information; license binding Performance of contract Personal improvement statistics and progress management 35 VTrack sensor data fields; game progress data Performance of contract Prevention of unauthorized license copying and detection of misuse Device identifiers; activation status history Legitimate interests plus performance of contract Compatibility, performance optimization, and troubleshooting Device and environment information Legitimate interests Statistics by system specification, anonymized and aggregated Device and environment information Legitimate interests App localization OS language; time zone Performance of contract Security and fraud prevention All categories Legitimate interests Usage pattern analytics Google Analytics data EU/EEA and UK: consent; others: legitimate interests plus processing entrustment App stability and crash diagnostics Unity Cloud Diagnostics data Legitimate interests plus processing entrustment Bug report diagnostics and issue resolution Report contents, app and PC system diagnostics, camera serial number, app logs Consent at report submission plus legitimate interests Marketing communications Email Opt-in consent Leaderboard display Preferred name (nickname); performance indicators Legitimate interests as a core Service feature > Swing videos and skeleton (landmark) data are not collected by our servers and therefore are not subject to the processing purposes above. Video and skeleton-based analysis is performed on the user device and displayed only to the user. We do not use data for other purposes. As of the effective date of this Policy, we do not use user data for purposes other than those stated above. In particular, we do not use it for advertising, behavioral profiling, AI model training, external research, dataset sales, or cross-context advertising. If this policy changes, we will update this Policy and notify you in advance. Leaderboards and public information SwingEz provides leaderboards displaying weekly and monthly performance rankings as a common golf-game feature to motivate user improvement. The only information made public is the user's selected Preferred name, Swing Score, and ranking period. Other personal information, such as email address, country of residence, date of birth, contact details, device information, skeleton data, and swing videos, is not disclosed to other users. Users who do not want to appear on leaderboards may switch to private mode through app settings or by requesting it at service@laonpeople.com. In that case, they will be excluded from ranking calculations. *** Article 5 [Retention, Use Period, and Destruction of Personal Information] We retain personal information for the following periods. Data Retention Period Account and profile information, required and optional Account retention period plus 30 days License-binding information, device identifier plus status history Account retention period plus 30 days 35 VTrack sensor data fields Account retention period plus 30 days Game progress data, including skill tree, achievements, session history, and Swing Score Account retention period plus 30 days Customer support inquiries 3 years after closure Bug report diagnostic materials, including report contents, diagnostic information, and logs Deleted within 90 days after report handling is completed Server logs, including IP, User-Agent, and crash logs Automatic 90-day rotation Consent and legal compliance records 5 years, where legally required Google Analytics data 14 months, retained on Google servers Unity Cloud Diagnostics data Subject to Unity policy, typically 90 days "Account retention period" means the period during which the user holds a SwingEz account. We do not automatically terminate accounts solely because of inactivity. Where there is a legitimate reason, such as an explicit termination request, Terms violation, or legal necessity, we process accounts and data under this Policy and applicable law. Where retention is necessary for legal disputes, investigations, audits, or other legal reasons, the retention period may be extended until the dispute or legal obligation ends. Swing videos and skeleton (landmark) data: We do not collect or store swing videos or skeleton data. Videos and skeleton data exist only on the user device, and only 35 VTrack sensor data fields and game progress data are transmitted to our servers. Destruction procedure: Destruction through automated batch jobs when the retention period expires or the processing purpose is achieved Permanent deletion after a 30-day grace period following account withdrawal If retention is required under other laws, separate storage in a separate database followed by destruction when the retention period expires Destruction method: Electronic files: hard delete from databases and disposal of backups within the next backup cycle Printed materials: shredding or incineration *** Article 6 [Security Measures for Personal Information] We implement the following measures under Article 29 of Korea's Personal Information Protection Act, Article 30 of its Enforcement Decree, GDPR Article 32, the CCPA, and other applicable laws. Technical measures Encryption of data in transit through industry-standard transport encryption protocols Encryption of data at rest through industry-standard symmetric-key encryption algorithms at the database level Passwords stored after encryption with industry-standard one-way hashing algorithms, with no plaintext storage Access-rights management and access control using role-based access control (RBAC) and the principle of least privilege Retention and review of access logs Administrative measures Appointment of a privacy officer and privacy personnel Execution of data processing agreements (DPAs) with personal information processors Operation of incident response procedures Physical measures Servers located in data centers with security measures Office access control Incident notification procedure If a security incident occurs, we respond according to the following procedure. Immediately upon awareness: assess and contain the incident Within 72 hours after awareness: notify supervisory authorities under GDPR Article 33; under Korean PIPA, notify data subjects and report to specialized agencies without delay and within statutory deadlines If there is a high risk to data subject rights: directly notify affected users Notice contents: nature of the incident, affected data categories, estimated number of affected individuals, and recommended actions Follow-up: corrective actions and recurrence-prevention report *** Article 7 [Entrustment of Personal Information Processing] We entrust personal information processing externally in the following areas to operate the Service. We enter into data processing agreements with all processors under GDPR Article 28 and PIPA Article 26, and supervise processors so they maintain at least the protection level described in this Policy. Entrusted Area Processor Processor Location Entrusted Work Usage pattern analytics Google LLC United States Analysis of launcher usage events through Google Analytics 4 Crash monitoring Unity Technologies, Inc. United States Analysis of Unity simulator crash and exception logs through Unity Cloud Diagnostics If processors change, we will update this Policy and provide prior notice. Channel partners are not processors: Authorized Distributors and Authorized Resellers that distribute SwingEz licenses are product distribution partners, not personal information processors. We do not provide end-user personal information to channel partners. Only non-personal information, such as license key serial numbers, is provided to channels. Third-party disclosure: We do not provide personal information to third parties except in the following cases. Where the user separately consents Where disclosure is required by law Under a lawful warrant or court order, in which case we will notify the user in advance where possible In connection with a corporate merger, acquisition, or asset transfer, with prior notice We do not currently sell personal information. If this policy changes in the future, we will provide prior notice and follow a separate consent process. *** Article 8 [International Data Transfers] Primary data: Korean servers Our servers are located in the Republic of Korea. Personal information of EU/EEA users is transferred from the EU/EEA to the Republic of Korea. EU adequacy decision: On December 17, 2021, the European Commission adopted an adequacy decision for the Republic of Korea (Commission Implementing Decision (EU) 2022/254). Our EU/EEA to Korea transfers are based on this adequacy decision and automatically satisfy the appropriate-safeguard requirement under GDPR Article 45. Additional standard contractual clauses (SCCs) or supplementary measures are not required. UK adequacy: The UK government also maintains adequacy recognition for Korea, so the same approach applies under the UK GDPR. Processing entrustment: transfers to the United States As described in Article 7, Google LLC and Unity Technologies, Inc. act as processors located in the United States. These transfers are lawfully performed through the following mechanisms. EU/EEA to United States: EU-US Data Privacy Framework self-certification, where the processor maintains DPF certification, plus GDPR Article 46 Standard Contractual Clauses as a supplementary mechanism United Kingdom to United States: UK Extension to the DPF Korea to United States: PIPA Article 28-8 processing entrustment plus disclosure in this Policy We provide these processors only limited data for analytics and diagnostics, and entrust processing on terms that do not permit data use for advertising, profiling, or cross-context purposes. Other regions: For transfers from regions such as Japan, Canada, and Australia that have adequacy decisions or equivalent protection-level recognition, we use the applicable mechanism. *** Part II: User Rights (Universal Rights) Article 9 [User Rights] Regardless of residence, all SwingEz users may exercise the following rights to the extent possible. We provide consistent rights request procedures aligned with global standards, but the specific scope, limitations, and exceptions for each right may vary under applicable law. Right to Access — the right to receive a copy of the data we hold about you Right to Rectification — the right to request correction of inaccurate data Right to Erasure / Right to be Forgotten — the right to request deletion of your data Right to Data Portability — the right to receive your data in a structured, machine-readable format such as JSON or CSV Right to Restrict Processing — the right to request temporary suspension of specific processing Right to Object — the right to object to processing based on legitimate interests or to direct marketing Right to Withdraw Consent — the right to withdraw consent-based processing, such as marketing. Processing before withdrawal is not affected, and the relevant processing stops immediately upon withdrawal. Right to Non-Discrimination — the right not to receive any disadvantage, such as service denial, price discrimination, or service-quality differences, because of exercising rights Right to Lodge a Complaint — the right to lodge a complaint with the data protection supervisory authority in your place of residence These rights may be additionally protected under mandatory laws in your residence, such as Korean PIPA, EU GDPR, US CCPA, Canadian PIPEDA, Australian Privacy Act, and Japanese APPI. We apply the highest protection level applicable. However, specific exercise of rights is subject to the scope and requirements under applicable law, including identity verification procedures and legitimate exceptions such as statutory retention obligations. *** Article 10 [How to Exercise Rights] Users may exercise the rights above through the following channels. In-app self-service: Settings → Privacy → Data Download / Data Deletion / Consent Management Email: service@laonpeople.com Phone: 1899-3058 Fax: 02-3418-3351 Mail: Attn: Laon People Privacy Team, 5th/6th Floor, Building C, Gwacheon Urban Hub, 60 Gwacheon-daero 7na-gil, Gwacheon-si, Gyeonggi-do 13840, Republic of Korea Reasonable identity verification procedures, such as email verification or account login confirmation, may be required. We do not charge a fee for rights requests except for manifestly unfounded or excessively repetitive requests. *** Article 11 [Response Deadlines] We generally respond to rights requests within 30 days. Some regions prescribe shorter or longer deadlines. Region Response Deadline Korea (PIPA) Within 10 days EU/EEA and UK (GDPR / UK GDPR) 1 month, plus 2 additional months for complex requests California, United States (CCPA) 45 days, plus 45 days with prior notice Canada (PIPEDA) 30 days Australia (Privacy Act) Within 30 days, a reasonable period New Zealand (Privacy Act 2020) Within 20 business days Other regions Generally 30 days For complex requests or where identity verification is required, the period may be reasonably extended with prior notice. *** Article 12 [Complaint Authorities] Depending on the country of residence, complaints may be filed with the following supervisory authorities. Region Supervisory Authority Contact Korea Personal Information Dispute Mediation Committee 1833-6972 / www.kopico.go.kr Korea Personal Information Infringement Report Center (KISA) 118 / privacy.kisa.or.kr California, United States California Privacy Protection Agency www.cppa.ca.gov Other US states Applicable state Attorney General Office - EU/EEA Data protection supervisory authority in the member state of residence edpb.europa.eu/about-edpb/about-edpb/members_en United Kingdom Information Commissioner's Office (ICO) ico.org.uk Canada (federal) Office of the Privacy Commissioner of Canada priv.gc.ca Canada (Quebec) Commission d'accès à l'information du Québec cai.gouv.qc.ca Canada (Alberta) OIPC Alberta oipc.ab.ca Canada (BC) OIPC British Columbia oipc.bc.ca Australia Office of the Australian Information Commissioner oaic.gov.au New Zealand Office of the Privacy Commissioner privacy.org.nz Japan Personal Information Protection Commission ppc.go.jp Other regions Data protection supervisory authority in the place of residence - *** Article 13 [Use by Children] SwingEz is a golf simulator that requires dedicated hardware such as a Vtrack launch monitor and cameras, and is generally purchased and installed by adults for use at home or in facilities. We do not market the Service to children or collect personal information directly from children. SwingEz accounts are held and managed by adult users. Minor children may use the Service for golf practice together under the supervision of the account holder, such as a parent or guardian. In that case, information processed under the account is handled under the authority and responsibility of the account holder. If we become aware that we collected a child's personal information without guardian involvement, we will delete that information without delay. Guardians may request related confirmation or deletion at service@laonpeople.com. *** Part III: Additional Terms for Korean Residents This Part applies to users residing in the Republic of Korea. It provides matters required under Article 30 of the Personal Information Protection Act and Article 31 of its Enforcement Decree. Article 14 [Purposes of Processing Personal Information] We process personal information for the following purposes. Member registration and management: user identification and authentication, membership maintenance and management, and prevention of misuse Service provision: analysis of 35 VTrack sensor data fields, provision of improvement statistics, operation of skill trees, and leaderboard display. Swing video and skeleton-data based analysis is performed on the user device and is not collected by our servers. Complaint handling: identity confirmation of complainants, complaint verification, contact and notices for factual investigation, and notification of results Security and fraud prevention: detection of abnormal access and prevention of license key misuse Legal compliance: retention and reporting obligations under applicable laws Article 15 [Items of Personal Information Processed and Retention/Use Period] See Articles 1 and 5 of this Policy. Summary table: Item Retention and Use Period Email, password (encrypted storage), Preferred name (nickname), country of residence Account retention period plus 30 days Date of birth, gender, Dexterity, Player category, Handicap (optional) Account retention period plus 30 days 35 VTrack sensor data fields Account retention period plus 30 days Game progress data, including skill tree, achievements, session history, and Swing Score Account retention period plus 30 days License-binding information, device identifier plus activation status history Account retention period plus 30 days Bug report diagnostic materials Within 90 days after report handling is completed Access logs and device information 90 days Consent records 5 years Swing videos and skeleton (landmark) data are stored only on the user device and are not collected or retained by our servers. Article 16 [Destruction Procedure and Method for Personal Information] Destruction procedure: Personal information is destroyed through automated batch jobs when the retention period expires or the processing purpose is achieved. Upon membership withdrawal, it is destroyed after a 30-day grace period. If retention is required by other laws, it is separately stored in a separate database and destroyed after the retention period expires. Destruction method: Electronic files: permanent deletion from databases, meaning hard delete rather than soft delete, and disposal of backups within the next backup cycle Printed materials: shredding or incineration Article 17 [Third-Party Provision of Personal Information] We do not provide personal information to third parties except as described in Article 7 of this Policy. Authorized Distributors and Authorized Resellers are product distribution partners and are not personal information processors. Article 18 [Entrustment of Personal Information Processing] For our processing entrustment status, see the table in Article 7 of this Policy. Article 19 [Overseas Transfer of Personal Information] Our primary servers are located in the Republic of Korea, but the following processors are located overseas. Transferred Item Recipient Country Timing and Method Purpose Retention and Use Period Launcher usage events; device/session information Google LLC United States At the time of Service use, transmitted over the internet Usage pattern analytics (Google Analytics 4) 14 months Anonymized stack traces; device information; OS/app/Unity version Unity Technologies, Inc. United States At the time of crash, transmitted over the internet App stability analytics (Unity Cloud Diagnostics) Typically 90 days These overseas transfers are performed based on PIPA Article 28-8(1)(4), meaning processing entrustment and storage disclosed in this Policy. This processing entrustment is necessary to operate the Service, but users may stop analytics data collection through the opt-out method in Article 3, namely the launcher settings toggle. Article 20 [Rights and Obligations of Data Subjects and Legal Representatives; Exercise Methods] Under the Personal Information Protection Act, data subjects (users) may exercise the rights described in Article 9 of this Policy. Rights may be exercised through the channels described in Article 10. SwingEz accounts are held and managed by adult users, and minor children use the Service under the supervision of the account holder. Rights over personal information processed under the account may be exercised by the account holder under Articles 9 and 10 of this Policy. See Article 13. Article 21 [Devices That Automatically Collect Personal Information] We use only the minimum cookies necessary for service authentication and session management. We do not use advertising identifiers such as ADID or IDFA, or behavior-based tracking SDKs. For details, see Article 3 [Tracking Technologies and Analytics Tools] of this Policy. Cookie opt-out method: users may opt out through web browser settings or mobile OS advertising identifier reset functions. However, if strictly necessary cookies are rejected, some Service functions such as login may be limited. Article 22 [Security Measures for Personal Information] See Article 6 of this Policy. We implement all technical, administrative, and physical measures required under Article 29 of the Personal Information Protection Act and Article 30 of its Enforcement Decree. Article 23 [Privacy Officer and Privacy Personnel] Privacy Officer Name: Ki-wook Yoon Position: CTO Contact: 1899-3058 / service@laonpeople.com Privacy Personnel Name: Hyun-chang Choi Contact: 1899-3058 / service@laonpeople.com Article 24 [Remedies for Infringement of Data Subject Rights] See the Korea items in Article 12 of this Policy: Personal Information Dispute Mediation Committee (1833-6972), KISA 118, Supreme Prosecutors' Office Cyber Investigation Division (1301), and Korean National Police Agency Cyber Bureau (182). *** Part IV: Additional Terms for California Residents This Part applies to California residents and provides additional disclosures under the CCPA/CPRA. Article 25 [Processing Status by California CCPA Category] Personal information processing status during the past 12 months: CCPA Category Collected Sold Shared for Behavioral Advertising Disclosed for Business Purpose A. Identifiers, such as email, IP, device ID, and device identifier hash Yes No No Cloud hosting and email delivery processors B. California customer records, such as Preferred name Yes No No Cloud hosting processors C. Protected classification characteristics, such as date of birth and gender when voluntarily entered by the user Yes, optional No No Cloud hosting processors D. Commercial information No No No - E. Biometric information No; skeleton (landmark) data is not collected by our servers and is processed only on the user device No No - F. Internet/network activity, such as Google Analytics data Yes No No Google LLC as analytics processor G. Location data No precise location; country-level information based on IP only No No - H. Sensory data, such as audio or video No; original video is not collected and is stored only locally on the device No No - I. Professional/employment information No No No - J. Education information No No No - K. Inferences, such as improvement statistics and Swing Score Yes No No Cloud hosting processors L. Sensitive personal information (SPI) No; skeleton (landmark) data is not collected by our servers No No - Sources of personal information: the user directly and automatic collection during Service use. Collection purposes: see the processing-purpose table in Article 4 of this Policy. Financial incentives: We do not provide financial incentives, price differences, or service-level differences in exchange for personal information. Article 26 [Additional California Rights] Opt-Out of Sale or Sharing: We do not sell personal information or share it for cross-context behavioral advertising. Therefore, we do not provide a separate "Do Not Sell or Share My Personal Information" opt-out link. If this policy changes in the future, we will provide prior notice and introduce the required mechanism. Right to Limit Use and Disclosure of Sensitive Personal Information (SPI Limit): We do not collect data that may qualify as sensitive personal information, such as skeleton (landmark) data, on our servers. Therefore, there is no processing activity subject to a separate SPI limit request. If such processing is introduced in the future, we will limit purposes and provide choices to the extent required by applicable law. Automated Decision-Making Technology (ADMT): Swing Scores and drill recommendations are generated automatically, but they are not automated decisions that produce legal or similarly significant effects on a person. Therefore, ADMT-related regulations, such as human review, do not apply. Global Privacy Control (GPC): Because we do not sell personal information or share it for cross-context behavioral advertising, there is no processing activity to which a universal opt-out signal such as GPC applies. Personal information of minors: We do not sell or share personal information of minors under 16. If such activity occurs, we will obtain prior opt-in consent as required by law. *** Part V: Changes, Contact, and Governing Language Article 27 [Changes to this Privacy Policy] If this Policy changes, we will provide notice as follows. Material changes: In-app notice plus registered email notice 30 days before the effective date Re-consent procedure for changes requiring separate consent General changes: In-app notice 7 days before the effective date Differences stated on the website change-history page Users may view all changes in [Settings → Terms Change History]. Article 28 [Company Contact] Company information Company name: Laon People Inc. Business registration number: 129-86-41679 Representative: Seok-joong Lee Address: 5th/6th Floor, Building C, Gwacheon Urban Hub, 60 Gwacheon-daero 7na-gil, Gwacheon-si, Gyeonggi-do 13840, Republic of Korea Main phone: 1899-3058 Email: service@laonpeople.com Privacy Officer: Ki-wook Yoon / CTO Privacy Personnel: Hyun-chang Choi EU Representative (GDPR Article 27) / UK Representative (UK GDPR Article 27): Not currently appointed. If appointed later, contact details will be added to this Policy. Until then, EU/EEA and UK users may contact the Privacy Officer above at service@laonpeople.com. Article 29 [Governing Language] This Policy is provided in Korean and English. If there is any difference in interpretation between the two versions, the English version controls for users outside the Republic of Korea, and the Korean version controls for users in the Republic of Korea. *** © 2026 Laon People Inc. All rights reserved.