Stronghold Robotics Co., Ltd. (hereinafter referred to as the “Company”) securely handles and protects personal information of users in accordance with relevant laws*. Through this Privacy Policy, the Company facilitates the smooth handling of users’ complaints and informs users about the safe management of their personal information. The content of this Privacy Policy applies to the service provided by the Company, namely Boost (boost.stronghold.coffee, hereinafter referred to as the “Service”).

* Relevant laws: Personal Information Protection Act, Credit Information Act, Electronic Financial Transactions Act, Electronic Commerce Act, Electronic Signature Act, Information and Communications Network Act, etc.

1. Purpose of Processing Personal Information

The Company processes personal information for the following purposes. Personal information being processed is not used for purposes other than the following, and if the purpose changes, necessary actions such as obtaining separate consent will be carried out.

• Membership registration and management
  We process personal information for purposes such as confirming intent to register, identity verification and authentication for member service provision, maintaining membership status, preventing misuse of services, verifying legal representative consent for processing personal information of children under 14, various notifications, and handling complaints.

• Provision of Roastery services
  We process personal information to provide Roastery services, where posts can be registered in the virtual space offered by the service, or other members can be invited to the Roastery to view posts together.

• Service improvement and analysis
  We process personal information for service use analysis, demographic analysis, and service improvement.

• Promotion of services and solicitation of product sales
  The Company processes personal information to promote existing and new services and to solicit product sales to customers.

• Provision of customized advertisements
  We process personal information to provide customized advertisements based on users’ interests.

2. Categories of Personal Information Processed

The Company collects the minimum amount of personal information necessary for the smooth provision of services.

• Personal information processed without the consent of the data subject
  The Company processes the following personal information items without the consent of the data subject in order to operate member services pursuant to the service use contract.

  • Legal basis: Article 15 (1) (4) of the Personal Information Protection Act (‘Performance of Contract’)

  • Items collected/used: ID (email address), password, name, nickname, nationality

• Personal information processed with the consent of the data subject

  • If users agree to the collection of personal information during the service use process and input information directly, the Company processes the following personal information items with the data subject’s consent in accordance with Article 15 (1) (1) of the Personal Information Protection Act.

  • Provision of Roastery services

    • Items collected/used: Product information (Roaster model, Roaster serial number, system error information)

  • Service improvement and analysis

    • Items collected/used: Occupation

  • Processing personal information for service promotion and solicitation of product sales

    • Items collected/used: Name, date of birth, address, phone number, email address, details of interested products

  • Processing personal information for provision of customized advertisements

    • Items collected/used: Website visit/use history

• Additional personal information may be collected in the process of reporting or filing complaints through the customer center. If additional personal information is collected, we provide notice and obtain consent for the ‘items of personal information collected, the purpose of collecting and using personal information, and the retention period’ at the time of collection.

• Additionally, during the service use process, information such as IP address, cookies, visit date and time, service use history, device ID, device model name, OS name, OS version, app version, etc. may be automatically generated and collected.

※ Processing of Pseudonymized Information

The Company utilizes collected personal information processed under a pseudonym in accordance with Article 28-2 of the Personal Information Protection Act for purposes such as statistics, scientific research, and preservation of public interest records, ensuring that specific individuals are not identifiable, as follows.

▶ Measures to Ensure Safety of Pseudonymized Information

- Administrative measures: Establish and implement internal management plans for pseudonymized information, regular employee training, etc.

- Technical measures: Separate storage of pseudonymized information and additional information, destruction of additional information when unnecessary, installation of access control systems to separate access permissions to pseudonymized and additional information, and related protective measures, storage and inspection of processing records and access records of pseudonymized information, installation of security programs, etc.

- Physical measures: Access control of computer rooms, document storage rooms, etc. where pseudonymized information is stored

※ Additional Information

The use of essential personal information for introducing new services, new products, or event information, and prize delivery will only be possible if the user has individually agreed to its receipt.

3. Provision of Personal Information to Third Parties

• The Company may provide personal information to related agencies without the consent of the data subject under the following circumstances.

4. Personal Information Processing and Retention Period, and Destruction

The Company processes and retains personal information for the retention and usage period agreed to when collecting personal information or in accordance with relevant legal provisions.

The retention and processing periods for each personal information item are as follows.

• Personal information collected for membership registration and management: Until membership withdrawal, but inter-member messages are deleted on the 1st of every month after 2 months from withdrawal.

• Personal information collected for providing Roastery services: Until membership withdrawal for Roastery owners, and until Roastery deletion for participants.

• Personal information collected for service improvement and analysis: Until membership withdrawal.

• Personal information collected for service promotion and solicitation of product sales: Until consent withdrawal/membership withdrawal.

• Personal information collected for providing customized advertisements: 3 months from the date of collection.

Boost will promptly destroy personal information when the retention period has expired or the purpose of collection and use is achieved, among other reasons for unnecessary use.

The Company will retain and destroy the following information according to internal policies after a period:

• Records of abnormal service use (records of service use with anomalies in violation of laws, Terms of Use, or internal policies that led to service restrictions by the Company)

  • Items retained: ID (email address)

  • Reason for retention: Prevention of fraudulent registration and use

  • Retention period: 5 years from the date of membership withdrawal

The Company retains user information for a specified period when necessary, in accordance with related laws:

• Records of contracts or withdrawal of subscription, etc.: 5 years (Act on Consumer Protection in Electronic Commerce)

• Records of payment and supply of goods, etc.: 5 years (Act on Consumer Protection in Electronic Commerce)

• Records of electronic financial transactions: 5 years (Electronic Financial Transactions Act)

• Records of consumer complaints or dispute resolutions: 3 years (Act on Consumer Protection in Electronic Commerce)

• Website visit records: 3 months (Communications Secret Protection Act)

The specific procedures and methods for the destruction of personal information are as follows.

• Destruction procedure
  The Company selects personal information subject to destruction due to arising reasons and destroys the personal information after receiving approval from the Company’s personal information protection officer.

• Destruction method
  Personal information printed on paper is shredded or incinerated, and personal information stored in electronic files is deleted by using technical methods to make it irrecoverable.

5. Matters Concerning Automatic Personal Information Collection Devices

Boost operates cookies that store and retrieve user information from time to time. Cookies are very small text files sent to your browser by the server used in operating the website and are stored on the hard disk of your computer.

Boost uses cookies for the following purposes:

• Collecting information about members’ language preferences and using it to enhance the convenience of website use.

Users have the option to allow cookie installation. Therefore, users can set options in their web browser to allow all cookies, confirm each time cookies are stored, or refuse to store all cookies.

Allow/block cookies in web browsers

• Chrome: Web browser settings > Privacy and security > Clear browsing data

• Edge: Web browser settings > Cookies and site permissions > Manage and delete cookies and site data

Allow/block cookies in mobile browsers

• Chrome: Mobile browser settings > Privacy and security > Clear browsing data

• Safari: Mobile device settings > Safari > Advanced > Block all cookies

• Samsung Internet: Mobile browser settings > Internet usage history > Clear browsing data

6. Measures to Ensure the Safety of Personal Information

The Company secures the safety of personal information from loss, theft, leakage, alteration, or damage by implementing the following technical measures.

• Encryption of personal information
  User personal information is protected by a password, and important data is protected by separate security features through data file encryption or file lock functions.

• Technical measures against hacking
  We ensure security by using intrusion prevention systems and vulnerability analysis systems on each server to guard against external intrusions like hacking, etc.

• Minimization and training of personal information handling staff
  The Company limits access to user personal information to a minimum number of personnel, which includes the following:

  • Personnel engaged in direct marketing tasks with users

  • Persons in charge of and responsible for personal information management, etc.

  • Those whose handling of personal information is unavoidable due to specific tasks

• The Company is not responsible for issues arising from user ID or password leakage due to the user's negligence or internet issues.

7. Methods for Exercising Rights and Obligations of Data Subjects and Legal Representatives

• Users can view or modify, delete their personal information at any time on the website, and can also request access to their personal information.

• Users can request the suspension of processing of personal information at any time, and requests for suspension of processing may be rejected in cases of special legal provisions.

• Users can withdraw their consent to the Privacy Policy at any time, but it may cause difficulties in using the services.

• Users can withdraw their consent for personal information collection and use at any time by withdrawing membership, etc.

• When the Company needs consent for processing personal information of children under 14, consent is obtained from the legal representative of the child.

• When obtaining consent from a legal representative for the personal information processing of children under 14, the Company may request minimal information like the legal representative's name and cell phone number and confirms the indication of consent through a text message to the legal representative’s cell phone regarding the consent information posted on the website.

• The legal representative has the right to view, modify, delete, suspend processing, and withdraw consent for the collection and use of personal information of a child under 14.

• If a user requests correction of errors in personal information, the Company will not use or provide the related personal information until the correction is completed. If incorrect personal information has been provided to a third party, the Company will promptly notify the third party of the correction results to ensure proper rectification.

• The rights of users and legal representatives may be requested through inquiries to the personal information protection officer and responsible personnel.

8. Personal Information Protection Officer and Responsible Personnel

Users can report any personal information protection-related complaints that occur while using the services to the personal information protection officer or the responsible department. The Company ensures prompt and sufficient responses to users’ reports.

Personal Information Protection Officer
 Department: Operations Management Headquarters
Position: Head of Headquarters
Name: Sung Hyun Eom
Email: eom@stronghold.kr

Customer Service Center
Email: help@stronghold.kr
Telephone: 1600-3263
Fax: 02-2188-7530
Address: 1157 Beoman-ro, Geumcheon-gu, Seoul

For other reports or consultations on personal information infringement, please contact the following organizations:

• Personal Information Dispute Mediation Committee 1833-6972 (without area code) (www.kopico.go.kr)

• Personal Information Infringement Reporting Center (privacy.kisa.or.kr / without area code 118)

• Supreme Prosecutors’ Office Cybercrime Investigation Department (www.spo.go.kr / without area code 1301)

• Cyber Investigation Bureau of the Police Agency (police.go.kr / without area code 182)

9. Obligations Before Amendments

• If there are additions, deletions, or modifications to the content of this Privacy Policy, we will provide prior notice on the website notice board and via email at least 7 days before the amendment.

• If there is a significant change affecting user rights, such as changes to the collection items or purposes of use of personal information, it will be notified at least 30 days in advance, and user consent may be reacquired if necessary.

• Announcement and Effective Date of this Privacy Policy

  • Announcement Date: June 20, 2025

  • Effective Date: June 30, 2025

10. Processing of Personal Information in the EU

• The Company complies with GDPR regulations, and personal information is processed based on the following under GDPR: (1) consent of the data subject, (2) performance of a contract, (3) compliance with legal obligations, (4) protection of vital interests of the data subject, (5) public interest tasks, (6) legitimate interests of the Company or third party that do not infringe the fundamental rights and freedoms of the data subject.

• The data subject is entitled to exercise the following rights.

  • Right to Information (Articles 12-14 GDPR): The data subject has the right to be provided with clear and concise information about who, what, and for what purposes their personal data is being used.

  • Right of Access (Article 15 GDPR): The data subject has the right to receive confirmation from the controller about whether their personal data is being processed.

  • Right to Rectification (Article 16 GDPR): The data subject has the right to request the controller to correct inaccurate personal data related to them.

  • Right to Erasure (Article 17 GDPR): The data subject has the right to request the erasure of their personal data from the controller.

  • Right to Restriction of Processing (Article 18 GDPR): The data subject has the right to block or restrict the processing of their personal data.

  • Right to Data Portability (Article 20 GDPR): The data subject has the right to receive the personal data they provided to the controller in a structured, commonly used format, and have the right to request the transfer of that data to another controller.

  • Right to Object (Article 21 GDPR): The data subject has the right to object to the processing of their personal data.

• Requests for exercising rights can be made through the website or via email to the personal information protection officer and responsible personnel. The Company will provide information regarding actions taken in response to requests to exercise rights to the data subject within one month of receiving the request, which can be extended for an additional two months if necessary. Requests are processed after verifying the identity, and grievances can be filed with supervisory authorities.