Privacy Policy – Mediwhale

Mediwhale Inc. (hereinafter referred to as the “Company”) values your privacy and complies with the Personal Data Protection Act. Through this Privacy Policy, we will inform you of the purpose and manner in which the personal information you provide is being used and what measures are being taken to protect your personal information. If the Company revises the Privacy Policy, the Company will notify you through the website announcement (or individual notice). This policy is effective from April 14, 2025.

“The Privacy Policy consists of the following content

Clicking the Table of Contents will jump to the article..

Purpose of processing, items collected, processing and retention period of personal information
Matters concerning entrustment of personal information processing
Procedures and methods of destruction of personal information
Matters concerning the rights and obligations of the information subject and legal representative and how to exercise them
Matters concerning measures to ensure the safety of personal information
Matters concerning the installation and operation of devices that automatically collect personal information and their refusal
Matters concerning the Chief Privacy Officer
Remedies for infringement of the rights of the information subject
Matters concerning the operation and management of fixed visual data processing device
Matters concerning changes to the privacy policy

Purpose of processing, items collected, processing and retention period of personal information

Diagnosis of cardiovascular disease risk

① The Company processes the personal information of the information subject as follows.

② The Company collects and processes the minimum amount of personal information for the following purposes. The personal information processed will not be used for any purpose other than the following purposes, and if the purpose of use is changed, the Company will take necessary measures such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.

Services	Purpose of processing	Collection items	Processing and retention periods
Dr. Noon	§ Diagnosis of cardiovascular disease risk § Diagnosis of cataracts, glaucoma, retinal diseases, etc	§ (Required) Retinal fundus photograph § (Optional) Gender, age, date of birth, date of hospital visit	10 years
Contact us	Confirm user’s identity, confirm inquiry, contact for fact-finding, and notify processing results	Name, email address, country, phone number, occupation	Until the processing and response to inquiries and follow-up inquiries are completed
Recruitment	Verification of applicants’ careers, decision on whether to hire, notification, and other employment-related tasks, and all tasks related to concluding and maintaining employment contracts	(Required) Name, mobile phone number, email, address, career history	Until the end of the recruitment process

※ However, personal information for the Dr. Noon service is not collected directly by the company, but is collected through hospitals, etc. if the user agrees to the processing through hospitals, etc.

③ In principle, after the purpose of collecting and using personal information is achieved, the information is destroyed without delay. However, if it is necessary to preserve it in accordance with the provisions of the relevant laws and regulations, the Company shall keep customer information for a certain period of time as stipulated by the relevant laws and regulations as follows.

– Preservation items: Diagnosis information

– Preservation basis: Article 15, Paragraph 1 of the Enforcement Regulations of the Medical Act

– Preservation period: 10 years

Matters concerning entrustment of personal information processing

① The Company entrusts personal information processing as follows to ensure smooth personal information processing.

Entrustee (trustee)	Consignment work	Consignment period
Cafe24.Corp	Cloud server operation and management	Until the end of the consignment contract

② When concluding a consignment contract, the company states in a contract or other document matters related to responsibilities such as prohibition of processing personal information for purposes other than the performance of the consigned work, technical and administrative protection measures, restrictions on re-consignment, management and supervision of the consignee, and compensation for damages in accordance with Article 26 of the Personal Information Protection Act, and supervises whether the consignee safely processes personal information.

③ If the content of the entrusted work or the trustee changes, we will disclose it without delay through this personal information processing policy.

Procedures and methods of destruction of personal information

① The company destroys personal information without delay when the personal information becomes unnecessary, such as when the retention period for personal information expires or the purpose of processing is achieved.

② In cases where the retention period for personal information agreed upon by the data subject has expired or the processing purpose has been achieved, but personal information must be retained in accordance with other laws and regulations, the personal information is transferred to a separate database (DB) or stored in a different location.

③ The procedures and methods for destroying personal information are as follows.

destruction process

The Company shall establish a personal information destruction plan for the personal information (or personal information file) to be destroyed and destroy it. The Company selects the personal information (or personal information file) for which the reason for destruction has occurred, and destroys the personal information (or personal information file) with the approval of the Chief Privacy Officer of the Company.

Information entered for the purpose of using the service is transferred to a separate DB (separate filing cabinet in case of paper) after the purpose is fulfilled and is stored for a certain period of time (see Retention and Usage Period) in accordance with the internal policy and other relevant laws and regulations, and then destroyed.

Personal information moved to a separate DB will not be used for any purpose other than that for which it was retained, unless required by law.

destruction method

– Personal information printed on paper: shredded or incinerated

– Personal information stored in electronic files: deleted using technical means that make the records unrecoverable

Matters concerning the rights and obligations of the information subject and legal representative and how to exercise them

① The information subject may exercise rights such as requesting to view, correct, delete, or suspend the processing of personal information at any time against the Company.

※ Requests access to personal information about children under the age of 14 must be made directly by their legal representative, and information subjects who are minors over the age of 14 may exercise their rights regarding the personal information of the information subject by themselves or through their legal representative. However, the Company does not currently process personal information of children under the age of 14

② The exercise of rights may be made in writing, e-mail, facsimile transmission (FAX), etc. to the Company in accordance with the Enforcement Decree of the Personal Information Protection Act, and the Company will take action without delay.

③ You may also exercise your rights through a representative, such as a legal representative of the data subject or a person authorized by the data subject. In this case, you must submit a power of attorney

④ Requests for access to personal information and suspension of processing may limit the rights of the information subject under Article 35 (4) and Article 37 (2) of the Personal Information Protection Act.

⑤ A request for correction or deletion of personal information cannot be made if the personal information is specified as the subject of collection under another law.

⑥ The Company shall verify whether the person making the request is the person or his/her authorized representative when requesting access, correction, deletion, or suspension of processing in accordance with the rights of the information subject.

⑦ If the information subject requests correction of errors in personal information, we will not use or provide the personal information until the correction is completed. In addition, if we have already provided incorrect personal information to a third party or trustee, we will notify the result of the correction process without delay and take measures to correct it.

⑧ The Company may make requests for access to personal information to the following departments. The Company will endeavor to promptly process the information subject’s request for access to personal information.

▶ Reception and processing department for requests for access to personal information

Department Name : Development

Contact: : 02-6959-8010, g.young@mediwhale.com

Matters concerning measures to ensure the safety of personal information

The Company takes the following measures to ensure the safety of personal information.

administrative measures: establishment and implementation of internal management plan, minimization and training of personal information handling staff. Conducting regular self-audits
technical measures: management of access rights to personal information processing systems, installation of access control system, encryption of unique identification information, installation of security programs
physical measures: access control, such as locks on computer rooms and document storage areas, and access control for unauthorized personnel

Matters concerning the installation and operation of devices that automatically collect personal information and their refusal

① The company does not use ‘cookies’ to store and retrieve user usage information.

Matters concerning the Chief Privacy Officer

① The Company is responsible for the overall handling of personal information and designates a personal information protection officer as follows to handle complaints and remedy damages of information subjects related to the handling of personal information.

Sortation

Name

Contact

Chief Privacy Officer

Geunyoung Lee

02-6959-8010

g.young@mediwhale.com

② The information subject may contact the Chief Privacy Officer and the department in charge regarding the handling of complaints related to personal information protection and the remedy of damage that occurred while using the Company’s services (or business). The Company will respond to and handle inquiries from the information subject without delay.

Remedies for infringement of the rights of the information subject

① The information subject may apply for dispute resolution or counseling to the Personal Information Dispute Mediation Committee, the Personal Information Infringement Report Center of the Korea Internet & Security Agency, etc. to receive relief due to personal information infringement. For other reports and consultations on personal information infringement, please contact the following organizations.

Personal Information Dispute Mediation Committee : (without area code) 1833-6972 (www.kopico.go.kr)
Personal Information Infringement Report Center : (without area code) 118 (privacy.kisa.or.kr)
Supreme Prosecutors’ Office : (without area code) 1301 (www.spo.go.kr)
National Police Agency : (without area code) 182 (ecrm.police.go.kr)

② The Company guarantees the right of self-determination of personal information of the information subject and strives to provide counseling and damage relief due to personal information infringement, and if you need to report or consult, please contact the following departments.

▶ Customer consultation and reporting grievance handling department (name, phone number, and other contact information of the department that handles personal information protection and related grievances)

Department Name : Development

Contact : 02-6959-8010, g.young@mediwhale.com

Matters concerning the operation and management of fixed visual data processing device

① Grounds and purpose of installation of fixed visual data processing device

The Company installs and operates fixed image information processing equipment for the following purposes in accordance with Article 25, Paragraph 1 of the Personal Information Protection Act.

– Facility Safety and Management, Fire Prevention

– Crime prevention for customer safety

② Number of installations, installation location and shooting range

Sortation	Number of installations	Installation location and shooting range
Headquarters	3	Spatial photography of major facilities such as office entrances and interiors

③ Administrators and access rights

In order to protect personal video information and handle complaints related to personal video information, we have the following persons in charge of personal video information management and access rights.

Sortation	Departments	Name	Job title	Contact
Administrator	Development	Geunyoung Lee	Director	02-6959-8010

④ Shooting time, storage period, storage location and processing method of personal video information

Shooting

time

Storage period

storage location

Storage Types

How to destroy (delete)

24 hours

30 days from the shooting date

Where the recording device is installed

File

Auto-delete

– Processing method: Personal video information is recorded and managed for non-purposeful use, provision to third parties, destruction, viewing, and other requests, and is permanently deleted (automatically deleted by the system) in a way that cannot be restored upon expiration of the storage period

⑤ How and where to check personal video information

– How to check: You can check by contacting the person in charge of managing personal video information in advance and visiting the location.

– Verification

Sortation	Location
Headquarters	MediWale, 4F, 746 Nonhyeon-ro, Gangnam-gu, Seoul (Nonhyeon-dong, Seokho Building), Seoul, Korea

⑥ Measures to respond to requests from information subjects to view personal video information

If you wish to view, confirm the existence of, or delete personal video information, you may request the operator of the fixed video information processing device at any time. However, it is limited to personal video information that was recorded by the person requesting access and personal video information that is clearly necessary for the urgent interests of the life, body, or property of the information subject.

The Company will take necessary measures without delay if you request to view, confirm the existence of, or delete personal video information.

Request to view video information	▶	Confirmation of applicant and review of approval	▶	Approval to view video information	▶	Viewing
Fill out the application form	▶	Review of request basis, validity, etc	▶	Check restrictions and notify whether or not to view	▶	Preparation of management ledger and attendance of person in charge

⑦ Measures to secure the safety of personal video information

As an administrative measure to protect personal video information, the Company grants differential access rights to personal information and records and manages the date of creation, purpose of viewing, viewer, and date of viewing to prevent falsification or alteration of personal video information. In addition, locks are installed for safe physical storage of personal video information.

Matters concerning changes to the privacy policy

①This Privacy Policy was revised on April 14, 2025, and if there are any additions, deletions, or modifications to the contents due to changes in laws, policies, or security technologies, the Company will notify the reason and contents of the change through the Company’s website at least 7 days prior to the implementation of the changed Privacy Policy.

② Our previous privacy policy can be found below.

10. 1 ~ 2025. 04. 13 (click)