Article 1 Items of Collected Personal Information and a Method of Collection

The company deals with the following items of personal information.

1. Homepage Membership and Management.

   [Mandatory items] ID, password, name, date of birth, email & mobile phone number, Personally Identifiable Number (CI), Gender

2. Tagless Member Management : Items collected when using the tag-less service.

   [Mandatory items] Mobile Phone Number

3. Ticket Reservation, Issuing, Viewing Service,: Items collected when using the ticket service.

   ① Reservation information
   [Mandatory items] Departure , Destination, Departure time
   ② Credit card information
   [Mandatory items] Credit card number, Date of birth,
   ③ Frequently Used Card information
   [Mandatory items] Credit card number, Date of birth,
   ④ Issuing the ticket for the reservation
   [Mandatory items] Date of birth, Mobile Phone Number
   

4. The following items of personal information can be automatically generated and collected in the course of use of the Internet service.

   IP address

The company collects personal information in following ways.

1. Collected from users
2. Collected through personal authentication system (Date of birth, name & Personally Identifiable Number [CI])
3. Collected from information automatically generated at a time of use of the Internet
4. Collected from credit card information earned at a time of a reservation and cancellation

Article 2 Purpose of Collection and Use of Personal Information

The company collects personal information for following purposes and uses collected personal information only for pertinent purposes.

1. Implementation of the contract on provision of services and calculation of service fees
   

   Provision of contents and specific customized services, delivery of goods, transmission of bills, personal authentication, purchase and calculation and collection of service fees

2. Membership management

   Identification according to usage of membership service and limited identification system, individual identification, prevention of fraudulent use by illegitimate members, prohibition of unauthorized use, confirmation on membership intention, preservation of records for adjustment of disputes, handling of civil applications including complaints, the latest information including announcement, information on change in services, channels of communications with customers including results of consultations and inactivation of customer accounts that have not been used for a long time and etc.

3. Service Management

   Service quality management through the monitoring system.

4. Tagless Member Management

   Personal verification, individual identification, preventing illegal use of faulty members and preventing unauthorized use, verification of membership subscription, retention of records for dispute resolution, processing of complaints, providing latest information, information on changes to the service, communication with customers, processing of dormant account for long-term inactive members, transmission of telephone numbers to HCE service to identify the passenger as related to the operation of the tag-less service

Article 3 Providing and Sharing Personal Information to a Third Party

The Company uses the personal information of clients within the scope notified in [2. Purpose of Collecting and Using Personal Information], will not use beyond the said scope without a prior consent of the clients, and as a rule, the personal information of a client will not be disclosed to the outside.

1. In case the user consents to providing to a third party
   

   The Company may provide the personal information of a client to an affiliated company or share with an affiliated company in order to provide a better service. In case the Company provides or shares the personal information, the Company will obtain a prior consent, and in such a case, the Company will request a consent of the members by stipulating the purpose of using the personal information by the persons provided with the information, items of personal information provided, the retention and use period of personal information by the person provided with the personal information, the fact the users have the right to refuse to provide the consent on the information provision and any disadvantages from refusing to provide the consent, etc.

Person provided with the information	TubeBox Co.
Purpose of provision and use	In order to identify the individual discount coupon list and the discount coupon box
Items of personal information provided	The encrypted user number randomly created upon individual membership registration
The period of retention and use of the personal information by the person provided with the information	Upon membership withdrawal or upon close of the partnership

Person provided with the information	Lotte Card Co., Ltd..
Purpose of provision and use	Verification of subjects of affiliated promotions and processing of promotion-related duties
Items of personal information provided	Personally identifiable number (CI), Client identifiable serial number, name (only when participating in events)
The period of retention and use of the personal information by the person provided with the information	During the user’s use of the Mobile Bus Tago application

Article 4 Entrustment of Collected Personal Information

The company uses outside services in charge of customers’ personal information in order to provide services and designates provisions on safe management of personal information at a time of entrustment contract in accordance with related laws and regulations.
The present personal information processing entrustment institution and its obligations are as follows.

* Entrustment of collected personal information

Entrustment of collected personal information

Entrustment institution	Entrusted obligations
Lotte Data Communication Company	Homepage management & comprehensive management of information system
Booil Information Link Corp	Operation of Customer Service Center for improved efficiency in consulting

If it is entrusted with sending gifts to customers after an event, it is handled based on prior approval from pertinent customers.

Article 5 The Period of Ownership and Use of Personal Information

Personal information on customers shall be immediately destroyed once it fulfills the purpose of collection and use of personal information in principle, provided that the following information shall be preserved for a specified period of time for reasons specified as below.

1. Preservation of information in accordance with related laws and regulations
   1. Records on contracts and revocation: Five (5) years (Act on the Consumer Protection in the Electronic Transactions, etc.)
   2. Records on payment and supply of goods: Five (5) years (Act on the Consumer Protection in the Electronic Transactions, etc.)
   3. Records on handling of consumer complaints and resolution to disputes: Three (3) years Act on the Consumer Protection in the Electronic Transactions, etc.)
   4. Records on identification: Six (6) months (Act on the Promotion of Information and Communications Network Utilization and Information Protection, etc.)
   5. Records on visits to websites: Three (3) months (Protection of Communications Secrets Act)
   6. Until members are withdrawn

Article 6 Deletion of Unused Customer Accounts

The company divides membership accounts into active accounts and inactive ones in order to protect personal information on customers. If there is no record on login or usage of homepage for one year, it shall be classified into an inactive account in order to protect personal information on customers, and customers’ personal information shall not be used and offered to partner companies (third party-agreed partner companies). (The effective date: August 18, 2015)

Article 7 Procedures for Destruction of Personal Information and Pertinent Methods

Personal information on customers shall be immediately destroyed once it fulfills the purpose of collection and use of personal information in principle. Procedures for destruction of personal information by the company and its method shall be as follows.

1. Procedures for destruction

   Information that users entered to subscribe to membership shall be immediately destroyed in accordance with reasons (refer to the period of ownership and usage) for information protection specified in internal principles and other related laws and regulations once it fulfills intended purposes.

   1. Processing of destroying the dormant account of long-term inactive clients: We destroy the dormant accounts, without use records with a 30-day prior notice, in cases of no access or use for 1 year or longer (Refer to the Article 6 Dormant Account of Long-Term Inactive Members).
   2. Procedure of Destroying the Membership Withdrawal (Account Withdrawal): upon implementing 'Change My Info' > 'Withdrawal,' the use and provision to a third party is suspended immediately, and the personal information of the client is destroyed within 5 days (Refer to Article 8 Rights of the Users and Legal Representatives and the Exercise Thereof).
   3. Procedure for Destruction Upon Withdrawal of Consent to an Event: A client may make a request for withdrawal from an event or use by contacting the customer center (+82-2-585-0966, +82-1644-0006) by referring the “Article 8 Rights of the Users and Legal Representatives and the Exercise Thereof,” and the withdrawal and destruction will be implemented pursuant to the internal policy and guidelines (The information on the outcome of the withdrawal can be provided by the customer center).
2. Methods of destruction
   1. Printed personal information shall be shredded or incinerated.
   2. Personal information saved in electronic files shall be deleted through the use of irrevocable technical methods.

Article 8 Rights of Users and Their Legal Representatives and a Method of Exercise

Customers may exercise the following rights related to protection of personal information at any time.

1. 1) Request for view on personal information
2. 2) Request for correction at a time of errors
3. 3) Request for deletion
4. 4) Request for suspension of handling

As for methods of exercise of rights, make sure to view personal information offered in Correct My Information Menu in the homepage and revise contact information, address and email information. In addition, one can proceed with withdrawal through ‘Withdraw from Membership.’

If it is impossible to exercise rights on the homepage, make sure to contact personnel in charge of protecting personal information in writing or via phone or email. Then, the company will take necessary measures immediately. If users made a request to correct errors in personal information, the pertinent personal information shall not be used or provided until correction is completed. In addition, if incorrect personal information was already provided to a third party, the result of correction shall be immediately notified to rectify situation.

The company shall deal with personal information cancelled or deleted as per requests made by a user or a legal representative in accordance with "5. Period of Ownership and Usage of Personal Information" and ensure that it shall not be viewed or used for other purposes.

Article 9 Matters on Installation/Operation and Rejection of Automatic Collection Equipment for Personal Information

The company shall not use cookie that frequently saves and detects information on customers.

Article 10 Technological/Administrative Measures for Protection of Personal Information and Notification on Leakage

The company shall take the following technological/administrative measures in order to secure stability so that personal information on customers cannot be lost, stolen, leaked, altered or damaged.

1. Technological measures
   1. Encryption of personal information
      Personal information on customers shall be encrypted at a time of storage and transmission, and important data shall be protected through separate security functions.
   2. Technological measures against hacking
      The company takes measures to prevent damage caused by computer viruses through the use of vaccine programs. The vaccine programs are regularly updated, and if viruses suddenly appear, the company provides vaccine programs as soon as they are released to prevent personal information from being violated. In the meantime, the company adopts security system that enables users to transmit personal information on the network through the use of encryption algorithm. In addition, it installs a firewall against such outside invasion as hacking and does whatever it can to enhance security through the use of intrusion prevention system and vulnerability detection system installed in each server.
   3. Restriction in access to personal information processing system
      The company does not combine personal information with general information for the purpose of storage. It also designates a computer room and a data storage room as a special protection area to control access.
      The company has only the pertinent personnel deal with personal information on customers and grant a separate password to update it on a regular basis. It provides education to personnel in charge on a frequent basis in order to emphasis the importance of compliance with Privacy Policy all the time.
      It is making efforts to check out implementation of policy on protection of personal information and compliance with a person in charge through an in-house administrative organization so that detected problems can be instantly corrected. Personal information on customers shall be thoroughly protected through the use of a password. Only the customers know their ID password, and they shall confirm and change their personal information because they are the only ones who know their password. Accordingly, customers are advised not to disclose their password. Toward this end, customers are advised to log out online and finish a web browser after using a PC in principle. In particular, if they share a PC with others or use a PC in a public place (a company, a school, a library, an Internet game room and etc.), the above-mentioned procedures are more required to prevent personal information from being disclosed to others.
2. Administrative measures
   1. Control and education for personal information handlers
      The company shall minimize the number of persons authorized to access personal information on customers as follows.

      i. Those who conduct direct marketing activities toward users
      ii. Those who manage personal information including Privacy Supervisor and Privacy Personnel
      iii. Those who are obligated to handle personal information due to business

      The company also provides regular in-house education and external entrusted training to employees in charge of handling personal information with regard to acquisition of new security technologies and obligation to protect personal information. It also prevents information from being leaked through security pledge written by all employee at a time of employment and establishes internal procedures for inspection on implementation of policy on protection of personal information and compliance with employees. Transfer of business by personal information handlers shall be thoroughly conducted under tight security, and the company clearly defines responsibilities for accidents caused by personal information after employment and retirement.
      The company shall not take responsibility for losses caused by accidents occurring due to users’ carelessness or in areas uncontrolled by the company despite the fact that the company fulfilled its responsibility as a personal information handler.
      If personal information was lost, leaked, altered and damaged due to internal administrator’s mistakes or administrative and technological accidents, the company shall make a notification to customers and take appropriate measures to come up with compensation plans.

   2. The company acquired Information Security Management System (ISMS) from KISA for the purpose of protection of information on users before operating it.
3. Notification on leakage of personal information

   The company is doing its utmost to protect personal information on its members by taking technological and administrative measures to protect personal information, but if it finds out that personal information was leaked for such unexpected reasons as hacking, it would immediately notify the situation to its members in writing or via email, FAX, phone, mobile phone or text messages or in other similar ways.

   1. Items of leaked personal information
   2. The time of leakage and details
   3. Information on what members can do to minimize damage caused by leakage
   4. Responses and remedial procedures followed by the company
   5. The company will disclose a department in charge of accepting complaints and related contact information in case of occurrence of losses caused to its members, and if personal information was leaked, related matters will be disclosed in detail on the first screen of the homepage along with notification to its members.

Article 11 Contact Information on Privacy Supervisor and Related Personnel

Customers may report all complaints related to protection of personal information by using corporate service to Privacy Supervisor. The company shall provide prompt and detailed responses to complaints lodged by users.

Contact information on Privacy Supervisor and Privacy Personnel

	National Bus Transportation Association		EB CARD
	Privacy Supervisor	Privacy Manager	Privacy Supervisor	Privacy Manager
Name of Department	Computer Business Team	Computer Business Team	IT Division	IT Division
Name	Hae-gwon Jeong	Beom-yong Kim	Yeon-woo Lee	Cheon-ju Yun
Position	Section Chief	Employee	Division Head	Team Leader
Telephone	02)585-0966	02)585-0966	1644-0006	1644-0006
Email	jhkdoublez@naver.com	kimbeomyong@gmail.com	c-privacy@myezl.com	c-privacy@myezl.com

1. Remedial measures taken at a time of violation of rights and interests

   The main agent of information may file an application for resolution to disputes or consultations with KOPICO and KISA Personal Information Invasion Report Center. If you have any inquiries about complaints about invasion of personal information and counseling, make sure to contact the following institutions.

The Police Headquarters Cyber Security Bureau	Homepage	http://www.netan.go.kr
	Telephone	(Without a telephone exchange number)182
The Supreme Public Prosecutors Office Cyber Criminal Investigation Division	Homepage	http://www.spo.go.kr
	Telephone	(Local number)+1301
Personal Information Invasion Report Center (Operated by Korea Internet & Security Agency)	Homepage	http://privacy.kisa.or.kr
	Telephone	(Without a telephone exchange number)118
Personal Information Dispute Mediation Committee (Operated by Korea Internet & Security Agency)	Homepage	http://kopico.go.kr
	Telephone	(Without a telephone exchange number)118

Article 12 Other Matters

1. Operation of Customer Service Center
   The company operates Customer Service Center in order to facilitate communications with customers.
   [Customer Service Center] 1644-2992
   The company can provide customers with links to websites and data operated by other companies. In that case, the company does not have any control over external websites and data, so it will not be responsible for usefulness of offered services or data. If you move to another website by clicking a link introduced by the company, Privacy Policy of the pertinent website has nothing to do with the company, so it is advised to review policy of the new website.
2. Transmission of advertising information
   The company shall not transmit advertising information for profit against customers’ will. If customers agree to send electronic mails including newsletters or transmit advertising information on products for online marketing via emails, the company shall take appropriate measures to help customers easily find out what they are about by using titles and the texts of emails. If the company sends advertising information for profit via other text messages including fax and mobile text messages than emails, the company shall indicate “(Advertising)” in the beginning of the transmission in addition to sender’s contact information.

Article 13 Revision of Privacy Policy and Notification

If the present Privacy Policy is added, deleted or revised, it shall be notified on the homepage or via email 7 days earlier, and if it is difficult to make a prior notification, it shall be immediately notified. The policy shall take effect for the date of notification.

- Date of public notification : January 20, 2022
- Date of implementation : January 20, 2022