Privacy Policy

Privacy policy

Mediwhale Inc. (“Mediwhale,” “we, “us,” or “our”) establishes and presents the following privacy policy describing how and why we might collect, store, use, share and/or protect your personal information who use Mediwhale’s website and resolve any relevant complaint thereof promptly and amicably subject to applicable law. Reading this privacy policy will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our website. If you still have any questions or concerns, please contact us at the contact point as set out below.

Article 1. Purpose of Processing Personal Information 

Mediwhale collects and uses personal information for the following purposes:

1. Inquiry Response: identity verification, inquiries confirmation, fact-finding, and outcome notification.
2. Service Improvements and Development: improvement of existing services and development of new services

Article 2. Personal Information to be Collected and Processed

1. Mediwhale collects and processes the following personal information:
   1. Items collected when you write an inquiry: name, email address, country, phone number, job titles; and
   2. Items collected when Mediwhale responds to an inquiry: collecting and processing separate items necessary to respond to that inquiry, including the items specified in Section 2.1.a above.
2. Mediwhale does not collect your personal information if you are under the age of fourteen (14).

Article 3. Period of Retention and Use for Personal Information

1. Mediwhale will only keep your personal information for as long as it is necessary for the purposes set out in this privacy policy unless a longer retention period is required or permitted by law. Accordingly, Mediwhale will, without delay and without your further request, delete and destroy your personal information when we finalize processing and responding to your inquiries and follow-up inquiries; provided that Mediwhale may retain your personal information until the completion of the respective investigation if there is an ongoing investigation regarding a violation of relevant laws and regulations.
2. Notwithstanding the foregoing, Mediwhale may retain the following information until the end of the specified period:
   1. Your log record related to your service use: for three (3) months, which is the retention period prescribed by the Protection of Communications Secrets Act of Korea.

Article 4. Provision of Personal Information to Third Parties
Mediwhale may provide your personal information to third parties when and only when Mediwhale receives your consent to do so or there are special provisions in the Personal Information Protection Act or other laws that allow such provision.

Article 5. Entrustment of Personal Information Processing

1. 회사는 원활한 개인정보 업무처리를 위하여 다음과 같이 개인정보 처리업무를 위탁하고 있습니다.

 Article 6. Use and Provision of Personal Information within the Scope Reasonably Related to the Purpose of Collection

1. Mediwhale may use or provide personal information to a third party without your consent, considering each of the following criteria within a reasonable scope and the original purpose of collection.
   1. Whether such use or provision is related to the original purpose of collection: judgment based on whether the original purpose of collection and the purpose of additional use and provision are related in terms of their nature or tendency;
   2. Whether the further use or provision of personal information is predictable considering the personal information collection circumstances or the processing practices thereof: judgment based on the relationship between the personal information controller and you, the level of technology and the rate of development, and general circumstances (practice) established over a substantial amount of time, etc.;
   3. Whether your interests are unreasonably infringed: judgment based on whether your interests are substantially infringed in relation to the additional purpose of use and whether such infringement is unreasonable, etc.; and
   4. Whether necessary safety measures, such as pseudonymization or encryption, have been taken: judgment by considering whether safety measures are taken in consideration of the possibility of infringement, etc.

Article 7. You and Your Legal Representatives’ Rights, Obligations, and Exercise Methods thereof

1. You may, at any time, exercise the right to peruse, correct, delete, and suspend the processing of your personal information against Mediwhale, which may be requested in writing, by phone, or by e-mail. Mediwhale respects your request without delay, subject to certain exceptions provided by applicable laws.
2. You may exercise the right under Section 7.1. through your agent such as your legal representative or a delegate in which case you will be required to submit to Mediwhale a power of attorney that confirms such delegation and Mediwhale may deny your request in accordance with applicable laws.
3. Your rights under Section 7.1 may be restricted in accordance with relevant laws such as the Personal Information Protection Act. Further, You may not request a correction and deletion of your personal information if such information is required to be collected according to other laws. Mediwhale will confirm whether the person who made the request, such as a request for perusing, correction, or deletion, or request for suspension of the processing, holds such right or is a legitimate agent.
4. In some regions, you may have certain further rights under applicable data protection laws, and you may contact us at the contact point as set out below to request exercising such rights. Mediwhale will consider and act upon any such request in accordance with applicable data protection laws.
5. If you are a California resident, you may further have the following rights:
   1. Right to be informed. You have the right to know the following:
      • Whether we collect and use your personal information;
      • the categories of personal information that we collect, the purposes;
      • the purposes for which we collected personal information is used; and
      • whether we sell or share personal information to third parties, the categories of the sold or shared personal information thereof, and the categories of third parties to whom the personal information was sold or shared;
   2. Right to limit the use and disclosure of sensitive personal information. Mediwhale does not collect sensitive personal information when you use our website.
   3. Right to opt out. Mediwhale does not sell your personal information collected when you use our website.
   4. Right to non-discrimination for your exercise of privacy rights. Mediwhale will not discriminate against you if you exercise your privacy rights.

Article 8. Destruction of Personal Information

1. Mediwhale will, without delay, destroy your personal information when your personal information becomes unnecessary, such as in the cases of the expiration of the personal information retention period, or achievement of the purpose of processing.
2. If Mediwhale needs to preserve your personal information in accordance with the applicable laws and regulations even when the personal information retention period agreed by you has elapsed or the purpose of processing has been achieved, Mediwhale will securely store your personal information and isolate it from further processing by storing it in a separate database.
3. Mediwhale takes the following destruction procedures and methods:
   1. Destruction procedures: Mediwhale will select the personal information that needs to be destroyed and destroy the personal information with the approval of Mediwhale ‘s personnel for management of personal information; and
   2. Destruction method: Mediwhale destroys personal information recorded and stored in electronic file format using technical methods so that the information cannot be reproduced, and personal information recorded and stored on paper documents is destroyed by crushing or incineration with a shredder.

Article 9. Safety Measures for Personal Information
Mediwhale has implemented the following appropriate and reasonable administrative and technical security measures designated to protect the security of your personal information:

1. Administrative measures: establishment and implementation of internal management plans for personal information, regular employee training, etc.
2. Technical measures: technical countermeasures against hackings, etc., encryption of personal data, storage access records, and prevention of forgery, etc.

2. Notwithstanding the foregoing, no electronic transmission over the Internet or information storage technology can be guaranteed 100% secure, so Mediwhale cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will endeavor our best to protect your personal information, the transmission of personal information to and from our website is at your own risk. Further, you should only access our website within a secure environment.

Article 10. Installation, Operation, and Refusal Thereof of Automatic Personal Information Collection
Mediwhale does not use ‘cookies’ to store and retrieve, from time to time, your usage information. If a standard for automatic personal information collection is adopted that Mediwhale will follow in the future, we will inform you about such practice in a revised version of this privacy policy.

Article 11. Collection, Use, and Refusal Thereof of Behavioral Information
Mediwhale does not collect, use, or provide behavioral information for online personalized advertising. If a standard for behavioral information collection that Mediwhale will follow in the future is adopted, we will inform you about such practice in a revised version of this privacy policy.

Article 12. Chief Privacy Officer

1. Mediwhale has designated the Chief Privacy Officer, who is the person in charge of managing personal information tasks and handling your complaints about personal information. Mediwhale will respond to your complaint about personal information, at latest, not more than 45 days from the receipt your complaints. Our Chief Privacy Officer’s contact information is as follows:

2. You may inquire about all personal information protection-related inquiries, handling complaints, damage relief, etc. that occurred while using Mediwhale’s services to our Chief Privacy Officer and the following department in charge:

3. You may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee or the Personal Information Infringement Reporting Center of the Korea Internet & Security Agency to receive relief from personal information infringement. For other reports and consultations on personal information infringement, please contact the following organizations:
   • 개인정보분쟁조정위원회 : (국번없이) 1833-6972 (www.kopico.go.kr)
   • Personal Information Infringement Reporting Center: +82-118 (without area code) / privacy.kisa.or.kr
   • Supreme Public Prosecutors’ Office : +82-1301 (without area code) / spo.go.kr
   • National Police Agency: +82-182 (without area code) / ecrm.cyber.go.kr

Article 13. Governing Law
This policy will be interpreted and enforced according to the laws of the Republic of Korea, unless otherwise required by other relevant data protection laws.

Article 14. Amendment of the Privacy Policy
Mediwhale may amend the Privacy Policy in order to comply with applicable law or to reflect any changes in the provision of service, in which case Mediwhale will notify you of such amendment prior to the effective date of such amendment.

The Privacy Policy shall take effect from [October 1, 2023].

Appendix: EU GDPR Privacy Assurance Policy

Section 1.  Lawful Management of Personal Data under GDPR

Mediwhale Inc. (“Mediwhale”) lawfully processes personal data under the conditions below:

1. A user explicitly consents to their personal data being processed.
2. The processing is necessary for executing a contract that a user is part of or for initiating steps required by a user before entering into a contract. This may involve member management, identification, service provision, payment, and settlement of fees, among others.
3. The processing is a legal requirement for Mediwhale, such as adherence to relevant legislation, rules, legal procedures, or governmental requests.
4. The processing is crucial to protect users or other individuals’ vital interests, for example, detecting, preventing, and responding to fraud, abuse, security threats, and technical issues that could harm users or other individuals.
5. The processing is necessary for a task conducted in public interest or in the execution of official authority given to Mediwhale.
6. The processing is essential for the legitimate interests pursued by Mediwhale or by a third party, except where such interests are overridden by the interests or basic rights and freedoms of the data subject, especially where the data subject is a child.

Section 2.  GDPR Rights of Users

Users or their legal representatives have the following rights in relation to the collection, use, and sharing of personal data by Mediwhale:

1. Right to access personal data: Users or their legal representatives can request access to their data and verify the records of the collection, usage, and sharing of their data under the law.
2. Right to correction: Users or their legal representatives can request corrections for any inaccurate or incomplete data.
3. Right to deletion: Users or their legal representatives can request the deletion of their data after the completion of its purpose and the revocation of their consent.
4. Right to restrict processing: Users or their legal representatives can request a temporary suspension of data processing in the event of disputes over data accuracy and the legality of data processing, or if data retention is necessary.
5. Right to data portability: Users or their legal representatives can request the provision or transfer of their data.
6. Right to object: Users or their legal representatives can object to data processing if the data is used for direct marketing, legitimate interests, official duty execution, and research and statistics.
7. Right to avoid automated individual decision-making, including profiling: Users or their legal representatives can request to stop automated processing of personal data, including profiling, which significantly impacts or can legally affect them.

Section 3.  Data Transfer Across Borders

Given Mediwhale’s worldwide operations, users’ personal data may be shared with entities in other countries for explicitly stated purposes in this Policy. In regions where personal data is transferred, stored, or processed, Mediwhale enforces adequate measures to protect the data. If personal data from the European Union or Switzerland is used or disclosed, Mediwhale aligns with the US-EU Privacy Shield, Swiss-US Privacy Shield, or employs other measures or secures user consent following EU regulations, using a standardized agreement clause approved by EU executing organizations or ensuring suitable safeguards.

Section 4.  Third-Party Sites and Services

Mediwhale’s websites, products, or services may include links to third-party websites. The privacy policies of these third-party sites may be different from ours. Users are therefore advised to review the privacy policies of any third-party sites accessed via links on Mediwhale’s site.

Section 5.  Policy Updates

Mediwhale has the right to update this Privacy Assurance Policy as needed. If significant changes are made, Mediwhale will notify users via the website or other suitable means, providing users with a chance to review the changes before they become effective. If a user continues to use our services after changes have been notified, it will be regarded as the user’s acceptance of the changes.

Section 6.  Contact Information

For users or their legal representatives wishing to exercise their rights as described in this policy, or for those with any queries or complaints about Mediwhale’s privacy practices, they can reach out to Mediwhale’s Data Protection Officer or equivalent representative through the contact information available on our website.

Section 7. Governing Law

This policy will be interpreted and enforced according to the laws of the Republic of Korea, unless otherwise required by the GDPR or other relevant data protection laws.

㈜메디웨일 개인정보 처리방침

㈜메디웨일(이하 ‘회사’)은 관련 법령에 따라 홈페이지를 이용하는 이용자의 개인정보를 보호하고, 이와 관련한 고충을 신속하고 원활하게 처리하기 위하여 다음과 같이 개인정보 처리방침을 수립·공개합니다. 　

제1조(개인정보의 처리 목적)

회사는 다음의 목적을 위하여 개인정보를 처리합니다.

1. 문의 응대: 이용자의 신원 확인, 문의사항 확인, 사실조사를 위한 연락통지, 처리결과 통보
2. 서비스 개선 및 개발: 기존 서비스 개선 및 신규 서비스 개발

제2조(처리하는 개인정보 항목)

• 회사는 서비스 이용자에 대하여 다음의 개인정보항목을 수집하여 처리하고 있습니다.

1. 문의 작성 시: 이름, 이메일 주소, 국가, 전화번호, 직업
2. 문의 응대 시: 제1호에 기재된 항목을 포함하여 해당 문의 응대에 필요한 개별 항목을 수집 및 처리

• 회사는 만 14세 미만 아동의 개인정보를 수집하지 않습니다.

제3조(개인정보의 처리 및 보유기간)

• 회사는 이용자가 작성한 문의 및 후속문의에 대한 처리 및 응대가 완전히 종료되는 경우에는 별도의 요청이 없더라도 수집된 이용자의 정보를 지체없이 삭제 및 파기합니다. 다만, 관계 법령 위반에 따른 수사조사 등이 진행 중인 경우에는 해당 수사·조사 종료 시까지 이용자의 정보를 보존합니다.
• 전항에도 불구하고 회사는 다음의 사유에 해당하는 경우에는 해당 기간 종료 시까지 보존합니다.

1. 서비스 이용 관련 로그기록: 「통신비밀보호법」상 보존기간인 3개월

제4조(개인정보의 제3자 제공)

회사는 이용자의 동의를 받거나 개인정보 보호법 또는 다른 법률의 특별한 규정이 있는 경우에만 개인정보를 제3자에게 제공합니다.

제5조(개인정보처리의 위탁)

• 회사는 원활한 개인정보 업무처리를 위하여 다음과 같이 개인정보 처리업무를 위탁하고 있습니다.

제6조(수집목적과 합리적으로 관련된 범위 내의 개인정보 이용 및 제공)

회사는 당초 수집 목적과 합리적인 범위 내에서 아래 각 기준을 고려하여, 이용자의 동의 없이 개인정보를 이용 또는 제3자에게 제공할 수 있습니다.

1. 당초 수집 목적과 관련성이 있는지 여부: 당초 수집 목적과 추가적 이용·제공 목적이 성질이나 경향에 있어 연관이 있는지 등을 고려하여 따라 판단
2. 개인정보를 수집한 정황 또는 처리 관행에 비추어 볼 때 개인정보의 추가적인 이용 또는 제공에 대한 예측 가능성이 있는지 여부: 개인정보처리자와 이용자 간의 관계, 기술 수준 및 발전 속도, 상당한 기간동안 정립된 일반적인 사정(관행) 등을 고려하여 판단
3. 이용자의 이익을 부당하게 침해하는지 여부: 추가적인 이용 목적과의 관계에서 이용자의 이익이 실질적으로 침해되는지 및 해당 이익 침해가 부당한지 등을 고려하여 판단
4. 가명처리 또는 암호화 등 안전성 확보에 필요한 조치를 하였는지 여부: 침해 가능성을 고려한 안전 조치가 취해지는지 등을 고려하여 판단

제7조(이용자와 법정대리인의 권리·의무 및 행사방법)

• 이용자는 회사에 대해 언제든지 개인정보 열람정정·삭제·처리정지 요구 등의 권리를 행사할 수 있습니다.
• 제1항에 따른 권리 행사는 서면, 전자우편 등을 통하여 하실 수 있으며, 회사는 이에 대해 지체 없이 조치하겠습니다.
• 제1항에 따른 권리 행사는 이용자의 법정대리인이나 위임을 받은 자 등 대리인을 통하여서 하실 수 있습니다. 이 경우 수임인에 대한 위임사실을 확인할 수 있는 위임장을 제출하셔야 합니다.
• 개인정보 보호법 등 관계 법령에서 정하는 바에 따라 이용자의 개인정보 열람정정·삭제·처리정지 요구 등의 권리 행사가 제한될 수 있습니다. 또한 법령에서 그 개인정보가 수집 대상으로 명시되어 있는 경우에는 그 삭제를 요구할 수 없습니다.

제8조(개인정보의 파기)

• 회사는 개인정보 보유기간의 경과, 처리목적 달성 등 개인정보가 불필요하게 되었을 때에는 지체없이 해당 개인정보를 파기합니다.
• 이용자로부터 동의 받은 개인정보 보유기간이 경과하거나 처리목적이 달성되었음에도 불구하고 제3조 제2항에 기재된 법령에 따라 개인정보를 계속 보존하여야 하는 경우에는, 해당 개인정보를 별도의 데이터베이스(DB)로 옮기거나 보관장소를 달리하여 보존합니다.
• 개인정보 파기의 절차 및 방법은 다음과 같습니다.

1. 파기절차: 회사는 파기 사유가 발생한 개인정보를 선정하고, 회사의 개인정보 보호책임자의 승인을 받아 개인정보를 파기합니다.
2. 파기방법: 회사는 전자적 파일 형태로 기록·저장된 개인정보는 기록을 재생할 수 없도록 기술적 방법을 이용하여 파기하며, 종이 문서에 기록·저장된 개인정보는 분쇄기로 분쇄하거나 소각하여 파기합니다.

제9조(개인정보의 안전성 확보조치)

회사는 개인정보의 안전성 확보를 위해 다음과 같은 조치를 취하고 있습니다.

1. 관리적 조치: 내부관리계획 수립·시행, 정기적 직원 교육 등
2. 기술적 조치: 해킹 등에 대비한 기술적 대책, 개인정보의 암호화, 개인정보처리시스템의 접근권한 관리, 접속기록의 보관 및 위변조 방지 등

제10조(개인정보 자동 수집 장치의 설치∙운영 및 거부에 관한 사항)

회사는 이용자의 이용정보를 저장하고 수시로 불러오는 ‘쿠키(cookie)’를 사용하지 않습니다.

제11조(행태정보의 수집·이용 및 거부 등에 관한 사항)

회사는 온라인 맞춤형 광고 등을 위한 행태정보를 수집·이용·제공하지 않습니다.

제12조(개인정보 보호책임자)

• 회사는 개인정보 처리에 관한 업무를 총괄해서 책임지고, 이와 관련한 이용자의 불만처리 및 피해구제 등을 위하여 아래와 같이 개인정보보호책임자를 지정하고 있습니다.

▶ 개인정보 보호책임자

• 성명: 이근영
• 직책: 이사
• 연락처: 02-2179-8780, young@mediwhale.com

• 이용자는 개인정보 열람청구를 포함하여 회사의 서비스를 이용하시면서 발생한 모든 개인정보 보호 관련 문의, 불만처리, 피해구제 등에 관한 사항을 개인정보보호책임자 및 아래 담당부서로 문의하실 수 있습니다.
• 부서명: 제품팀
• 연락처: 02-2179-8780, young@mediwhale.com

• 정보주체는 개인정보침해로 인한 구제를 받기 위하여 개인정보분쟁조정위원회, 한국인터넷진흥원 개인정보침해신고센터 등에 분쟁해결이나 상담 등을 신청할 수 있습니다. 이 밖에 기타 개인정보침해의 신고, 상담에 대하여는 아래의 기관에 문의하시기 바랍니다.

1. 개인정보분쟁조정위원회 : (국번없이) 1833-6972 (www.kopico.go.kr)
2. 개인정보침해신고센터 : (국번없이) 118 (privacy.kisa.or.kr)
3. 대검찰청 : (국번없이) 1301 (www.spo.go.kr)
4. 경찰청 : (국번없이) 182 (ecrm.cyber.go.kr)

제14조(개인정보 처리방침의 변경)

회사는 법률이나 서비스의 변경사항을 반영하기 위한 목적 등으로 개인정보처리방침을 수정할 수 있습니다. 개인정보처리방침이 변경되는 경우 회사는 효력발생일 이전에 미리 공지하겠습니다.

이 개인정보 처리방침은 2022. 10. 1.부터 적용됩니다.