(hereinafter referred to as the 'Company'), in compliance with the Personal Information Protection Act and related laws and regulations, establishes and discloses its personal information processing policy as follows.

Article 1 (Items of Personal Data Processed)

We collect personal information as follows

1. Contact us online :

(Required) First Name, Last Name, Email Addresss, Country/Region, Phone Number, Company, Position, Message

2. (Optional) Marketing purpose: First Name, Last Name, Email Addresss, Country/Region, Phone Number, Company, Position, Message

Article 2 (Purpose of Processing Personal Information)

The Company processes personal information for the following purposes. Personal information processed by the Company will not be used for any purpose other than the above, and if the purpose of use changes, the Company will take necessary measures such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.
• Online inquiries: We process personal data for the purpose of processing online inquiries.
• Recruitment: Personal information is processed for the purpose of performing human resources-related tasks such as verifying applicants' identity, education, and work history, managing past applications, conducting pre-employment screening, informing applicants about recruitment progress, determining and notifying applicants whether to be hired, and confirming applicants' intention to apply for further recruitment, and fulfilling obligations prescribed by law.
• Marketing use: We process personal information for the purpose of providing advertising information such as company introduction.

Article 3 (Processing and Retention of Personal Information)

① The Company shall process and retain personal information for the period of retention and use agreed upon at the time of collection of the relevant personal information or until the purposes listed above are fulfilled.
• Recruitment: (Domestic applicants) retained for 1 year and deleted, (International applicants) retained for 180 days from application date and deleted
• Marketing uses: Until consent is withdrawn
• Online inquiries: Until we're done processing your online inquiry.

However, if there is a basis for retaining personal information in applicable laws and regulations, we may retain personal information for the period specified in such laws and regulations.
1. If there is an ongoing investigation or inquiry into a violation of applicable laws, etc.
2. If a debt-debt relationship remains due to the use of the website, until the debt-debt relationship is settled.

Article 4 (Outsourcing of Personal Information Processing)
① The Company entrusts personal information processing as follows to ensure smooth personal information processing.

Custodian (trustee)
Outsourcing
Retention and Usage Period

CAFE24 Hosting a homepage server
Until the end of the outsourcing agreement


② When entering into a consignment contract, the Company specifies in documents such as contracts the prohibition of processing personal information other than for the purpose of performing consignment work, technical and administrative protection measures, restrictions on re-consignment, management and supervision of the consignee, and liability for damages in accordance with Article 26 of the Personal Information Protection Act, and supervises whether the consignee handles personal information safely.
③ If the contents of the consignment work or the trustee change, we will disclose it through this privacy policy without delay.

Article 5 (Rights and Obligations of Information Subjects and Legal Representatives and How to Exercise Them)
① The information subject may exercise the right to request the Company to correct, delete, or suspend the processing of personal information at any time.
② The exercise of rights under Paragraph 1 may be made in writing, e-mail, facsimile transmission (FAX), etc. to the Company, and the Company will take action without delay.
③ If the information subject requests the correction or deletion of errors in personal information, the Company will not use or provide the personal information until the correction or deletion is completed.
④ The rights under Paragraph 1 may be exercised through an agent, such as a person authorized by the information subject. In this case, a power of attorney in accordance with the Enforcement Rules of the Personal Information Protection Act must be submitted.
⑤ A request for correction or deletion of personal information cannot be made if the personal information is specified as the subject of collection under another law.
⑥ The Company shall verify whether the person making the request is the person or his/her authorized representative when requesting access, correction, deletion, or suspension of processing in accordance with the rights of the information subject.

Article 6 (Destruction of Personal Information)

① The Company shall destroy personal information without delay when it becomes unnecessary, such as the expiration of the personal information retention period or the achievement of the purpose of processing.
② If the retention period of personal information agreed to by the information subject has expired or the purpose of processing has been achieved, but the personal information must continue to be retained in accordance with other laws and regulations, the personal information shall be transferred to a separate database (DB) or preserved in a different storage location.
③ The procedures and methods for destroying personal information are as follows.

1. Destruction Procedure
The Company selects the personal information for which the reason for destruction has occurred and destroys the personal information in accordance with the Company's internal policies and applicable laws.
2. Destruction MethodsInformation in the form of electronic files is destroyed using technical methods that make the records irrecoverable, and paper documents and other record media other than electronic files are destroyed by shredding or incineration.

Article 7 (Measures to ensure the safety of personal information)

The Company takes the following measures to ensure the safety of personal information.

1. Administrative measures: establishment and implementation of internal management plans, regular employee training, etc.
2. Technical measures: Managing access rights to personal information processing systems, installing security programs, etc.
3. Physical measures: access control in computer rooms, etc.

In addition to the matters stipulated by laws and regulations, the Company implements the following activities to ensure the safety of personal information.

1. Minimizing and training employees who handle personal information

We take measures to manage personal information by designating and minimizing the number of employees who handle personal information.
2. Establishment and implementation of internal management plan

We have established and implemented an internal management plan for the safe handling of personal information.
3. Technical measures against hacking, etc.

The Company installs security programs, periodically updates and inspects them, installs systems in areas with controlled access from outside, and monitors and blocks them technically and physically to prevent leakage and damage of personal information due to hacking or computer viruses.
4. Encryption of personal information

Your personal information is stored and managed in encrypted form so that only you know your password, and we use additional security features to protect sensitive data, such as encrypting file and transmission data or using file locks.
5. Retention of access records and prevention of forgery

Records of access to the personal information processing system are kept and managed for at least one year, and security functions are used to prevent
access records from being falsified, stolen, or lost.
6. Restriction of access to personal information

The Company takes necessary measures to control access to personal information by granting, changing, or canceling access rights to the database system that processes personal information, and uses an intrusion prevention system to control unauthorized access from the outside.
7. Use locks to secure documents
I keep
documents, secondary storage media, etc. that contain personal information in a locked, secure location.
8. Controlling access for unauthorized persons

We have a separate physical storage location for personal information and have established and operated
access control procedures for it.

Article 8 (Installation, Operation, and Rejection of Automatic Personal Information Collection Devices)

The Company does not use 'cookies' that store and retrieve the usage information of the information subject from time to time.

Section 9 (Privacy Officer)

① The Company is responsible for the overall handling of personal information and designates a personal information protection officer as follows to handle complaints and remedy damages of information subjects related to the handling of personal information.

Privacy Officer

1. Full Name: Lee Geun-Young
2. Job Title: CPO
3. Contact: +82 2 6959 8010
4. Email: g.young@mediwhale.com

② The information subject may inquire about all personal information protection-related inquiries, complaints, damage relief, etc. arising from the use of the Company's business to the personal information protection officer and the department in charge. The Company will respond to and handle inquiries from the information subject without delay.

Section 10 (Remedies for Infringement)

The information subject may apply for dispute resolution or consultation to the Personal Information Dispute Mediation Committee or the Personal Information Infringement Report Center of the Korea Internet & Security Agency to obtain relief from personal information infringement. For other reports and consultations on personal information infringement, please contact the following organizations.

Personal Information Dispute Mediation Committee: (without area code) 1833-6972 (www.kopico.go.kr)

Personal Information Infringement Report Center: (without area code) 118 (privacy.kisa.or.kr)

General Prosecutor's Office: 1301 (without area code) (www.spo.go.kr)

National Police Agency: 182 ( ecrm.police.go.kr)

"A person whose rights or interests have been infringed by an action or omission taken by the head of a public organization in response to a request under the provisions of the Personal Information Protection Act may file an administrative appeal as provided in the Administrative Appeals Act.

For more information about administrative appeals, please visit the website of the Central Administrative Appeals Commission (www.simpan.go.kr).

Section 11 (Changes to the Privacy Policy)

This Privacy Policy may be amended as necessary, in which case we will take the necessary steps to inform data subjects of the changes in accordance with applicable law.

Privacy Policy Effective Date: October 1, 2022

1. Purpose of collecting personal information: Utilized for sales and marketing, including company introduction

2. Personal information collection items: First Name, Last Name, Email Address, Country/Region, Phone Number, Company, Position, Message

3. Personal information retention period: Destroyed upon withdrawal of consent

You may refuse this consent, but if you refuse, you will be restricted from receiving commercial information for commercial purposes.

I agree to receive information from us, such as offers and information about our company.