Agent to Agent (hereinafter referred to as "Company") processes personal information for the following purposes:

• • Member registration and management
• • Service provision and contract fulfillment
• • User inquiry handling and customer service
• • Service improvement and new service development
• • Marketing and advertising utilization
• • AI API key management and security
• • Project and content management
• • Service usage statistics analysis
• • Customer inquiries and support
• • Service improvement and new service development

• • Required items: Email address, name, profile picture (social login provided information)
• • Optional items: API keys (OpenAI, DeepSeek, Claude, Gemini)
• • Automatically collected items: Service usage records, access logs, cookies, access IP information
• • Generated information: Project information, agent settings, conversation content, content

Retained until membership withdrawal and destroyed immediately upon withdrawal.

However, if preservation is required by relevant laws, it is kept for the corresponding period:

• Records related to contracts or withdrawal of subscription: 5 years

• Records related to payment and supply of goods: 5 years

• Records related to consumer complaints or dispute resolution: 3 years

• Login records: 3 months

The company processes personal information only within the scope of the processing purposes in Article 1, and provides personal information to third parties only when it corresponds to Article 17 of the Personal Information Protection Act, such as consent of the data subject or special provisions of the law.

• • Recipient: None
• • Purpose of provision: Not applicable
• • Items provided: Not applicable
• • Retention and use period: Not applicable

The company outsources personal information processing tasks as follows for smooth personal information processing:

• • Consignee: Supabase Inc.
• • Content of outsourced work: Database management and backup
• • Consignee: Paddle.com Market Limited
• • Content of outsourced work: Payment processing and management

When concluding an outsourcing contract, the company specifies in documents such as contracts the matters related to prohibition of personal information processing other than the purpose of performing outsourced work, technical and administrative protection measures, restrictions on re-outsourcing, management and supervision of consignees, and liability for damages in accordance with Article 26 of the Personal Information Protection Act, and supervises whether the consignee safely processes personal information.

Data subjects may exercise the following personal information protection-related rights against the company at any time:

• Request to stop personal information processing

• Request to view personal information

• Request to correct or delete personal information

• Request to stop personal information processing

Rights may be exercised through documents, email, fax, etc. in accordance with Article 41, Paragraph 1 of the Enforcement Decree of the Personal Information Protection Act, and the company will take action without delay.

Rights may be exercised through legal representatives of data subjects or authorized agents. In this case, a power of attorney according to Form 11 of the Enforcement Rules of the Personal Information Protection Act must be submitted.

The company takes the following technical/administrative/physical measures necessary to ensure security in accordance with Article 29 of the Personal Information Protection Act:

The company designates a personal information protection officer as follows to take overall responsibility for personal information processing and to handle complaints and remedy damages related to personal information processing of data subjects:

• • Personal Information Protection Officer: Ahn Go-eun
• • Contact: ahngo13@naver.com
• • Data subjects may contact the Personal Information Protection Officer regarding all personal information protection-related inquiries, complaint handling, damage remedy, etc. that occur while using the company's services.

This personal information processing policy is applied from the effective date, and if there are additions, deletions, and corrections of changes according to laws and policies, it will be announced through announcements 7 days before the implementation of changes.

The company transfers personal information overseas as follows to provide services:

Recipient: Supabase Inc. (USA)

Personal information items transferred: Member information, project data, content

Purpose of personal information use by recipient: Database service provision

Personal information retention and use period by recipient: Until membership withdrawal