VMS Holdings Co., Ltd. (the “Company”) establishes and discloses this Privacy Policy pursuant to Article 30 of the Personal Information Protection Act of Korea (“PIPA”) to protect the personal information of data subjects (users, physicians, pharmacists, and nurses) and to handle related complaints swiftly and smoothly in accordance with PIPA and applicable laws.

The Company processes personal information for the following purposes. Personal information processed will not be used for purposes other than those stated below, and if the purpose of use changes, the Company will obtain separate consent or take necessary measures pursuant to Article 18 of PIPA.

To confirm the intention to register, identify and verify the individual, maintain and manage membership, handle complaints and CS inquiries, secure communication channels for consultations, analyze visits and usage records, prevent misuse, and manage records for the provision of membership-based services, the Company collects and uses the following personal information

To integrate emergency medical infrastructure, provide membership and personalized products/services/contents, perform identity and age verification, invoice service fees, process payment/settlement/refund, and conduct satisfaction surveys, the Company collects and uses personal information as follows.

With the user’s prior consent, the Company collects and uses personal information to deliver promotional information such as new services and events and to provide personalized notices.

1. The Company has executed personal information processing consignment agreements with affiliated medical institutions. Pursuant to Article 18 (Prescription) and Article 22 (Medical Records) of the Medical Service Act and Article 42-2 of its Enforcement Decree (Processing of Sensitive Information and Unique Identifiers), the Company processes users’ Resident Registration Numbers (or, for foreigners, Foreign Registration Numbers) as necessary for affiliated medical institutions to handle patient registration, medical record creation, prescription issuance, and affiliated pharmacies’ dispensing of prescribed medicines.

2. Unique identifiers collected are used only for purposes permitted by relevant laws (e.g., patient registration, medical record creation, prescription issuance) and are not processed for any other purposes.

3. Unique identifiers are, in principle, processed in encrypted form and are retained and managed as set forth in this Policy.

1. The Company processes and retains personal information within the statutory retention period or the retention/use period consented to by the data subject at collection.

2. The processing and retention periods are as follows.

1. The Company processes personal information only within the scope set forth in Article 1 and provides it to third parties only within the scope permitted by PIPA (e.g., with user consent or where otherwise authorized by law).

2. Personal information may be provided to third parties without consent where permitted by law, including:

1. A data subject may at any time withdraw consent (e.g., by account deletion) and exercise rights to access, correction, deletion, and suspension of processing via “Oceanlife > Data Wallet.”

2. Pursuant to Article 41(1) of the Enforcement Decree of PIPA, the above rights may also be exercised by submitting a request to the Personal Information Protection Officer in Article 6 via mail, email, or fax, and the Company will promptly take action.

3. Where the rights are exercised through a legal representative or delegated agent, a power of attorney in the form prescribed by the “Public Notice on Personal Information Processing Methods (No. 2020-7), Annex Form 11” must be submitted.

4. Requests for access or suspension of processing may be restricted pursuant to Articles 35(4) and 37(2) of PIPA.

5. Requests for deletion may be limited where other laws explicitly require the collection of the relevant information.

6. The Company verifies whether the requester is the data subject or a duly authorized representative when rights are exercised.

1. When personal information becomes unnecessary—such as upon expiration of the retention period or achievement of the processing purpose—the Company promptly destroys it as follows:

2. Where personal information must be retained under other laws despite expiration of the agreed retention period or achievement of the purpose, such information will be stored in a separate database (DB) or kept in a physically separate location.

3. Accounts inactive for one year are converted to “dormant accounts,” and the related personal information is segregated and stored separately. The Company notifies the user by email or SMS at least 30 days prior to such conversion, indicating the scheduled date and the items to be segregated. Dormant accounts may be restored upon login with the user’s consent to resume normal services.

1. For service development, user analytics, and personalized advertising, the Company collects and uses behavioral information as follows. Such information is used in a non-identifiable manner and is not combined with personal information.

• “Recipient” means the party that collects/processes the behavioral information.

2. Users may also contact the Personal Information Protection Officer in Article 9 to exercise opt-out rights or report issues.

1. The Company designates the following Personal Information Protection Officer who is responsible for overall personal information processing and for handling complaints and remedies related to personal information.

For any inquiries, complaints, or damage relief related to personal information arising during the use of the Company’s services, please contact the officer or the relevant department. The Company will respond without delay.

Data subjects may request access to their personal information pursuant to Article 35 of PIPA through the department below. The Company will endeavor to process access requests promptly.

The Company safely manages users’ personal location information (“PLI”) in accordance with the Act on the Protection and Use of Location Information (the “Location Information Act”).

1. Purpose and Retention of PLI

2. Basis and Retention of Records on Collection/Use/Provision of PLI

3. Procedures and Methods of PLI Destruction

4. Provision of PLI to Third Parties

5. Location Information Manager

6. Rights of Guardians of Children Under 8, etc.

1. The Company promptly handles complaints and grievances related to personal information.

2. For dispute resolution or consultation regarding personal information infringement, data subjects may contact the following organizations:

3. Where a data subject’s rights or interests have been infringed by a disposition or omission by the head of a public institution in response to a request under PIPA Articles 35–37 (access, correction/deletion, suspension), an administrative appeal may be filed pursuant to the Administrative Appeals Act.

1. The Company may anonymize personal and sensitive information collected under Article 1 for statistical analysis to improve and develop services.

2. “Anonymization” means processing information so that individuals are no longer identifiable, taking into account time, cost, and technology, even when using all “reasonably foreseeable means.”

3. Anonymized information that can no longer identify individuals is not subject to PIPA pursuant to Article 58-2 (Exemptions).

1. This Privacy Policy is effective as of Feb 20, 2025.

2. Previous versions are available at the following location: [to be provided].