Aura Law Office (hereinafter referred to as the "Law Office") establishes and discloses this Privacy Policy in accordance with Article 30 of the Personal Information Protection Act to protect the personal information of data subjects and to promptly and smoothly handle related complaints.

Article 1 (Items of Personal Information Collected)

The Law Office collects the following personal information for the provision and management of services.

① Through the website consultation request form, the following mandatory information is collected: name, mobile phone number, type of legal matter (foreigner, family, criminal, civil), and consultation details.

② During the use of services, information such as IP address, cookies, device information, date and time of visit, and service usage records may be generated and collected.

Article 2 (Methods of Collecting Personal Information)

The Law Office collects personal information through the following methods.

① Personal information directly entered by users is collected through the consultation request form on the website (www.lawfirmaura.com).

② Device information, access records, and similar information may be automatically generated and collected during the use of the PC website and mobile website.

Article 3 (Purpose of Collection and Use of Personal Information)

The Law Office uses the collected personal information for the following purposes. The collected personal information will not be used for any purpose other than those listed below, and if the purpose of use changes, necessary measures, including obtaining separate consent, will be taken in accordance with Article 18 of the Personal Information Protection Act.

Provision of Case and Consultation Services [Required Consent]

Purpose of Collection: Responding to consultation requests, confirming consultation intent and identity verification, contacting users regarding service information, performing and managing cases related to clients, providing updates and results of cases, tax reporting, and other customer management activities.

Items Collected: Name, mobile phone number, type of legal matter, consultation details, and case-related information.

Retention and Use Period: Five (5) years after case completion or for the retention period required under relevant laws such as the Attorney-at-Law Act.

Right to Refuse Consent and Disadvantages

You have the right to refuse consent to the collection and use of your personal information. However, if you refuse consent to the required items, consultation and case-related services may be restricted.

Article 4 (Retention and Use Period of Personal Information)

In principle, the Law Office destroys personal information without delay once the purpose of collection and use has been achieved. However, the following information will be retained for the periods specified by applicable laws and regulations.

Records regarding contracts or withdrawal of subscriptions: 5 years (Act on Consumer Protection in Electronic Commerce, etc.)

Records regarding payment and supply of goods or services: 5 years (Act on Consumer Protection in Electronic Commerce, etc.)

Records regarding consumer complaints or dispute resolution: 3 years (Act on Consumer Protection in Electronic Commerce, etc.)

Records regarding visits (logs): 3 months (Protection of Communications Secrets Act)

Article 5 (Destruction of Personal Information)

The Law Office destroys personal information without delay once the retention and use period specified in Article 4 has expired. The procedures and methods of destruction are as follows.

Destruction Procedure: Information entered by users is destroyed immediately after the purpose has been achieved. However, items required to be retained by law are separately managed and destroyed after the applicable retention period has elapsed. Such personal information will not be used for any purpose other than the purpose of retention unless required by law.

Destruction Method: Personal information recorded and stored in electronic file form is permanently deleted in a manner that prevents recovery, while personal information recorded and stored on paper documents is destroyed by shredding or incineration.

Article 6 (Provision of Personal Information)

In principle, the Law Office does not provide personal information to third parties. However, exceptions are made only in the following cases.

Where the user has directly consented to the provision of personal information.

Where a legal obligation to submit information arises under applicable laws.

Where an investigative agency requests information in accordance with procedures and methods prescribed by law for investigative purposes.

Article 7 (Rights and Obligations of Data Subjects and Methods of Exercise)

① Data subjects may exercise the following rights related to personal information protection at any time with respect to the Law Office.

Access to personal information.

Correction of errors, if any.

Deletion.

Suspension of processing.

② The rights under Paragraph 1 may be exercised in writing, by telephone, email, or other means, and the Law Office will take action without delay.

③ The rights under Paragraph 1 may be exercised through a legal representative or an authorized agent. In such cases, a power of attorney in the form prescribed by Appendix Form No. 11 of the Enforcement Rules of the Personal Information Protection Act must be submitted.

④ The Law Office may verify whether the person requesting access, correction, deletion, or suspension of processing is the data subject or a duly authorized representative.

⑤ Personal information deleted at the request of the user or legal representative will be processed in accordance with Article 4 and will not be viewed or used for any other purpose.

⑥ Requests for access to personal information and suspension of processing may be restricted under Article 35(5) and Article 37(2) of the Personal Information Protection Act. Requests for correction and deletion may also be restricted where the relevant personal information is required to be collected under other laws.

Article 8 (Measures to Ensure the Security of Personal Information)

In accordance with Article 29 of the Personal Information Protection Act, the Law Office implements the following technical, administrative, and physical measures necessary to ensure the security of personal information.

Administrative Measures: Establishment and implementation of internal management plans, regular personal information protection training, etc.

Technical Measures: Access control and management of access rights to personal information processing systems (including website administrator pages), installation of security programs, etc.

Physical Measures: Use of locking devices and access controls to ensure the safe storage of documents and storage media containing personal information.

Article 9 (Chief Privacy Officer)

① The Law Office designates the following person as the Chief Privacy Officer, who is responsible for overseeing personal information processing and handling complaints and remedies related to personal information protection.

Chief Privacy Officer: Sanghyun Kim

Contact Information: +82-2-6382-7700 / aura@lawfirmaura.com

② Data subjects may contact the above contact information regarding all inquiries, complaints, and requests for remedies related to personal information protection arising from the use of the Law Office’s services. The Law Office will respond promptly to such inquiries.

Article 10 (Request for Access to Personal Information)

Data subjects may request access to their personal information pursuant to Article 35 of the Personal Information Protection Act. The Law Office will make every effort to ensure that such requests are processed promptly.

For requests and inquiries regarding access to personal information, please contact:

Address: Room 1023, 10th Floor, 7 Beopwon-ro 11-gil, Songpa-gu, Seoul, Republic of Korea (Munjeong-dong, Munjeong Hyundai Knowledge Industry Center Building C 1-2)

Telephone: +82-2-6382-7700

Email: aura@lawfirmaura.com

Article 11 (Methods of Remedy for Infringement of Rights)

Users may contact the following institutions for remedies related to personal information infringement.

Institution Service Website Telephone

Personal Information Infringement Report Center Reporting personal information infringement and consultation privacy.kisa.or.kr 118

Personal Information Dispute Mediation Committee Dispute mediation and collective dispute mediation www.kopico.go.kr 1833-6972

Supreme Prosecutors' Office Cyber Crime Investigation Division Cybercrime investigation and complaint reception www.spo.go.kr 1301

National Police Agency Cyber Bureau Cybercrime investigation and complaint reception ecrm.cyber.go.kr

Article 12 (Notification of Changes to the Privacy Policy)

If additions, deletions, or corrections are made due to changes in laws, policies, or technologies, notice will be provided through the website (www.lawfirmaura.com) announcements at least seven (7) days prior to the effective date of such changes.

※ This Policy shall take effect on June 8, 2026.