2. PRIVACY POLICY

2.1 Scope and Applicability

This Privacy Policy ("Policy") describes how CubeBerry Inc. ("Company," "we," "us," or "our") collects, uses, discloses, and protects the personal information of users of the XConda platform, with particular focus on residents of the United States. This Policy is intended to comply with:

California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA)
Virginia Consumer Data Protection Act (VCDPA)
Colorado Privacy Act (CPA)
Connecticut Data Privacy Act (CTDPA)
Utah Consumer Privacy Act (UCPA)
Other applicable state and federal privacy laws

Effective Date: January 13, 2026 Last Updated: January 13, 2026

2.2 Information We Collect

2.2.1 Categories of Personal Information Collected Within the preceding twelve (12) months, we have collected the following categories of personal information:

A. Identifiers: Email address, Account username, Unique online identifier, Internet Protocol (IP) address, Device identifiers.
B. Commercial Information: Subscription plan type (Standard, Pro, Max), Payment transaction history, Credit usage records, Purchase history.
C. Financial Information: Payment card information (processed through PortOne), Card type, Last four digits of card number, Cardholder name, Expiration date, Billing address.
D. Internet/Electronic Network Activity: Browsing history on our platform, Search history within XConda, User interaction with platform features, Usage patterns and preferences, Device information (browser type, operating system), Log data and cookies.
E. Geolocation Data: Coarse location based on IP address (country/region level).
F. Audio/Visual Information: Content you create using our AI video production tools, Uploaded media files.
G. Inferences: Preferences derived from your usage patterns, Predicted interests based on platform interaction.

2.2.2 Sensitive Personal Information We collect and process the following sensitive personal information only when necessary and with appropriate safeguards:

Financial account credentials (processed securely through PortOne)
Account log-in credentials (encrypted and hashed)

We do NOT collect:

Social Security numbers
Driver's license or passport numbers
Precise geolocation data
Health information
Racial or ethnic origin
Religious beliefs
Sexual orientation

2.2.3 Information Collected Automatically When you use XConda, we automatically collect:

IP address
Device type and operating system
Browser type and version
Cookies and similar tracking technologies
Service usage data
Crash reports and diagnostic data

2.2.4 Information from Third Parties We receive personal information from:

Payment Processors: PortOne (Eximbay) provides transaction data and payment verification
Social Login Providers: If you use social login features (e.g., Google, Apple), we receive basic profile information
Analytics Services: Third-party analytics providers may share aggregated usage data

2.3 How We Use Your Personal Information

We use your personal information for the following business and commercial purposes:

Service Provision

Account creation and management
Service authentication and access control
Processing subscription payments
Delivering platform features and credits
Providing customer support

Service Improvement

Analyzing usage patterns to improve platform functionality
Developing new features
Testing and troubleshooting
Conducting research and data analysis

Communications

Sending transaction confirmations and receipts
Providing service updates and notifications
Responding to your inquiries
Sending marketing communications (with your consent, in compliance with CAN-SPAM Act)
We comply with the CAN-SPAM Act for all commercial email communications. See Section 2.14 for details.

Security and Fraud Prevention

Detecting and preventing fraudulent transactions
Protecting against unauthorized access
Ensuring platform security
Preventing abuse of service

Legal Compliance

Complying with applicable laws and regulations
Responding to legal requests and processes
Enforcing our Terms of Service
Protecting our legal rights

Analytics and Personalization

Understanding user preferences
Customizing user experience
Providing relevant content recommendations

2.4.1 Service Providers We share personal information with third-party service providers who perform services on our behalf:

PortOne: Payment orchestration and gateway connection (Shares transaction/order data; PCI-DSS compliant)
Eximbay (via PortOne): International payment processing (Shares card info/billing address; PCI-DSS compliant, does not store full card numbers)
Cloud Storage Providers: Data hosting and storage (Encrypted at rest and in transit)
Email Service Providers: Customer communications (GDPR and privacy shield compliant)
Analytics Providers: Usage analysis (Anonymized usage data, IP addresses)

Payment Processing Notice: We use PortOne as a payment orchestrator and Eximbay as our payment gateway to process international transactions. Your payment information is processed securely by these third-party providers and is not stored on our servers. Only the last four digits of your card number and expiration date are retained for your reference.

Service Provider Obligations:

Process data only as instructed
Maintain confidentiality
Implement appropriate security measures
Return or delete data upon request

2.4.2 Business Transfers In the event of a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred to the successor entity.

2.4.3 Legal Requirements We may disclose personal information when required by law or in response to:

Court orders or subpoenas
Law enforcement requests
National security requirements
Legal obligations

2.4.4 With Your Consent We may share your information with third parties when you provide explicit consent.

2.4.5 Sale or Sharing of Personal Information We DO NOT:

Sell your personal information to third parties
Share your personal information for cross-context behavioral advertising
Use or share sensitive personal information for purposes other than providing our services (This applies to both the definitions of "sale" and "share" under California law.)

2.5 Your Privacy Rights

As a U.S. resident, you may have the following rights depending on your state of residence:

2.5.1 Right to Know/Access You have the right to request:

Categories of personal information we collect
Specific pieces of personal information we have collected
Categories of sources from which we collect information
Business purposes for collecting information
Categories of third parties with whom we share information

2.5.2 Right to Delete You have the right to request deletion of your personal information, subject to certain exceptions:

Complete a transaction
Detect security incidents
Exercise free speech rights
Comply with legal obligations
Engage in research

2.5.3 Right to Correct You have the right to request correction of inaccurate personal information we maintain about you.

2.5.4 Right to Opt-Out You have the right to opt-out of:

Sale of personal information (we do not sell)
Sharing of personal information for targeted advertising (we do not share)
Certain automated decision-making

2.5.5 Right to Limit Use of Sensitive Personal Information You have the right to limit our use of sensitive personal information to:

Providing the services you requested
Security and fraud prevention
Legal compliance

2.5.6 Right to Non-Discrimination We will not discriminate against you for exercising your privacy rights by:

Denying goods or services
Charging different prices or rates
Providing different quality of services
Suggesting you will receive different prices or quality

2.5.7 State-Specific Rights

California Residents: Right to opt-out of sale/sharing (available even though we don't sell/share), Right to limit use of sensitive personal information, Additional disclosure requirements.
Virginia, Colorado, Connecticut, Utah Residents: Right to appeal our decision regarding your rights request, Right to opt-out of profiling (we do not engage in profiling).

2.6 How to Exercise Your Rights

To exercise any of the privacy rights described above, you may:

Submit a Request:

Email: mattew@cuberry.kr
Phone: +82-70-8095-2302 (Monday-Friday 10:00-17:00 KST)
Online: Through your account settings at XConda platform

Verification Process: We will verify your identity by:

Matching information you provide with information in our records
Requiring you to log into your account
Requesting additional verification if needed for sensitive requests

Authorized Agent: You may designate an authorized agent to make requests on your behalf by:

Providing written permission signed by you
Verifying the agent's authority
Verifying your identity directly with us

Response Timeline:

We will respond to your request within 45 days
If we need additional time (up to 45 more days), we will inform you

No Fee: We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded.

2.7 Data Retention

We retain personal information only as long as necessary to fulfill the purposes outlined in this Privacy Policy:

Account Information: Until account deletion + 90 days (Contract performance)
Payment Records: 7 years (Tax and financial regulations)
Usage Data: 2 years (Legitimate interest)
Customer Support Records: 3 years (Contract performance)
Marketing Consent: Until withdrawn + 30 days (Consent)

After retention periods expire, we securely delete or anonymize personal information.

2.8 Data Security

We implement administrative, technical, and physical safeguards to protect your personal information:

Administrative: Employee training on data privacy, Access controls and authorization procedures, Privacy policies and procedures.
Technical: Encryption in transit (TLS/SSL), Encryption at rest, Secure authentication mechanisms, Regular security assessments, Intrusion detection systems.
Physical: Secure data center facilities, Restricted access to servers, Environmental controls.

Despite these measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

2.9 Children's Privacy

XConda is not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will delete that information promptly. If you believe we have collected information from a child under 18, please contact us at mattew@cuberry.kr.

2.10 International Data Transfers

Data Processing Location: Your personal information may be processed and stored in South Korea (primary data center), United States (cloud service providers), and other countries where our service providers operate.
Transfer Mechanisms: We ensure adequate protection for international transfers through Standard Contractual Clauses (SCCs), Service provider agreements with data protection obligations, and compliance with applicable data protection laws.
Your Rights: International transfers do not affect your privacy rights under this Policy.

2.11 Cookies and Tracking Technologies

2.11.1 Types of Cookies We Use

Strictly Necessary Cookies: Session management, Authentication, Security features.
Analytics Cookies: Usage statistics, Performance monitoring, Error tracking.
Preference Cookies: User settings, Language preferences, Interface customization.

2.11.2 Your Cookie Choices

Browser Controls: Most browsers allow you to refuse or delete cookies. Disabling cookies may affect platform functionality.
Do Not Track: We honor Do Not Track (DNT) browser signals for California residents.
Opt-Out Options: Google Analytics (https://tools.google.com/dlpage/gaoptout), Your browser's cookie settings.

2.12 California-Specific Disclosures

2.12.1 California Shine the Light Law California residents may request information about disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

2.12.2 CCPA Metrics (Annual Reporting) In the preceding 12 months:

Requests to Know: To be updated annually
Requests to Delete: To be updated annually
Requests to Opt-Out: To be updated annually
Average Response Time: Within 45 days

2.13 Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes:

We will post the updated Policy on our website
We will update the "Last Updated" date
We will notify you via email (if you have provided an email address)
For material changes, we will provide at least 30 days' notice Your continued use of XConda after changes become effective constitutes acceptance of the updated Policy.

2.14 CAN-SPAM Act Compliance

We comply with the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act) for all commercial email communications sent to U.S. recipients.

2.14.1 What is CAN-SPAM? The CAN-SPAM Act is a U.S. federal law that sets rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have you stop emailing them, and spells out tough penalties for violations.

2.14.2 Our CAN-SPAM Commitments

Accurate Header Information: Our "From," "To," and "Reply-To" fields accurately identify who is sending the message. Our routing information is accurate and identifies the sender.
Non-Deceptive Subject Lines: Subject lines accurately reflect the content of the email. We do not use misleading or false subject lines.
Identification as Advertisement: Marketing emails clearly identify themselves as advertisements or promotional content. Transactional emails are not considered advertisements.
Physical Address: All commercial emails include our valid physical postal address: CubeBerry Inc., 60 Jejung-ro, Nam-gu, Gwangju, Republic of Korea 61649
Opt-Out Mechanism: Every marketing email includes a clear and conspicuous unsubscribe link. The unsubscribe mechanism is easy to recognize, read, and use. The opt-out link remains functional for at least 30 days after sending.
Prompt Opt-Out Processing: We honor opt-out requests within 10 business days. We do not charge a fee or require any information beyond your email address. We do not require you to log in to unsubscribe.
No Transfer of Opt-Out Email Addresses: Once you opt out, we will not sell or transfer your email address to any third party (Exception: Transfer to a service provider for compliance purposes only).

2.14.3 Types of Emails We Send

Transactional/Relationship Emails (CAN-SPAM Exempt): Order confirmations, Payment confirmations, Password reset requests, Account notifications, Security alerts. You cannot opt out of these emails as they are necessary for account management and security.
Marketing/Promotional Emails (CAN-SPAM Regulated): Newsletter subscriptions, New feature announcements, Special offers, Product recommendations, Survey requests. You can opt out of these emails at any time using the unsubscribe link.

2.14.4 Your Email Preferences

How to Unsubscribe from Marketing Emails:
Option 1: Click the "Unsubscribe" link at the bottom of any marketing email.
Option 2: Log in to XConda account > Settings > Email Preferences > Toggle off "Marketing Emails".
Option 3: Email us at mattew@cuberry.kr with "Unsubscribe" in the subject line.
Option 4: Reply to any marketing email with "Unsubscribe" or "Stop".
What Happens After Unsubscribing: You'll stop receiving marketing emails within 10 business days. You'll still receive transactional emails.

2.14.5 Third-Party Email Service Providers We use third-party email service providers to send emails on our behalf. These providers are bound by our instructions, comply with CAN-SPAM Act requirements, and do not use your email address for their own purposes.

2.14.6 Reporting CAN-SPAM Violations If you believe you've received an email from us that violates CAN-SPAM:

Report to Us: Email mattew@cuberry.kr with Subject "CAN-SPAM Complaint". Include a copy of the email.
Report to FTC: Forward spam emails to spam@uce.gov or report online at reportfraud.ftc.gov.

2.14.7 Penalties for Non-Compliance We understand that CAN-SPAM violations carry severe penalties (up to $51,744 per violation). We maintain strict compliance procedures.

2.14.8 Email Best Practices Beyond legal requirements, we follow these best practices:

We only send relevant, valuable content
We respect your inbox and limit email frequency
We segment our lists to ensure you receive content that interests you
We regularly clean our email lists to remove inactive addresses
We monitor our sender reputation and deliverability

2.15 Contact Information

Privacy Inquiries: Email: mattew@cuberry.kr / Phone: +82-70-8095-2302 / Hours: Monday-Friday 10:00-17:00 KST
Data Protection Officer: CubeBerry Inc., Attn: Privacy/Data Protection, 60 Jejung-ro, Nam-gu, Gwangju, Republic of Korea (Gwangju Content Startup Center Room 309, Yangnim-dong)
Mailing Address: CubeBerry Inc., 60 Jejung-ro, Nam-gu, Gwangju, Republic of Korea 61649