NEED PRIVACY POLICY

Effective as of: August 25, 2025

INTRODUCTION

Need approaches its collection, use, and sharing of your Personal Information with tremendous respect and care.

Please read our Privacy Policy (“Privacy Policy”). By accessing or using the Services provided by Need Korea LLC (“Need”, “we”, “us”, and/or “our”), you understand that your Personal Information will be treated in the ways described herein. We have tried to make the Privacy Policy simple to understand, but if you ever have any questions, you may contact us at the address listed below.

This Privacy Policy provides you with specific details about how we collect, use, disclose and store your Personal Information, which includes your Personal Health Information, when you use the Need Services or otherwise interact with us. This Privacy Policy reflects the requirements of the law of the Republic of Korea, and our own commitments to privacy.

Please note that this Privacy Policy applies to any use of the Services, whether or not that use is connected to your purchase of a qualifying insurance policy.

CONTENTS

1. Data Controller
2. Our Commitments
3. Definitions
4. Collection and Use of Personal Information
5. Sharing and Disclosure of Personal Information     
6. Retention and Destruction 
7. Safeguards     
8. Your Rights
9. Department in Charge of the Protection of Personal Information
10. Changes to Privacy Policy

DATA CONTROLLER

You should be aware that Need Korea LLC is the data controller of the Personal Information collected by and provided to us.

OUR COMMITMENTS

We commit to treating your Personal Information lawfully and fairly; to not processing it in an inappropriate manner or beyond the purposes for which we collected it; to work with you in ensuring the accuracy of your Personal Information; to secure your data to avoid the risk of infringing upon your rights; to inform you of our privacy practices and of your rights with respect to your Personal Information held by us; to use processes such as anonymization and pseudonymization wherever reasonably practicable in order to further protect your privacy; to comply with all applicable privacy laws; and to destroy your Personal Information when it is no longer necessary for the purposes for which it was collected.

DEFINITIONS

The following definitions apply to this Privacy Policy:

Healthcare Providers – Institutions and providers that are or have been involved with providing you with healthcare but are unaffiliated with us. Such Healthcare Providers may include but are not limited to hospitals, clinics, physicians, nurse practitioners, registered nurses, pharmacies, oncologists, pathologists, and radiologists.    

Contractors – Individuals or institutions that act as service providers to Need in providing the Need Services. Such Contractors do not have a direct relationship to you.

Personal Health Information - Any Personal Information related to your health or healthcare, including information that relates to your physical or mental health and healthcare including health history, the provision of healthcare to you, screening assessments, payments or eligibility for healthcare, healthcare provider, substitute decision-maker, national health card number or other healthcare-related personal identification numbers including resident registration numbers (subject to any applicable legal restrictions), or any other information that is collected in the course of your receiving health services from Healthcare Providers. Such information may include any of the following:

• The name(s) of Healthcare Providers(s);
• Patient identification (i.e., name, address, phone number, national health insurance number, insurance policy number, contact person in case of emergencies, copy of identification) and a medical history;              
• Records of examinations carried out by Healthcare Providers and clinical notes for each patient encounter;
• Requisitions for treatment or investigation;
• Consents to treatment obtained in writing;
• Records of healthcare appointments, including missed or canceled appointments;
• Records of treatment you receive from Healthcare Providers;
• Reports of investigative procedures and reports of the results of laboratory, pathology, consultations, diagnostic imaging examinations or tests; and
• Diagnoses.      

Personal Information - Any information about an identifiable individual, including any “personal information” as regulated under the Personal Information Protection Act and any other applicable data privacy laws. Personal Information includes the Policyholder App account profile and Personal Health Information.

Policyholder App - The “Need” app provided by us to individuals who have purchased a cancer insurance policy that includes the Services.

Services – All together, the information technology tools we provide to you, including the Policyholder App and the Need website, and all the tools and services offered within the Policyholder Apps or website, including, but not limited to, assessments, recommendations, appointment-scheduling, and customer support. The Services may include the following:

(a) Supporting users to conveniently receive the most up-to-date, guideline-based cancer screening. Through this service, you will be able to receive information on medical institutions providing screening, information based on international guidelines (NHIS screening guidelines and Korea’s National Cancer Center screening project recommendations) and information from a support team if you have any questions (however, specific examinations and recommendations related to cancer screening are not included in the services, and you should separately consult with a medical institution or professional for such matters).

(b) Need Customer Support Team providing assistance in collecting your medical information and alerting your providers about how to use the separate provider-focused application.

(c) Facilitating users to receive the most up-to-date, international guideline-based cancer treatment from their providers through the following activities, systems, and feature sets: case activation; provider onboarding; data collection and digitization; data validation; and access to the Need customer support team for care navigation.

The decision to use the above service is entirely based on the personal judgment of the attending physician. While Need provides support for the use of this service, it does not require or force the attending physician to use this service, nor does it guarantee the attending physician's use of this service. The user fully understands the above and explicitly acknowledges that this service may not be used based on the attending physician's judgment.

(d) Facilitating users to receive the most up-to-date, guidelines-based follow-up care from their providers and screening, aimed at assisting your provider in optimizing treatment-related symptoms, as well as enabling the detection of cancer recurrence or new cancers. This service incorporates personalized guidelines-based survivorship plans, symptoms monitoring and reporting, as well as support from the Need customer support team.

(e) providing the user’s medical check-up reservation information to the attending physician or other relevant medical professionals and delivering the results of such medical check-up to the user (the “Check-up Coordination Service”).

(e) Other services that Need may provide to the user through the Policyholder App.

COLLECTION AND USE OF PERSONAL INFORMATION

Overview

We collect Personal Information to establish and maintain a relationship with you, to provide you our Services, to develop and enhance our products and services, and to maintain and improve the security and functionality of the Need website and Policyholder App.‬ We may also use your Personal Information, where permitted by law, to facilitate your Healthcare Providers’ care of you and our Contractors’ services to us and to your Healthcare Providers; for alerting you and third parties of opportunities for your health; and for communicating to you opportunities to participate in clinical trials. To the extent permissible under applicable laws, we may also use any of your Personal Information necessary to enforce our agreements, terms and policies, to comply with legal obligations, and for safety or security purposes.

We receive your Personal Information from three main sources: You, when you provide it to us directly in the Policyholder App or via other means; Your Use of the App, when you use the Policyholder App, we collect information about how you use the Policyholder App, information about the device you use to access the Policyholder App, and information from third-party apps you may connect to your account; and Third Parties, those entities or individuals including healthcare providers and authorized partners, who may, with your consent, provide us with your Personal Information (by the means and to the extent permissible under law) to assist in your use of the Need Services.    

We do not accept registrations for the Service by, and will not knowingly collect Personal Information of, individuals under the age of 14.

The table below summarizes the categories of personal information we collect, the purposes for which such information is used, and the retention periods applicable to such information. Please review this information carefully before providing your consent.

Details

We collect and use the following categories of Personal Information from you directly and for the purposes specified:

Name and Contact Information. We may collect information when you create an account or use our Services, such as first and last name, birthdate, gender, email address, postal address, phone number, and other similar contact data. We collect this category of information to establish and maintain a relationship with you and to provide you with access to the Services you request. We may use your contact information to send you electronic messages related to the Services, e.g., notify you that you are eligible for certain Services. If you have consented to receive marketing messages, we may send you marketing messages related to products or services we think you may be interested in. You may withdraw your consent to receive marketing messages at any time. Such withdrawal of consent will not impact your receipt of purely service-related electronic messages. 

Copy of your ID Card. A person contracted with us may request that you submit a copy of your ID card, so that they may, as your agent, obtain a copy of your medical records in accordance with the procedures set forth in the applicable medical laws and regulations. Accordingly, unique identification information set forth in your ID card (resident registration number, driver’s license number, passport number, alien registration number) may be collected. The ID card may, depending on its type, contain your resident registration number.  

Credentials. We may collect passwords, password hints, and similar security information used for authentication and account access if you create an online account. We collect this information for security, authentication, and verification purposes.

Your Communications with Us. We may collect Personal Information, such as email address, phone number, or mailing address, along with the content of your communications, including, in some instances, Personal Health Information, when you request information about our Services, request customer or technical support, or otherwise communicate with us, including online chats on the Need Platform, KakaoTalk, and phone calls.

Personal Health Information. We may collect your Personal Health Information for the purpose of providing you the Services you request, including in-app assessments to provide support for your Healthcare Providers in assessing health risks and planning your healthcare, and for such other purposes as described in this Privacy Policy, such as for alerting you and third parties of opportunities for your health; and for communicating to you opportunities to participate in clinical trials.

The table below summarizes the categories of sensitive information (including personal health information) that we collect, use, the purposes for such processing, and the applicable retention periods. Please review this information carefully before providing your consent.

We collect the following categories of Personal Information when you use the Policyholder App or our website and for the purposes specified:     

Automatic Data Collection. We may collect certain information automatically when you use our Services, such as your Internet protocol (IP) address, user settings, MAC address, cookie identifiers, mobile carrier, unique identifiers, browser or device information (see below), location information (data processed within your smartphone, or approximate location derived from IP address), and Internet service provider. Your UserID, which is a number assigned to your account for internal purposes, may also be collected automatically when you use the Services. This information is used to maintain and improve the security, performance and functionality of the Need website and Policyholder App. Some automatically collected Personal Information may be combined with other information to help improve the Services we offer. 

Data From Connected Applications. We may collect Personal Information from third-party applications if you have connected your Need account with those applications for the purpose of providing you the service or tool you have requested. For example, if you choose to connect your Apple Health app to your account in the Policyholder App, we will collect the data from that application and use it to provide you the Services you request, including analyzing the Personal Information to better provide you the Services. Such data may include “behavioral data”, such as information about the links you click, the types of content you interact with, the frequency and duration of your activities, and other information about how you use that application.

Usage Information. We may also collect information regarding your use of our Services, such as information about the links you click, the types of content you interact with, the frequency and duration of your activities, and other information about how you use our Services. This information is collected for the purposes of developing and enhancing our products and services, including to understand what Services you may be interested in, as well as for administrative purposes. We may also use this information for research purposes. We may aggregate and de-identify the data if we share it with third parties. We also use this information for security purposes and to improve the functionality of the Need Policyholder App and website.

Device Information. Certain limited technical data is required for the Policyholder App to function on your device. The information we collect includes information about your device and operating system, such as the type of device hardware and operating system, unique device identifier, IP address, language settings, and the date and time the Policyholder App accesses our servers. This information is used for the purposes of delivering content appropriate for your device’s capabilities, for delivering push notifications and helping to ensure a secure experience and to detect anomalous behavior in order to protect Personal Information from unauthorized access. In addition, in the event the Policyholder App crashes on your mobile device, we may receive information about your mobile device model software version and device carrier, which allows us to identify and fix bugs and otherwise improve the performance of the Policyholder App.

We collect the following categories of Personal Information from third parties for the purposes specified:

Personal Health Information. In accordance with required procedures under applicable law, we collect your Personal Health Information from third parties such as Healthcare Providers that may be or have been involved in your healthcare. We collect this information to provide you with the Services. We may also collect information that constitutes Personal Health Information from your health insurance provider to help us with the provision of Services to you.

Insurance-Related Information. We collect information related to your health insurance policy from your health insurance provider. This information may include information considered to be Personal Health Information, as well as contact information, policy information, credit information, claims submitted, risk assessments, and other Personal Information insurance providers have used in their decision to provide you a policy or provide coverage under your policy.      

We collect information regarding health examination appointments and results from third parties, including medical institutions and affiliated service providers, for the purpose of providing examination scheduling and related services. Such information may include the patient’s personal health information.

We may also use your Personal Information in the following other ways:

Consent. We may use your Personal Information for other purposes with your additional consent.         

With your consent, we may collect and use your personal information for marketing purposes. The table below summarizes the categories of information collected, the purposes of use, and the applicable retention period. Please review the following before making your decision regarding consent.

Contract. We may use your Personal Information where this is unavoidably necessary, for the purpose of entering into and performing a contract that we have with you.     

Deidentified. We may deidentify your Personal Information and use it for the purposes of improving and developing our Services, to enter into partnerships, to conduct data analysis, to develop new products and services in the future, and other such uses as permitted by law. 

Cookies

Our website and Policyholder App use cookies. Cookies are small text files that are saved on your device when you visit our website that help us in particular to provide you with a good experience when you browse our website and also allow us to improve it. Cookies may contain information about your use of our website or enable us to recognize you and your device the next time you visit our website.

There are various ways to configure and manage cookies. You can deactivate Need or third-party cookies using your browser settings.

For example, the following hyperlinks tell you how to disable the use of cookies in some browsers and/or how to delete cookies:

• Google Chrome‍
• Microsoft Edge

SHARING AND DISCLOSURE OF PERSONAL INFORMATION

Overview

We may share Personal Information with Healthcare Providers, Contractors, and others who assist in the provision of Services to you or to us.

We will not disclose your Personal Information for any purpose other than what has been outlined in this Privacy Policy or as permitted under applicable law, unless we obtain your express consent. We disclose only the limited amount of Personal Information necessary to meet these purposes.

We may share your Personal Information with our service providers, including Contractors, who are contracted by us to perform services or functions on our behalf where they require the information to assist us in providing the Services. In all instances in which we share your Personal Information with third parties providing the Services, we use contractual controls to protect this information and limit its use to what is necessary for the service provider to perform the service. Further details are set out in the Entrustment section below.

We may share your Personal Information with third parties within the permitted scope and in the manner required by law. Further details are set out in the Third-Party Provision section below.      

Details

Entrustment

Whenever we share information outside of Korea, we ensure that the transfer complies with applicable laws so that your Personal Information is adequately protected.

Details of the recipients of each of the categories of personal information set forth under this Privacy Policy, together with their location, purpose of transfer, period of retention by the recipient, and the timing and method of domestic/overseas transfer are as follows.  In cases where the processing of personal information is delegated to third-party companies located overseas, or when the overseas storage of personal information is necessary for contractual reasons, such transfers are carried out  in accordance with Article 28-8(1)1 or Article 28-8(1) 3 of the PIPA. You may refuse the overseas transfer of Personal Information by providing written notice of such refusal (including notice by e-mail). However, consent for overseas transfer of your Personal Information is essential for Need to provide its services to you; therefore, if you refuse to provide or revoke this consent, your access to the Services may be restricted

• Google LLC in the U.S. (Contact: googlekrsupport@google.com), which provides data storage services, and which retains data as long as necessary to provide the Services or until the end of the contract and is transferred at the time of transmission of information and through the network whenever a service is used that requires transfer. The following information may be transferred to Google LLC: name, date of birth, gender, email address, telephone number, IP address, medical records, health conditions, disease-related information, examination results, information regarding medical professionals, and treatment plans.
• Need Inc. in the U.S. (Privacy Officer, privacy@need.ai), which provides administrative and customer support, and which retains data as long as necessary to provide the support, and is transferred at the time of transmission of information and through the network whenever a service is used that requires transfer. The following information may be transferred to Need Inc.: name, date of birth, gender, email address, telephone number, IP address, medical records, health conditions, disease-related information, examination results, information regarding medical professionals, and treatment plans.
• Channel.io in Korea. (Privacy Officer, Contact: privacy@channel.io, Phone: +82.2.1644.4052), which provides a customer support platform, and which retains the data as long as necessary to provide you the Need Services or until end of contract, and is transferred at the time of transmission of information and through the network whenever a service is used that requires transfer.
• Sejong Telecom in Korea (Privacy Officer: privacy@sejongtelecom.net, +82.2.1688.1000), which provides an internet phone and call management service, and which retains the data as long as necessary to provide you the Need Services or until end of contract, and is transferred at the time of transmission of information and through the network whenever a service is used that requires transfer.
• Elastic Search in Korea (Privacy Officer: +1.650.458.2620 or via the form provided at https://www.elastic.co/legal/privacy-statement#contact), which provides search and analytics services, and which retains data as long as necessary to provide you the Need Services or until end of contract, and is transferred at the time of transmission of information and through the network whenever a service is used that requires transfer.
• Sentry in the U.S. (Privacy Officer: compliance@sentry.io), which provides error debugging services, and which retains data for up to 90 days, and is transferred at the time of transmission of information and through the network whenever a service is used that requires transfer. The IP address may be transferred to Sentry.
• The CRC provides proxy services for accessing and obtaining copies of medical records, and may transmit data or deliver documents through a secure network when necessary. Details such as the name and affiliation of the CRC handling your personal information will be provided separately once confirmed.
• Hecto Data Co., Ltd. in Korea (Personal Information Protection Officer: privacy@hectodata.co.kr), which provides services for relaying personal (credit) information using your authentication information, saving request/response data using your authentication information to improve API service quality and respond to business, and processing requests for access, correction, deletion, and suspension of processing of your personal information; and which retains data as long as necessary to provide you the Need Services or until end of contract, and is transferred at the time of transmission of information and through the network whenever a service is used that requires transfer.
• RudderStack in the U. S. (Contact: privacy@rudderstack.com) which provides error debugging services, and which retains data for up to 30 days, and is transferred at the time of transmission of information and through the network whenever a service is used that requires transfer. Date of birth, gender, IP address may be transferred to RudderStack
• PostHog in the U. S. (Contact: privacy@posthog.com) which provides error debugging services, and which retains data as long as necessary to provide the Services or until the end of the contract, and is transferred at the time of transmission of information and through the network whenever a service is used that requires transfer. Date of birth, gender, IP address may be transferred to PostHog

We and our entrustee Need Inc. may entrust Personal Information to service providers specified above, for the following purposes:

Contractors. To provide our Services, we may disclose your Personal Information to Contractors, who are involved in providing the Services. 

Your Personal Health Information will be accessible to Contractors who provide or assist in the provision of the Services.

Service Providers. We may share Personal Information with our suppliers, agents or other organizations or individuals who are contracted to perform services or functions on our behalf, where they require the information to assist us in serving you. For example, we may use service providers for internal administrative purposes, e.g., a customer service platform, to host our website and to store and dispose of information on our behalf. In addition, we may use service providers for our internal processes (such as internal communications platforms and customer support platforms). We strive to minimize the amount of Personal Information that we share with our service providers and partners and ensure that appropriate contractual clauses restrict what they are able to access or do with the Personal Information. 

Third-party data provision 

In order for your Healthcare Providers who are providing medical services to you to obtain information on optimum clinical or treatment methods, or obtain reference material from Contractors, we may provide Personal Health Information, or allow access thereto, to them in accordance with the Terms of Service for the Services and applicable laws.

The table below summarizes the recipients of your personal information, the categories of information disclosed, the purposes of such disclosures, and the applicable retention periods. Please review the following carefully before providing your consent.

We may provide your personal information to an to overseas third parties as described below. Such overseas provisions are carried out  in accordance with Article 28-8(1) 1 of the PIPA (data subject’s consent). You may refuse the overseas provision of Personal Information by providing written notice of such refusal (including notice by e-mail). However, consent for overseas provision of your Personal Information is essential for Need to provide its services to you; therefore, if you refuse to provide or revoke this consent, your access to the Services may be restricted:

Affiliated Companies for the Check-up Coordination Service. We may, with your consent, provide your Personal Information and Sensitive Information to our affiliated companies that operate digital healthcare solutions and their partner hospitals in order to provide you with the Check-up Coordination Service.

Insurance Companies. We may share limited Personal Information, e.g., your policy number and your cancer diagnosis information, as well as information related to your use of the Need Services, with the insurance company through which you purchased a Need-integrated cancer insurance policy in the event you tell us you have received a cancer diagnosis. Disclosure of this personal information is subject to a privacy and security agreement that ensures the insurance company will use your data only for the purposes of administering your Need-integrated policy and will be subject to security required under the law.

Third-Party Partners. We may provide, where permitted by law and/or with your further consent, your Personal Information to third-party partners who may be conducting research, clinical trials, or studies, or may be developing healthcare-related software, programs, or products. We may share your Personal Information if we partner with a third party for the purposes of conducting research or clinical trials. We may provide your Personal Information to third-party partners that have products or services that may be of interest to you. If we do, we will add their names to this Privacy Policy.

Affiliated Providers for Check-Up Coordination Service. We may provide your personal information, including sensitive health information, to affiliated companies that operate digital healthcare solutions and their partner hospitals, with your consent, for the purpose of providing Check-Up Coordination Service.

Disclosures required or permitted by law or regulation. We may disclose Personal Information to the extent necessary where we are required or permitted under applicable law, such as in the event of an emergency that threatens the life, health or security of an individual. We or our service providers will also share Personal Information with law enforcement, courts, other government agencies or other parties if we are required to do so to meet our legal and regulatory requirements in the jurisdictions in which we or our service providers operate; for example, we are required to provide records to law enforcement in response to a valid court order.

Business Transfers. If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of all or a portion of our assets, or transition of service to another provider, your Personal Information may be transferred to a successor or affiliate as part of that transaction along with other assets, subject to all requirements under applicable laws.

Standards for Determining Additional Use/Provision

Pursuant to Article 15(3) and Article 17(4) of the PIPA, we may additionally use and provide personal information without first obtaining consent from the relevant data subject, taking into consideration the matters set forth in Article 14-2 of the Enforcement Decree of the PIPA.

We took into account the following factors in relation to the additional use and provision of personal information.

• In light of the fact that the original purpose of collection of personal information is to facilitate use of the ‘Need Platform Service’ which supports your cancer screening based on the latest clinical guidelines, the additional provision is relevant to such original purpose of collection.
• The data subject would be able to predict during the course of entering into a service agreement that, based on the characteristics of the ‘Need Platform Service’, personal information may be shared with other medical professionals.
• The information is provided to facilitate the provision of ‘Need Platform Service’ pursuant to request of the relevant data subject, and does not unfairly infringe upon such data subject’s interests.
• We take necessary measures to minimize the range of personal information processed, and to ensure safety to minimize exposure of personal information

Possibility of Disclosure of Sensitive Information, and How to Opt for Non-disclosure

During the course of our provision of the Hero App Service (a service whereby a platform is provided on which your attending physician and/or other medical professionals may deliberate upon your symptoms and method of treatment in relation thereto, etc.) certain sensitive information including your health-related information, may be disclosed.  You may opt for non-disclosure through revoking your consent to provision of sensitive information; provided, however, that upon such revocation, your access to the services operated through the Hero App may be restricted.

RETENTION AND DESTRUCTION

In general, we retain Personal Information until termination of service use

Personal Information may be retained for a period of time mandated by law, including as specified below:

Act on Consumer Protection in Electronic Commerce

• Records relating to your cancellation of, or payment for, a transaction, and our supply of a good/service: 5 years
• Records of handling of complaint, or dispute: 3 years

Protection of Communications Secrets Act

• Records/logs of your visits to our website: 3 months

When we destroy your Personal Information, we will take commercially reasonable and technically feasible measures to ensure it is permanently deleted.

We delete Personal Information stored in the form of electronic files by using technical methods that render it impossible to restore the data. Personal information printed on paper is shredded or incinerated. Other types of Personal Information, if any, are permanently destroyed, in accordance with any applicable requirements under law.

SAFEGUARDS

We understand that data security is a critical issue and we are committed to safeguarding the Personal Information in our custody or control. We have implemented a comprehensive information security program in accordance with applicable law that includes written policies and procedures, and security controls, as well as reasonable administrative, technical and physical safeguards, in an effort to protect against unauthorized access, use, loss, modification, and disclosure of Personal Information in our custody or control as follows:    

1. Organizational measures: Establishment and implementation of internal management plans, provision of regular employee training, etc.
2. Technical measures: Management of access rights to the Personal Information processing systems, installation of access control systems, encryption of uniquely identifiable information,     installation of security programs, etc.
3. Physical measures: Access control of IT rooms, data storage rooms, etc.

Please keep in mind that no internet or email transmission is ever fully secure or error free and no security system is impenetrable. We cannot fully guarantee the confidentiality of any information that you provide to us but we can assure you that we will use reasonable and appropriate security controls, reflective of the sensitive nature of Personal Health Information.

It is important for you to play an active role in the protection and safeguarding of your Personal Information, and to guard your privacy when you are online. If the Policyholder App or our website contains links to other websites, apps, or platforms, this Privacy Policy does not govern those websites. You should read their privacy policies and make an informed decision about whether you want to use them or their services.

YOUR RIGHTS

Access: You have the right of access to your Personal Information. For any Personal Information that is not available to you directly in your account, you may request access by contacting us at the address below.

Correction: You have the right to correct incorrect Personal Information. For any Personal Information that you cannot directly correct in your account, you may request correction by contacting us at the address below.

Deletion: You may request deletion of your Personal Information. For any Personal Information that you cannot directly delete in your account, you may request deletion by contacting us at the address below.

Suspension of Processing: You have the right to request that we stop processing your Personal Information. To make such a request, you may contact us at the address below.

We rely on you to ensure that the Personal Information in your account is accurate, complete and up-to-date.

Please be aware that we will take reasonable steps, as permissible under law, to verify your or your legal representative’s identity before providing you with access to your Personal Information or making corrections or deletions to it. In addition, your right to access, correct, or delete your Personal Information is subject to certain legal restrictions.

You and your legal representative/guardian may make requests by contacting us at the address listed in the next section.

DEPARTMENT IN CHARGE OF THE PROTECTION OF PERSONAL DATA

Please contact us at the address below if:

• you have any questions related to the collection, use or disclosure of your Personal Information;
• you need to report any privacy or security violations, including any suspected or actual unauthorized access, use, disclosure or loss of Personal Information;
• you wish to withdraw your consent to the collection, use or disclosure of Personal Information;
• you wish to access, update, and/or correct inaccuracies in your Personal Information;
• you have any questions or comments about this Privacy Policy; or
• you otherwise have a question or complaint about the manner in which we or our service providers treat your Personal Information, including our policies and practices with respect to the use of service providers outside of the Republic of Korea.

Need has designated a chief privacy officer, to oversee processing of Personal Information and for purposes of addressing requests and issues regarding such processing. Need’s chief privacy officer is the following:

• Name: Joonyoung Park 
• Department: Data Protection and Privacy

Email: privacy@need.ai

CHANGES TO PRIVACY POLICY

This Privacy Policy may be updated from time to time to reflect changes to our practices. Any notices regarding modifications to this Privacy Policy will be in written form and provided to you on the Policyholder App and on our website.

If any changes to this Privacy Policy are significant, we will provide a more prominent notice (including email notification, if appropriate).

We encourage you to periodically review this Privacy Policy for the latest information on our privacy practices and to contact us if you have any questions or concerns.

This Policy was last updated on August 25, 2025

• Current version
• May 22, 2025