MEDIP Box Mobile Application (Anatomy) Privacy Policy

Medical IP Co., Ltd. (hereinafter “the Company”) complies with the “Personal Information Protection Act” and related laws to protect the freedom and rights of information subjects, processing personal information lawfully and managing it safely. Accordingly, pursuant to Article 30 of the “Personal Information Protection Act,” the Company establishes and discloses this Privacy Policy to guide information subjects on the procedures and standards for processing personal information and to promptly and smoothly handle related grievances.

Applying for membership or using services provided by the Company signifies agreement to the terms of use of the “MEDIP Box Mobile Application (Anatomy)” (hereinafter “Mobile Application”) and this Privacy Policy. This Privacy Policy is always posted on the Company’s official site (www.medicalip.com) and in designated areas within the “Mobile Application.” If amended, notice of the changed content and reasons will be provided on the site and “Mobile Application” so that “MEDIP Box Management Administrators” (hereinafter “Administrators”) and “Mobile Application Users” (hereinafter “Users”) are aware. Terms used in this Privacy Policy are the same as those in the “Mobile Application” terms of use.

1. Purpose of Collection and Use of Personal Information

The Company collects personal information for the following purposes: to confirm the identity and intent of “Administrators” and “Users” and to provide optimized and customized services. Collected personal information will not be used for purposes other than those below, and if the purpose changes, necessary measures such as obtaining separate consent pursuant to Article 18 of the “Personal Information Protection Act” will be implemented. However, please note that this Privacy Policy does not apply to the collection of personal information by external websites linked to the services provided by the Company.

1.1. Product Inquiry

Personal information is processed for the purpose of confirming the user’s identity regarding product inquiries, confirming inquiries, contacting and notifying for factual investigation, and notifying processing results.

1.2. Service Provision

Personal information is processed to provide “Administrators” and “Users” with smooth service of the “Mobile Application” following the purchase of MEDIP Box, to develop new services, to provide customized services, to provide services and advertisements according to demographic characteristics, to confirm service validity, and to compile statistics on service use.

1.3. Marketing and Advertising Utilization

Personal information is processed for the purpose of providing event and promotional information and participation opportunities according to the information subject’s choice.

1.4. Membership Registration and Management

Personal information is processed for identification and authentication for registration-based member services following the purchase of MEDIP Box, confirmation of intent to join, service provision, usage restrictions for members violating terms of use, restrictions on registration and frequency, sanctions for fraudulent service use, prevention of unauthorized use, record keeping for grievance handling and dispute mediation, delivery of notices, and confirmation of withdrawal intent.

2. Personal Information Collection and Use Policy

The Company collects and uses the personal information of “Administrators” and “Users” as follows to provide services.

2.1. Collection Method

The Company collects personal information through the following methods:

  • Website, inquiry boards, mobile applications, email, fax, telephone, and written forms for purchase and maintenance contracts
  • Provision from partner companies
  • Collection through generated information collection tools

2.2. Personal Information Items Processed

The personal information collected at login, for “Administrator” management and for smooth service use by “Users” within the “Mobile Application,” is as follows and is used for the purposes specified in Section 1.

(1) Items for Administrator Management and Identification

Category | Collected Items
Items for "Administrator" Management and Identification | Login ID, password, IP address, name, organization name, email, phone number

(2) Items for Service Provision

Category | Collected Items
Items for Service Provision | Device information (hardware model, OS version, unique device identifier), cookie information, IP information, access logs, service usage records, visit records

* Device information, access logs, and usage record information may be automatically generated and collected during the service use process.

(3) Items for Product Inquiry

Category | Collected Items
Product Inquiry Collection Items | Name, Login ID, organization name, email, phone number, country

(4) Information Generated/Collected During Mobile Service Use

Category | Access Purpose
Mobile App Access Permissions (iOS, Android) | App service provision and optimization

2.3. Personal Information Usage Policy

(1) Change of Ownership: If the Company is involved in asset bankruptcy, merger, acquisition, reorganization, or sale, user personal information may be sold or transferred as part of that transaction. This Privacy Policy applies to personal information transferred to the new entity.

(2) Administrator Access, Modification, and Deletion: If an account is created for the use of the “Mobile Application,” the Company provides functions for the “Administrator” to access, view, modify, and delete the personal information provided for account creation. Additionally, if an “Administrator” wishes to modify personal information or delete an account, they can log in to the Medical IP website (www.medicalip.com) and follow instructions, or request modification/deletion through the sales representative or technical support department. Unless there is a legal basis to store personal information (such as compliance with tax or accounting laws), the Company will delete or de-identify personal information according to procedures when an “Administrator” requests account deletion.

(3) User Access, Modification, and Deletion: “Users” of the “Mobile Application” can request the technical support department to modify, delete, or correct personal information collected after login in accordance with Section 2.2; otherwise, it is automatically destroyed 2 years from the collection date.

(4) Withdrawal of Consent: Cookies can be enabled, disabled, or deleted according to the guidance of the web browser being used. Refusing or deleting cookies may limit service use. Thereafter, personal information for providing customized advertising experiences will no longer be collected, used, shared, or processed on that device. Unless the Company has another legal basis for storing the information, personal information will be deleted or de-identified within 30 days of a withdrawal request.

(5) Legal Necessity: Personal information is processed as required by law. For example, the Company may collect IP addresses to confirm if users are in the EEA, UK, or Switzerland, but full IP addresses are not shared or maintained internally.

3. Third-party Provision or Entrustment of Processing

The Company uses personal information within the scope notified in Section 2, and in principle, does not provide or entrust personal information to third parties without prior consent. Exceptions include:

  • Prior consent from “Administrators” and “Users”
  • Requests from investigative agencies according to legal procedures for investigative purposes
  • Entrustment for smooth service operation and provision through outsourcing

4. Retention and Use Period of Personal Information

The Company processes and retains personal information within the period prescribed by law or agreed upon at the time of collection. Specifically, the following information is preserved for the stated periods and used for no other purpose.

4.1. Membership Registration and Management

Until the designated expiration date assigned to “Administrators” and “Users” for account creation and service support.

Category | Retention Period
Administrator | Until account deletion or website membership withdrawal
User | Up to 2 years from collection date (automatic destruction thereafter)

However, in the following cases, until the reason ends:

Category | Retention Period
Ongoing investigations for legal violations | Until the end of the investigation
Remaining claims/debts from service use | Until settlement of claims/debts

4.2. Service Provision

Until the completion of the designated service supply and use provided to the “Administrator” and “User” after account creation following the MEDIP Box purchase. However, for records of transactions, etc., under the “Act on Consumer Protection in Electronic Commerce”:

Category | Retention Period
Records on display/advertising | 6 months
Records on contracts, withdrawal of subscription, payment, supply of goods | 5 years
Records on consumer complaints or dispute resolution | 3 years

For records under the “Use and Protection of Credit Information Act”:

Category | Retention Period
Records on collection/processing and use of credit information | 3 years

4.3. Product Inquiry

Category | Retention Period
Records on inquiries, etc. | Up to 2 years after completion of inquiry processing

5. Personal Information Destruction Procedures and Methods

In principle, the Company destroys personal information without delay when the retention period expires or the purpose is achieved. If information must be preserved due to other laws despite the expiration of the period or achievement of purpose, it is moved to a separate database or stored in a different location.

5.1. Procedures

Personal information subject to destruction is selected and destroyed with the approval of the Privacy Officer.

5.2. Methods

  • Electronic files: Destroyed using technical methods that make records unrecoverable.
  • Paper documents: Shredded or incinerated.

6. Rights, Duties, and Exercise Methods of Information Subjects

“Administrators” and “Users” may exercise rights such as viewing, correcting, deleting, or requesting suspension of processing at any time. This can be done directly through membership modification/withdrawal after identity verification, or by contacting the Privacy Officer. If correction of an error is requested, the information will not be used or provided until correction is complete. Incorrect information already provided to third parties will be corrected promptly. Deleted information is handled according to Section 4. Rights can be exercised through a legal representative or authorized agent with a power of attorney. Rights may be limited under Articles 35(4) and 37(2) of the Personal Information Protection Act. Deletion cannot be requested if the information is explicitly required by other laws.

7. Security Measures for Personal Information

Pursuant to Article 29 of the Personal Information Protection Act, the Company implements technical and administrative measures:

  • Encryption of passwords and important information.
  • Countermeasures against hacking: Regular backups, up-to-date antivirus software, encrypted communication, and intrusion prevention systems.
  • Minimization and training of handling staff: Limited to necessary personnel with regular education and password updates.
  • Dedicated Privacy Organization: Operation of a dedicated department to monitor compliance.

8. Privacy Officer and Department

The Company has designated a Privacy Officer to handle inquiries and complaints:

  • Name: Lee Chang-hee
  • Affiliation/Position: MEDICAL IP ITCM / Leader
  • Contact: 02-2135-9148 / tech@medicalip.com
  • Inquiry Hours: Weekdays 09:00 ~ 18:00

9. Redress for Rights Infringement

Users can apply for dispute resolution or consultation with the following agencies:

Agency | Contact
Personal Information Dispute Mediation Committee | 1833-6972 (www.kopico.go.kr)
Personal Information Infringement Report Center | 118 (privacy.kisa.or.kr)
Supreme Prosecutors' Office (Cybercrime Investigation) | 1301 (www.spo.go.kr)
National Police Agency (Cyber Bureau) | 182 (ecrm.cyber.go.kr)

10. Changes to Privacy Policy

Changes will be notified 7 days in advance via website or email. Important changes require 30 days’ notice. Separate consent will be obtained for changes requiring it under the Act on Promotion of Information and Communications Network Utilization. Content may change due to laws, policies, or technology.

  • Version Number: v.1
  • Effective Date: 2024.05.10

11. GDPR Compliance

The Company makes the following efforts to comply with the European Union (EU) General Data Protection Regulation (GDPR).

  • GDPR awareness-raising activities
  • Carrying out Data Protection Impact Assessments (DPIA)
  • Guaranteeing user rights
  • Reporting and notifying personal information breaches

11.1. GDPR Awareness-Raising Activities

The Company is dedicating company-wide effort and interest to comply with the GDPR. We have identified the impact of the GDPR on our organization and are doing our best to ensure compliance by job function through the following activities:

  • (1) Participating Departments: Customer Management, HR, Finance, Marketing, System Development, etc.
  • (2) Surveys of employees regarding their level of personal information protection knowledge.
  • (3) Official declaration of the management’s commitment to GDPR compliance.
  • (4) Encouraging participation in GDPR conferences and seminars.
  • (5) Managing compliance checklists for each department.

11.2. Carrying out Data Protection Impact Assessments (DPIA)

Pursuant to Article 35 of the GDPR, the Company performs personal information impact assessments in cases where processing is likely to result in a high risk to the rights and freedoms of natural persons, including:

  • (1) Systematically and extensively evaluating personal aspects relating to individuals based on automated processing, including profiling, where decisions based on that evaluation produce legal effects concerning the individual or similarly significantly affect them.
  • (2) Large-scale, systematic monitoring of publicly accessible areas.
  • (3) Large-scale processing of special categories of personal data (sensitive information) as referred to in Article 9(1), or personal data relating to criminal convictions and offenses as referred to in Article 10.

11.3. Guaranteeing User Rights

The Company strives to guarantee the following user rights stipulated by the GDPR.

  • Right to erasure (“right to be forgotten”)
  • Right to data portability

11.3.1. Right to Erasure

Data subjects have the right to request the deletion of personal data concerning them (right to erasure) pursuant to Article 17 of the GDPR when:

  • The personal data is no longer necessary in relation to the purposes for which it was collected or processed as per Article 1 of this Privacy Policy.
  • The data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing (In this case, use of the “Mobile Application” service may no longer be possible).
  • The data subject objects to the processing pursuant to Article 21(1) of the GDPR (right to object), and there are no overriding legitimate grounds for the processing, or the data subject objects to processing for direct marketing purposes pursuant to Article 21(2) (In the case of Article 21(1), use of the “Mobile Application” service may no longer be possible).
  • The personal data has been unlawfully processed.
  • The personal data has to be erased for compliance with a legal obligation in EU or EU Member State law.
  • The personal data has been collected in relation to the offer of information society services to children.

11.3.2. Limitations on the Right to Erasure

However, pursuant to Article 17(3) of the GDPR, the Company may refuse a request for erasure if the processing is necessary:

  • For exercising the right of freedom of expression and information.
  • For compliance with a legal obligation which requires processing by EU or EU Member State law, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company.
  • For reasons of public interest in the area of public health.
  • For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
  • For the establishment, exercise, or defense of legal claims.

11.3.3. Right to Data Portability

Pursuant to Article 20 of the GDPR, the Company provides personal data collected from data subjects in a “structured, commonly used and machine-readable format.” Data subjects have the right to receive the personal data provided to the Company or, where technically feasible, request that the data be transmitted directly to another controller.

11.4. Personal Information Breach Reporting and Notification

In the event of a breach that is likely to result in a risk to the rights and freedoms of individuals, such as the following, the Company will notify the supervisory authority within 72 hours of becoming aware of the breach:

  • (1) Acts of discrimination
  • (2) Damage to reputation
  • (3) Financial loss
  • (4) Breach of confidentiality
  • (5) Other significant economic or social disadvantage risks

When a personal information breach is likely to result in a high risk to the rights and freedoms of data subjects, the Company will notify the data subject of the breach without undue delay.

12. CPRA Compliance

If the user is a resident of California, USA, this article may apply in accordance with the California Privacy Rights Act (“CPRA”).

12.1. Consumer Information That May Be Collected

The Company may collect information that identifies, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident, device, or household (“Consumer Information”), as well as information described in this Privacy Policy.

12.2. Use of Consumer Information

The Company may use consumer information for business or commercial purposes in relation to personal information in the manner prescribed in this Privacy Policy.

12.3. Disclosure of Consumer Information for Business Purposes

Pursuant to the CPRA, the Company may disclose your consumer information described above to third parties for business purposes in relation to the following categories of consumer information:

  • (1) Identifiers: Name, alias, unique personal identifier, online identifier, IP address, email, account ID, etc., pursuant to Article 13(v)(A).
  • (2) Personal information categories listed in the California Customer Records Act (Cal. Civ. Code § 1798.80 (e)).
  • (3) Internet or other similar network activity.

12.4. Sale of Consumer Information

The Company does not sell consumer information during the period this Privacy Policy is in effect and will not sell it in the future.

12.5. Rights and Choices of California Residents

The CPRA provides California residents with specific rights regarding their consumer information. Section 12.5 describes your CPRA rights (to the extent applicable) and explains how to exercise those rights.

  • (1) Right to Request Access to Specific Information and Data Portability: Users have the right to request that the Company provide specific information regarding the collection and use of the user’s consumer information over the past 12 months. Once a verifiable consumer request (as described in Section 12.6 below) is received and confirmed, the Company will disclose the information to the extent required by the CPRA.
  • (2) Right to Request Deletion and Correction of Information: Users have the right to request that the Company delete or correct the user’s own consumer information collected and maintained by the Company. Upon receipt and confirmation of a verifiable request as described in Section 12.6, the Company will delete or correct the user’s consumer information. However, the Company may deny the deletion request if retaining the information is necessary for a legitimate business purpose of the Company or a related service provider.

12.6. Exercise of Rights

  • (1) The rights of access, portability, deletion, and correction described in Section 12.5 above can be exercised through one of the following methods: 1) Calling the number specified in the Privacy Policy; 2) Visiting the website; or contacting the Company. Only the user, or a person registered with the California Secretary of State authorized to act on the user’s behalf, may make a request related to the user’s consumer information and related rights.
  • (2) The Company strives to respond within 45 days of receiving the user’s request. If additional time is required (up to 90 days), the Company will inform the user in writing of the reason and the extension period.

12.7. Non-Discrimination

To the extent permitted by the CPRA, the Company will not discriminate against users for exercising their CPRA rights, including:

  • (1) Denying goods or services to the user.
  • (2) Charging different prices or rates for goods or services, including granting discounts or other benefits, or imposing penalties.
  • (3) Providing a different level or quality of goods or services.
  • (4) Suggesting a different price, rate, level, or quality for goods or services.