Privacy Policy

OpenHarbor Co., Ltd. (hereinafter the “Company” or “we”) values the user's personal information and uses its best efforts to protect the user's rights by establishing this Privacy Policy based on relevant laws. This Privacy Policy describes how and why we might collect, store, use, and/or share (“process”) your information when you use the Services such as: visiting the Website; downloading and using the App; or engaging with us in other related ways. Capitalized terms used in this Privacy Policy and not otherwise defined herein shall have the meanings attributed to them in our OpenHarbor Terms and Conditions (the “Terms and Conditions”).

If there are any revisions to this Privacy Policy, we will notify you through announcements on the Website and/or on the App. We may send you individual notices.

Residents of California, Virginia, Colorado, Connecticut, and Utah, please review our Supplemental Privacy Policy.

If you do not agree with this Privacy Policy, please do not use our Services.

Article 1. Personal Information We Collect and How and Why We Do It

We collect the following personal information:

1. Personal information you disclose to us

   We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

   1. Personal Information Provided by You. The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:

      1. Email addresses

   2. Payment Data. In order for you to use our Services, you must sign in with your Google or Apple account and download the App from Google Play or Apple App Store and provide payment information such as your credit card number, and the security code associated with your credit card number, to Google or Apple. All payment data is stored by Google and Apple. We do not collect your payment data or access to such data stored by Google or Apple. For your purchases, we ask Google and Apple to process your payment and Google/Apple provides us with confirmation that your payment has been made. Regarding the privacy policy pertaining to Google Play or Apple App Store payment, please find the links below:

      1. Google: https://www.google.com/policies/privacy/
      2. Apple: https://www.apple.com/legal/privacy/en-ww/

   3. Social Media Login Data. We provide you with the option to register with us using your Google or Apple account details. When you choose to do this, we will receive certain profile information about you from your social media provider. The profile information may include your name, email address and other information you choose to make public on such a social media platform. Regarding the privacy policy of Google and Apple, please find the links below:

      1. Google: https://policies.google.com/privacy
      2. Apple: https://www.apple.com/legal/privacy/en-ww/

   4. Application Data. If you use the App, we may also collect the following information if you choose to provide us with access or permission:

      1. Push Notification. We may request to send you push notifications regarding your account or certain features of the App. If you wish to opt out from receiving these types of communications, you may turn them off in the settings of the Services.
   5. Offering Reward or Money in exchange for Performance. We may have a referral feature, in which if you invite a friend to our Services, your friend may receive a discount on his/her monthly or yearly subscription or receive early access to new investment strategies.
   6. The above information is primarily needed to maintain the security and operation of the App and the Website, for troubleshooting, and for our internal analytics and reporting purposes.
   7. All personal information that you provide to us must be true, complete and accurate and you must notify us of any changes to such information.

2. Information Automatically Collected

   We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (such as your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use the Services, and other technical information. This information is primarily needed to maintain the security and operation of the Services and for our internal analytics and reporting purposes. The information we collect includes:

   1. Log and Usage Data. Log and usage data is service-related, diagnostic, usage, and performance information the Services automatically collect when you access or use the Services and which we record in log files. This log data may include your service access date and time, registration path, IP address, device information, browser type, election of service functions and authorizations, and other settings and information about your activity in the Services.

   2. Cookies. We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store information. Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Notice : [Link to Cookie Notice]

      1. Most Web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. If you choose to remove cookies or reject cookies, this could affect certain features or services of our Services.

3. Information Collected When You Make Inquiries about the Services Through the Website

   1. When you ask questions on the Services you use, you are requested to provide us with your name, email address for the Service account and the details of your inquiry. We also request that, at your option, you provide us with your device information including model and manufacturer, operating system and its version, and your web browser information including browser name and version, mobile browser capability, and display resolution.

Article 2. Processing Information Collected

1. We process your information to:

   1. Facilitate account creation and authentication and otherwise manage user accounts;
   2. Provide, maintain, operate, and improve the Services (including sending alerts about lost or stolen mobile phone);
   3. Utilize data for service analysis;
   4. Respond to your inquiries or offer support to you;
   5. Resolve disputes with you and handling complaints from you; and/or
   6. Fulfill legal obligations and exercise, establish or defend our legal rights.

Article 3. Legal Bases for Processing Information

1. If you are located in the EU or UK, this section applies to you.

   1. The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. As such, we may rely on the following legal bases to process your personal information:

      1. Consent. We may process your information if you have given us permission (i.e., consent) to use your personal information for a specific purpose. You can withdraw your consent at any time.
      2. Performance of a Contract. We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you, including providing our Services or at your request prior to entering into a contract with you.

      3. Legitimate Interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms. For example, we may process your personal information for some of the purposes described in order to:

         - Send users information about special offers and discounts on our products and services;

         - Analyze how our services are used so we can improve them to engage and retain users;

         - Support our marketing activities;

         - Diagnose problems and/or prevent fraudulent activities; and/or

         - Understand how our users use our products and services so we can improve user experience.

      4. Legal Obligations. We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.
      5. Vital Interests. We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as in situations involving potential threats to the safety of any person.
   2. In legal terms, we are generally the Data controller under European data protection laws of the personal information described in this privacy notice, since we determine the means and/or purposes of the data processing we perform. This privacy notice does not apply to the personal information we process as a Data processor on behalf of our customers. In those situations, the customer to whom we provide services and with whom we have entered into a data processing agreement is the Data controller responsible for your personal information, and we merely process your information on their behalf in accordance with your instructions. If you want to know more about our customers' privacy practices, you should read their privacy policies and direct any questions you have to them.

2. If you are located in Canada, this section applies to you.

   1. We may process your information if you have given us specific permission (i.e., express consent) to use your personal information for a specific purpose, or in situations where your permission can be inferred (i.e., implied consent). You can withdraw your consent at any time.

   2. In some exceptional cases, we may be legally permitted under applicable law to process your information without your consent, including, for example:

      1. If collection is clearly in the interests of an individual and consent cannot be obtained in a timely way;
      2. For investigations and fraud detection and prevention;
      3. For business transactions provided certain conditions are met;
      4. If it is contained in a witness statement and the collection is necessary to assess, process, or settle an insurance claim;
      5. For identifying injured, ill, or deceased persons and communicating with next of kin;
      6. If we have reasonable grounds to believe an individual has been, is, or may be a victim of financial abuse;
      7. If it is reasonable to expect collection and use with consent would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;
      8. If disclosure is required to comply with a subpoena, warrant, court order, or rules of the court relating to the production of records;
      9. If it was produced by an individual in the course of their employment, business, or profession and the collection is consistent with the purposes for which the information was produced;
      10. If the collection is solely for journalistic, artistic, or literary purposes; and/or
      11. If the information is publicly available and is specified by the regulations.

Article 4. Sharing Your Personal Information with Third Parties

1. We neither sell nor disclose your personal information to our affiliates or business partners without obtaining your consent.
2. Please understand that we may share your personal information when we determine that it is necessary (i) to comply with any legal obligations, (ii) to fulfill our contractual obligations towards you, (iii) to protect the rights, property, or safety of the Company, our users or others, or (iv) for any other purpose permitted by laws or regulations.
3. The Services may link to third-party websites, online services, or mobile applications and/or contain advertisements from third-parties that are not affiliated with us and which may link to other websites, services or applications. We do not guarantee regarding any such third-parties and we will not be liable for any loss or damage caused by the use of such third-party websites, services or applications. We are not responsible for the safety of any information that you share with third-parties that are not affiliated with our Services. You should review such third-party’s privacy policy.

Article 5. Retention of Your Personal Information

1. We will retain the personal information so long as we reasonably need it to achieve the purposes for which we collected by establishing retention periods based on reasonable criteria. Generally, we do not keep your information for longer than 1 year after the termination of your account. As described above, we delete certain information immediately upon your request or upon withdrawal of your permission to process.
2. In the event any relevant legal claims are brought, we may continue to process your personal information for such additional periods as are necessary in connection with those claims.
3. If there is a need to retain personal information in accordance with applicable laws and regulations (such as tax, accounting, or other legal requirements), we will retain the information for the period specified by the laws.

Article 6. Your Rights

1. Subject to applicable law, you may exercise the following rights regarding the processing of personal information by us:

   1. The right to request access to, or copies of, your personal information;
   2. The right to request correction of any inaccuracies, delete your personal information on legitimate grounds and/or withdraw your consent to processing;
   3. The right to object to the processing of your personal information; and
   4. The right to request suspension of processing.
2. If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your local data protection supervisory authority. You can find their contact details here:
   ‍https://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm
3. If you are located in Switzerland, the contact details for the data protection authorities are available here: https://www.edoeb.admin.ch/edoeb/en/home.html

4. Withdrawing your consent: If we are relying on your consent to process your personal information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can withdraw your consent at any time by contacting us by using the contact details provided in Article 10 (Privacy Officer) below or by updating your preferences.

   1. However, please note that this will not affect the lawfulness of the processing before its withdrawal, nor when applicable law allows, will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
5. Opting out of marketing and promotional communications: You can unsubscribe from our marketing and promotional communications at any time by clicking on the unsubscribe link in the emails that we send, or by contacting us using the details provided in Article 10 (Privacy Officer) below. You will then be removed from the marketing lists. However, we may still communicate with you for example, to send you service-related messages that are necessary for the administration and use of your account, to respond to service requests, or for other non-marketing purposes.
6. You can exercise your rights in the foregoing or ask a question by contacting our privacy officer. The contact information of our privacy officer is provided below.
7. If you are a resident of California, Virginia, Colorado, Connecticut, or Utah, please review our Supplemental Privacy Policy.

Article 7. International Transfer of Personal Information

For the operation of our Services, we may transfer your personal information to countries outside of the country where you are located. When transferring data across borders, we will take measures to comply with applicable laws to safeguard the privacy of your personal information, including obtaining your consent and entering into confidentiality and standard contractual clauses with vendors where appropriate.

Article 8. Destruction of Personal Information

1. When the retention period of collected personal information has expired, or when the personal information becomes unnecessary due to the achievement of the processing purpose, or when you have requested that your personal information be deleted, we will promptly destroy the relevant personal information.
2. If the personal information needs to be retained due to relevant laws and regulations despite the expiration of the retention period or the achievement of the processing purpose, we will transfer the personal information to a separate database or store it in a different storage location for retention.

3. The procedure and method of destroying your personal information are as follows:

   1. Procedure: Personal information will be destroyed in accordance with the strict control procedure approved by our privacy officer in accordance with applicable law.
   2. Methods: Personal information recorded and stored in electronic file format will be irreversibly destroyed to prevent reproduction or recovery. Personal information recorded and stored on paper documents will be shredded or incinerated for destruction.

Article 9. Measures to Ensure the Security of Personal Information

1. We take technical, managerial, and physical measures to ensure the security of personal information in compliance with applicable law:

   1. Establishment and Implementation of Internal Management Plan. We establish and implement an internal management plan that includes the following:

      1. Matters regarding the designation of a privacy officer;
      2. Roles and responsibilities of the privacy officer and personal information handlers;
      3. Matters related to necessary measures for ensuring the security of personal information;
      4. Matters related to training of personal information handlers; and
      5. Other necessary matters for personal information protection.
   2. Access Authorization Management. Access rights to the personal information processing system are granted to employees on a need-to-know basis depending on their duties. In the event of personnel changes, such as transfer or retirement, we promptly change or revoke the access rights to the personal information processing system. The details of authorization, changes, or revocations are recorded and kept for a certain period.
   3. Encryption of Personal Information. Personal information is securely stored and managed through encryption and other security measures. Additionally, important data during the processing of personal information is managed with digital rights management (DRM) or file locking features for added security.
   4. Preservation and Prevention of Unauthorized Modification of Access Logs. Access logs of personal information handlers accessing the personal information processing system are stored for a minimum of 6 months. The access logs are securely stored to prevent tampering, theft, or loss.
   5. Installation and Operation of Security Programs. Security programs, such as antivirus software capable of preventing and treating malicious programs, are installed and operated.
   6. Physical Access Control. Separate physical storage spaces, such as computer rooms and document storage rooms, are designated for storing personal information. Access control is established and enforced for these areas.

Article 10. Privacy Officer

1. The Company has appointed a privacy officer who is responsible for overseeing the processing of personal information and handling complaints and remediation related thereto.

   Privacy Officer

   A. Data Controller: OpenHarbor Inc.
   B. Privacy Officer: Kyongdon Kim
   C. Personal Information Department: CEO

2. The Company has appointed a privacy officer who is responsible for overseeing the processing of personal information and handling complaints and remediation related thereto.
3. You may contact the privacy officer and the relevant department regarding any inquiries, complaints, or remedial measures related to the protection of your personal information in connection with the Services. The Company will respond to and handle your inquiries promptly.

4. If you would like to ask any questions, lodge complaints or receive additional information on our Privacy Policy, please visit our Website at https://www.openharbor.finance or email us at general@openharbor.finance, or write to us at:

   • OpenHarbor Inc.
   • L134, L1F, SparkPlus COEX, 524, Bongeunsa-ro, Gangnam-gu, Seoul, Republic of Korea (06164)

Article 11. Minors

We do not knowingly collect personal information from children under the age of 18 or knowingly allow such persons to register for the Services. The Services are not directed at children under the age of 18. By accepting the Terms and Conditions you represent and warrant to us that you are at least 18 years old. If we become aware that personal information has been collected from a child under the age of 18, we will immediately delete the relevant information. If you become aware of any data we may have collected from children under age 18, please contact us at general@openharbor.finance.

Article 12. Controls for Do-not-track Features

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this privacy notice.

Article 13. Changes to Privacy Policy

This Privacy Policy is effective as of the date indicated on the first page. We may update this Privacy Policy from time to time. In the event of additions, deletions, or modifications to its contents, the Company will notify users through the Website and the App no later than 14 calendar days prior to the implementation of such changes. However, if we believe in our sole and absolute discretion that a change is material, we shall notify users at least 30 calendar days in advance.

Supplemental Privacy Policy

For California Residents

This Supplemental Privacy Policy applies only to information collected about individuals residing in California (“Consumer(s),” “you,” “your”) and supplements the information contained in the Privacy Policy. It provides information required under the California Consumer Privacy Act of 2018 and as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA”) and any and all regulations arising therefrom.

Definitions Specific to this Supplemental Privacy Policy

1. “Consumer” means a natural person who resides in California and to whom we offer Services.
2. “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or household. Personal Information also includes “Sensitive Personal Information,” as defined below. Personal Information does not include publicly available information from government records, de-identified or aggregated consumer information or information excluded from the CCPA’s scope, such as health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.
3. “Sensitive Personal Information” means Personal Information that reveals a Consumer’s: 1) Social security, driver’s license, state identification card, or passport number; 2) Account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials allowing access to the individual’s account; 3) Precise geolocation; 4) Racial or ethnic origin; 5) Religious beliefs; 6) Union membership; 7) Contents of email or text messages, unless we are the intended recipient; 8) Genetic data; 9) Biometric information used to uniquely identify the Consumer, and 10) Health, sex life, or sexual orientation.
4. “Third Party” means a person or organization which is not a Consumer, Vendor, or an entity owned or controlled by us.
5. “Vendor” means a “service provider,” “contractor,” or “processor” which collects, stores, or otherwise handles data for us.
6. Other terms used in this Supplemental Privacy Policy may be defined under the CCPA and they shall have the meanings described in the CCPA.

The Personal Information We Collect and Disclose

1. The charts below show the categories of Personal Information we collected within the last twelve (12) months; examples of Personal Information in each category; types of Personal Information we may collect; types of sources from which each category of Personal Information is collected; the business purposes for which each category of Personal Information is collected; and the types of Vendors or Third parties with whom that category of Personal Information is shared. As these charts show, we may share Personal Information to Third Parties or disclose certain Personal Information to Vendors for business purposes.

Sensitive Personal Information We Collect and Disclose

1. We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
2. As indicated in the above charts, we may disclose your personal information to Vendors or third parties for a business purpose. When we disclose personal information for business purposes, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.
3. In the preceding twelve (12) months, we have not sold any personal information.

Retention of Your Personal Information

1. We will retain personal information so long as we reasonably need it to achieve the purposes for which we collected by establishing retention periods based on reasonable criteria. Generally we do not keep your information for longer than 1 year after the termination of your account. As described above, we delete certain information immediately upon your request or upon withdrawal of your permission to process.
2. In the event any relevant legal claims are brought, we may continue to process your personal information for such additional periods as are necessary in connection with those claims.
3. If there is a need to retain personal information in accordance with applicable laws and regulations (such as tax, accounting or other legal requirements), we will retain the information for the period specified by the laws.

Your Rights to Your Personal Information

1. Consumers have certain rights with respect to the collection and use of their Personal Information. As required by the CCPA, we provide detailed information below regarding the data subject rights available to Consumers.

2. Right to Receive Information on Privacy Practices. You have the right to receive the following information at or before the point of collection:

   1. The categories of Personal Information to be collected;
   2. The purposes for which the categories of Personal Information are collected or used;
   3. Whether or not that Personal Information is sold or shared with Third Parties or disclosed to Vendors;
   4. If the business Collects Sensitive Personal Information, the categories of Sensitive Personal Information to be collected, the purposes for which it is Collected or used, and whether that information is sold or shared; and
   5. The length of time the business intends to retain each category of Personal Information, or if that is not possible, the criteria used to determine that period.

   We have provided such information in this Supplemental Privacy Policy and the main Privacy Policy. You may request further information about our privacy practices by contacting us at the contact information provided in the main Privacy Policy.

3. Right to Access to Specific Information and Data Portability. You have the right to request certain information regarding the Personal Information we have collected about you over the past 12 months.

   You have the right to request:

   1. Specific pieces and categories of Personal Information we collected about you;
   2. The categories of sources from which Personal Information was collected;
   3. The purposes for which Personal Information was collected, shared, sold, or processed;
   4. The categories of Personal Information we shared, sold or disclosed; and
   5. The categories of Vendors or Third Parties with whom we shared, sold or disclosed Personal Information.

   We will provide a copy of Personal Information we have collected about you in a portable and, to the extent technically feasible, readily usable format.

4. Right to Delete Your Personal Information. You have the right to request that we delete certain Personal Information that we have collected. Once we receive and confirm your verifiable customer request, we will delete (and direct our Vendors to delete) your Personal Information, unless an exception applies.
5. Right to Correct Your Inaccurate Personal Information. You have a right to request that we correct any inaccurate Personal Information we may retain about you. Once we receive and confirm your verifiable customer request, we will correct the Personal Information we have, unless an exception applies.
6. Right to Limit the Use and Disclosure of Your Sensitive Personal Information. You have the right to instruct us to limit the use and disclosure of your Sensitive Personal Information to only that which is necessary to perform the Services reasonably expected by an average Consumer or for specific business purposes defined by applicable law. However, we do not use Sensitive Personal Information for purposes other than those specified in the CCPA.

How to Exercise Above Rights

1. To exercise the rights described above, please submit a verifiable consumer request to us by email at general@openharbor.finance or by visiting our Website at https://www.openharbor.finance. Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your Personal Information. You may also make a verifiable consumer request on behalf of your minor child. You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

   1. Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
   2. Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
2. We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request, confirm the personal information relates to you or if there is a conflict with our own obligations to comply with other legal or regulatory requirements. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
3. We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time, we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to the email you provided to us. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable.
4. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Non-discrimination

We will not discriminate against you for exercising these rights. Unless permitted by the CCPA, we will not deny you the use of our Services or provide you with a different level or quality of Services.

Personal Information of Minors

Our Service is not intended for children or minors under the age of 18 years. Accordingly, we do not knowingly store information from minors under the age of 18 years except as required pursuant to applicable law. If you believe that a child has submitted personal information to us, please contact us at general@openharbor.finance or by visiting our Website at https://www.openharbor.finance and we will delete the information.

Changes to Our Supplemental Policy

The Company reserves the right to amend this Supplemental Privacy Policy at our discretion and at any time. When we make changes to this Supplemental Privacy Policy, we will post an updated policy on our website with the revised date.

Additional Information

If you would like additional information regarding our Supplemental Privacy Policy, please visit our Website at https://www.openharbor.finance or email us at general@openharbor.finance or write to us at:

• OpenHarbor Inc.
• L134, L1F, SparkPlus COEX, 524, Bongeunsa-ro, Gangnam-gu, Seoul, Republic of Korea (06164)

For Residents of Virginia, Colorado, Connecticut, Utah

The above Supplemental Privacy Policy applies also to information collected about individuals residing in Colorado, Virginia, Utah, or Connecticut (“Consumer(s),” “you,” “your”) as modified or supplemented by state-specific requirements under the Colorado Privacy Act of 2021 (the “CPA”), the Virginia Consumer Data Protection Act of 2021 (the “VCDPA”), the Utah Consumer Privacy Act of 2022 (the “UCPA”), and the Connecticut Data Privacy Act of 2022 (“CDPA”) and any and all regulations arising therefrom.

The definition of “Personal Information” above includes “personal data” as that term is defined in the CPA, VCDPA, UCPA, and CDPA.

The definition of “Sensitive Personal Information” above includes “sensitive personal data” as that term is defined in the CPA, VCDPA, UCPA, and CDPA.

The definition of “Third Party” above also has the meaning as defined in the CPA, VCDPA, UCPA, and CDPA.

“Service provider,” “contractor,” or “processor” also have the respective meanings as defined in the CPA, VCDPA, UCPA, and CDPA.

Other terms used in this Supplemental Privacy Policy may be defined under the CPA, VCDPA, UCPA, and CDPA and they shall have the meanings described in those statutes. If there are variations between such definitions in different laws, you will be covered by the definition that applies in your state.

Regarding your request to access specific information and data portability, we may not disclose certain information that is covered by one or more exemptions as outlined in the CPA, VCDPA, UCPA, and CDPA, as applicable.

For Residents of Virginia, Colorado and Connecticut, you have the right to appeal our decision if we deny your data request. We will respond to appeals within 45 days. If you would like to appeal a decision regarding your data request, please visit our Website at https://www.openharbor.finance or email us at general@openharbor.finance or write to us at:

• OpenHarbor Inc.
• L134, L1F, SparkPlus COEX, 524, Bongeunsa-ro, Gangnam-gu, Seoul, Republic of Korea (06164)