APIXORA Privacy Policy

The Company processes personal information for the following purposes, and the personal information processed shall not be used for any purpose other than the relevant purpose. Where the purpose of use is changed, the Company shall implement necessary measures, such as obtaining separate consent, in accordance with Article 18 of the Personal Information Protection Act.

1. Membership registration and management: Creating member accounts, identifying and authenticating individuals, maintaining and managing membership status, reviewing company-based registration and obtaining administrator approval, preventing fraudulent use, and delivering various notices and communications.

2. Matching and facilitation: Delivering requests for quotation (RFQ), anonymous matching, facilitating sourcing, technical inquiries, and sample coordination between suppliers and buyers, and processing the disclosure of identities at the point of transaction consent.

3. Sending notifications: Sending notifications regarding transaction progress, quotations and proposals, message receipt, and the like through email, in-app (within the Service), and SMS channels. In such cases, mobile phone numbers are collected and used for the purpose of direct contact (telephone) by operators and the sending of SMS (including international SMS).

4. Transaction and settlement processing: Tracking transaction progress status, processing transaction documents such as PI/PO, supporting the conclusion of standard transaction agreements, and billing and settling service commissions (service commissions are charged on a per-project basis and are individually notified to the relevant party).

5. Regulatory support: Performing support work for regulatory procedures related to overseas manufacturing site registration (KDMF) and the Ministry of Food and Drug Safety (MFDS).

The Company collects and processes the following categories of personal information in order to provide the Service.

1. Member (representative) information: Email, password (stored in encrypted form), full name, department, job title, and mobile phone number (in the E.164 international standard format).

2. Affiliated company information (to the extent processed in combination with the representative's personal information): Company name, business registration number (or an equivalent registration number), and country (ISO 3166-1 country code).

3. Information automatically generated and collected in the course of using the Service: Access date and time, access IP address, cookie and session identifiers, Service usage records, and notification opt-in settings.

Passwords are stored using one-way encryption (hashing) in a manner that cannot be decrypted, and no one, including the Company, can identify the original text.

The Company processes and retains personal information within the retention and use period prescribed by law or within the retention and use period to which the data subject consented at the time of collecting personal information from the data subject.

1. Member information: Retained until the member withdraws from membership or until the termination of the service use agreement of the company to which the member belongs, and destroyed without delay upon the occurrence of such grounds. However, the minimum information necessary for purposes such as preventing fraudulent use and responding to disputes may be retained until the relevant dispute is concluded.

2. Transaction and settlement-related records: Retained for the period prescribed by applicable laws such as the Act on the Consumer Protection in Electronic Commerce, Etc. and the Value-Added Tax Act (e.g., records relating to contracts and withdrawal of offers, records relating to payment and the supply of goods, and other statutory retention periods).

Personal information for which the retention period has elapsed or the processing purpose has been achieved is destroyed in accordance with Article 21 of the Personal Information Protection Act. Information in the form of electronic files is permanently deleted using a method that renders recovery and reproduction impossible, and paper documents are shredded or incinerated.

The Company processes the personal information of data subjects only within the scope specified in Article 1, and provides personal information to third parties only in cases falling under Articles 17 and 18 of the Personal Information Protection Act, such as the consent of the data subject or special provisions of law.

APIXORA operates through an anonymous matching method, and for a matched transaction, the Company provides the following information to the counterparty of the transaction at the point when the data subject consents to the transaction: company name, representative (full name, department, job title), and contact information (email and mobile phone number).

The above disclosure of identity is made to the extent necessary for the progress of the transaction and for direct negotiation and conclusion of contracts between the parties, and is conditioned upon the data subject's consent to the transaction. Otherwise, the Company does not provide personal information externally without the data subject's consent.

The Company outsources personal information processing tasks to external specialized providers (processors) as follows in order to provide the Service smoothly.

1. Cloud infrastructure (database, authentication, storage) hosting: Supabase — the outsourced task is the storage and management of Service data, and the data is processed in the Seoul (Republic of Korea) region.

2. Application deployment and hosting: Vercel — the outsourced task is the deployment and operation of the Service application.

3. Email delivery: Resend — the outsourced task is the sending of notification and notice emails.

4. SMS delivery: Solapi — the outsourced task is the sending of notification and direct-contact SMS (including international SMS).

5. AI interpretation (multilingual translation of messages) processing: Vercel AI Gateway — the outsourced task is the multilingual interpretation processing of messages between the parties.

When concluding an outsourcing agreement, the Company specifies in documents such as the contract, in accordance with Article 26 of the Personal Information Protection Act, matters concerning the prohibition of processing personal information for purposes other than performing the outsourced task, measures to ensure security, restrictions on re-outsourcing, management and supervision of the processor, and liability such as damages, and supervises whether the processor processes personal information safely. In the event of any change to the content of the outsourced task or the processor, the Company shall disclose such change through this Policy.

Personal information may be processed overseas in the course of certain outsourced processing, such as cloud infrastructure. While the Company is configured to process core Service data in the Seoul (Republic of Korea) region, personal information may be transferred overseas due to the nature of the infrastructure operations of certain processors handling deployment, email, SMS, and AI interpretation.

In such cases, the Company notifies the data subject of the items transferred, the country, timing, and method of transfer, the recipient of the transfer, the purpose of use, and the retention period, among other matters, and implements necessary protective measures in accordance with applicable laws such as Article 28-8 of the Personal Information Protection Act.

A data subject may exercise the following rights against the Company at any time.

1. The right to request access to personal information; 2. The right to request correction in the event of errors or the like; 3. The right to request deletion; 4. The right to request suspension of processing.

The exercise of rights may be made to the Company (the chief privacy officer or the responsible department) in writing, by email, or by other means, and the Company shall take action thereon without delay.

Where a data subject has requested the correction or deletion of an error in personal information, the Company shall not use or provide the relevant personal information until the correction or deletion is completed. However, where the personal information is specified as a subject of collection under other laws, the Company may be unable to comply with the request for deletion.

The exercise of rights may also be made through an agent, such as the data subject's legal representative or a duly authorized person, in which case a power of attorney must be submitted.

The Company uses cookies and sessions to maintain member login status and to provide the Service. Cookies are stored in the member's browser when the Service is used, and are used for purposes such as maintaining authentication status, ensuring security, and providing usage convenience.

A data subject may refuse to store, or may delete, cookies through the web browser settings. However, if the data subject refuses to store cookies and sessions that are essential for authentication, there may be restrictions on the use of the Service, such as logging in.

In accordance with Article 29 of the Personal Information Protection Act, the Company takes the following technical, administrative, and physical measures necessary to ensure security.

1. Administrative measures: Establishment and implementation of an internal management plan, minimization of access privileges, and regular inspections.

2. Technical measures: One-way encryption (hashing) storage of passwords, management of data access privileges, encryption of transmission sections (HTTPS), and access control and role-based access control for the database.

3. Physical measures: Physical access control through the data center security systems of the cloud infrastructure processors.

The Company designates a chief privacy officer as set out below to take overall responsibility for tasks related to the processing of personal information and to handle data subjects' inquiries and complaints and provide remedies for damages in connection with the processing of personal information.

Chief Privacy Officer: Cell TheraOn Chief Privacy Officer (operator of APIXORA).

Contact (email): contact@apixora.com.

A data subject may direct to the chief privacy officer all inquiries, complaint handling, and matters concerning remedies for damages relating to personal information protection that arise while using the Service, and the Company shall respond to and process the data subject's inquiries without delay.

A data subject may apply to the following organizations for dispute resolution, consultation, or the like in order to obtain redress for the infringement of personal information.

1. Personal Information Dispute Mediation Committee: 1833-6972 (no area code) (www.kopico.go.kr)

2. Personal Information Infringement Report Center: 118 (no area code) (privacy.kisa.or.kr)

3. Cyber Investigation Division, Supreme Prosecutors' Office: 1301 (no area code) (www.spo.go.kr)

4. National Police Agency Cyber Investigation Bureau: 182 (no area code) (ecrm.police.go.kr)

This Policy applies from its effective date. Where there are additions, deletions, or corrections to the content due to changes in laws, policies, or security technologies, the Company shall notify the reasons for and content of the change through the notices section within the Service from seven (7) days before the effective date of the change.

However, where a material change to the rights of data subjects occurs, the Company shall provide notice thirty (30) days before the effective date and may, where necessary, obtain the data subject's consent again.

The authoritative version of this Policy is the Korean version, and in the event of any conflict with a translated version, the Korean version shall prevail.