Privacy Policy
HNS BioLab Co., Ltd. (the "Company") processes personal information for the purposes set out below. Personal information processed is not used for any purpose other than those stated; where the purpose of use changes, the Company will take the necessary measures, such as obtaining separate consent under Article 18 of the Personal Information Protection Act.
Article 1 (Purposes of Processing Personal Information)
- Membership registration and management: confirming intent to use the service, identifying and authenticating users for membership-based services, maintaining and managing membership, preventing fraudulent use, and handling and notifying various grievances.
- Provision of goods or services: providing health-management services through the application, confirming in-vitro diagnostic results and providing tailored content, identity verification, and service provision and improvement.
- Grievance handling: verifying the member's identity, confirming complaints, contacting and notifying for fact-finding, and reporting outcomes.
- Marketing and advertising: developing new services (products) and providing tailored services, providing event and promotional information and participation opportunities, and compiling statistics on access frequency and members' use of the service.
Article 2 (Processing and Retention Period of Personal Information)
The Company processes and retains personal information within the retention and use period prescribed by law or within the period consented to by the data subject at the time of collection.
- Membership registration and management: until withdrawal of membership. However, if an investigation or inquiry for a violation of applicable laws is in progress, until such investigation or inquiry ends; and where claims or obligations remain, until settlement is complete.
- Provision of goods or services: until the supply of goods/services and the payment/settlement of fees are complete.
Retention requirements under applicable laws are as follows.
- Records on labeling and advertising: 6 months
- Records on contracts or withdrawal of subscription, payment, and supply of goods: 5 years
- Records on consumer complaints or dispute resolution: 3 years
- Communication confirmation data (log records, access tracking data): 3 months
Article 3 (Provision of Personal Information to Third Parties)
The Company processes the data subject's personal information only within the scope specified in Article 1, and provides it to third parties only where the data subject's separate consent is obtained or where it falls under Articles 17 and 18 of the Personal Information Protection Act, such as special provisions of law.
The Company may share data with third-party partner services to provide better services and to integrate with external platforms. In such cases, the Company provides the data only after obtaining the data subject's separate and explicit consent, specifying the recipient, the purpose of provision, the items provided, and the retention and use period.
Article 4 (Rights and Obligations of the Data Subject and Legal Representative, and How to Exercise Them)
The data subject may exercise the following personal-information-protection rights against the Company at any time.
- Request to access personal information
- Request to correct errors, if any
- Request to delete
- Request to suspend processing
These rights may be exercised in writing, by telephone, by email, or by facsimile, and the Company will act on them without delay. Where the data subject requests correction or deletion of errors in personal information, the Company will not use or provide the personal information until the correction or deletion is complete.
The rights may be exercised through an agent such as the data subject's legal representative or a duly authorized person. In such cases, a power of attorney in the form of Annex No. 11 under the Enforcement Rule of the Personal Information Protection Act must be submitted. The data subject must not infringe, in violation of applicable laws, the personal information or privacy of themselves or others processed by the Company.
Article 5 (Items of Personal Information Processed)
- Membership registration and management (required): name, gender, date of birth, login ID, password, email address, mobile phone number / (optional) height, weight
- Provision of health-management and diagnostic services (sensitive information): semi-quantitative levels of glucose, proteinuria, microalbumin, and creatinine, and the resulting ACR (albumin-to-creatinine ratio) level
- Provision of goods or services: payment records and past purchase history (when using paid services)
- Automatically generated during use of the service: IP address, cookies, MAC address, client identifier, device information (model name, OS, IMEI, etc.), service usage records, visit records, access logs
Article 6 (Destruction of Personal Information)
When personal information becomes unnecessary, such as upon the lapse of the retention period or achievement of the processing purpose, the Company destroys it without delay. Where personal information must continue to be retained under other laws despite the lapse of the consented retention period or achievement of the processing purpose, the Company moves it to a separate database or stores it in a different location.
- Destruction procedure: the Company selects the personal information for which a ground for destruction has arisen and destroys it with the approval of the privacy officer.
- Destruction method: information in electronic file form is deleted using a technical method that makes the records irreproducible, and personal information printed on paper is destroyed by shredding or incineration.
Article 7 (Measures to Ensure the Security of Personal Information)
- Administrative measures: establishment and implementation of an internal management plan, regular staff training, and minimization and management of staff handling personal information.
- Technical measures: management of access rights to the personal-information processing system and operation of an access control system; encryption of unique identifying information and passwords; and measures against hacking using anti-virus programs and intrusion prevention systems.
- Physical measures: establishment and operation of access control procedures for physical storage locations such as server rooms and document storage rooms.
Article 8 (Installation, Operation, and Refusal of Automatic Personal-Information Collection Devices)
The Company uses "cookies" that store and frequently retrieve usage information in order to provide individually tailored services. A cookie is a small piece of information that the HTTP server used to operate the website sends to the user's browser or mobile device, and it may be stored on the hard disk of the user's PC or on the mobile device.
Users may refuse to store cookies through the options of their web browser or the settings of their mobile device. However, refusing to store cookies may cause difficulty in using tailored services. For the mobile application, a client identifier and device information (model name, OS, etc.) may be automatically generated and collected for service improvement and analysis.
Article 9 (Privacy Officer)
The Company designates the following privacy officer to take overall responsibility for the processing of personal information and to handle complaints and relief for data subjects related to such processing.
- Name: Hyungsik Kim
- Title: Chief Executive Officer
- Contact: +82-31-290-7799
Article 10 (Remedies for Infringement of Rights)
Data subjects may contact the following organizations for relief, consultation, and inquiries regarding infringement of personal information.
- Personal Information Infringement Report Center (operated by KISA): 118 (no area code) / privacy.kisa.or.kr
- Personal Information Dispute Mediation Committee: 1833-6972 / www.kopico.go.kr
- Cyber Investigation Division, Supreme Prosecutors' Office: 1301 / www.spo.go.kr
- Cyber Bureau, National Police Agency: 182 / ecrm.cyber.go.kr
Article 11 (Changes to the Privacy Policy)
This Privacy Policy applies from its effective date. Where the policy is amended by addition, deletion, or correction in accordance with laws and policies, the Company will give notice through announcements from seven days before the effective date of the change.
Addendum
This Privacy Policy applies from .