Privacy Policy
MedicalPark Co., Ltd. (hereinafter "Company") complies with the Personal Information Protection Act, the Act on Promotion of Information and Communications Network Utilization and Information Protection, and other applicable laws of the Republic of Korea in providing the KoaBP PHD app (hereinafter "App") service, and is committed to protecting the rights of its users.
Article 1 (Purpose of Processing Personal Information)
The Company processes personal information for the following purposes. Personal information being processed shall not be used for purposes other than the following, and if the purpose of use changes, necessary measures such as obtaining separate consent pursuant to Article 18 of the Personal Information Protection Act will be implemented.
- Membership registration and management: Processing personal information for the purpose of verifying membership intent, OAuth-based identification and authentication, maintaining and managing membership, and preventing unauthorized use of services.
- Health measurement services: Processing personal information for the purpose of measuring blood pressure and heart rate through BLE (Bluetooth Low Energy) medical devices, storing and managing measurement data, and visualizing measurement results.
- Data sharing services: Processing personal information for the purpose of sharing measurement data with healthcare institutions or other individuals selected by the user.
- Notification services: Processing personal information for the purpose of providing push notifications such as measurement reminders and sharing alerts.
- Grievance handling: Processing personal information for the purpose of verifying the identity of complainants, confirming complaints, and communicating processing results.
Article 2 (Categories of Personal Information Processed)
The Company processes the following categories of personal information.
- Upon registration: (Required) Name, email / (Optional) Phone number, date of birth, gender
- Health information (sensitive data): Blood pressure (systolic/diastolic), heart rate, raw measurement data
- Automatically collected items: Device information (OS, device model), BLE device connection information, FCM token (for push notifications), app usage records
※ Health information is classified as sensitive data under the Personal Information Protection Act and is processed with separate consent.
Article 3 (Methods of Collecting Personal Information)
The Company collects personal information through the following methods.
- Direct input by users during app registration and login (OAuth)
- Automatic collection during health measurements via BLE medical devices
- Automatic generation and collection during service use (device information, FCM tokens, etc.)
Article 4 (Processing and Retention Period of Personal Information)
The Company processes and retains personal information within the period prescribed by law or the retention period agreed upon when collecting personal information from the data subject.
- Member information: Until membership withdrawal. However, information may be retained until the end of the relevant reason in the following cases:
  - Until the conclusion of any investigation or inquiry in progress due to violations of applicable laws
  - Until the settlement of any remaining claims or obligations arising from service use
- Health measurement data: Until membership withdrawal or until deletion is requested by the user
- Retention pursuant to applicable laws:
  - Act on Consumer Protection in Electronic Commerce: Records of contracts or subscription withdrawal — 5 years
  - Protection of Communications Secrets Act: Communications confirmation data — 3 months
Article 5 (Rights and Obligations of Data Subjects and How to Exercise Them)
Data subjects may exercise the following rights against the Company at any time.
- Request to access personal information
- Request correction in case of errors
- Request deletion (measurement data can be deleted directly within the app)
- Request to suspend processing
Rights may be exercised via email, and the Company will take action without delay. Consent to the processing of personal information may be withdrawn through membership withdrawal.
Article 6 (Destruction of Personal Information)
The Company shall destroy personal information without delay when it is no longer needed due to expiration of the retention period or achievement of the processing purpose.
- Server data: Electronic files are destroyed using technical methods that prevent data recovery.
- On-device data: Local data stored on the device (Realm database, secure storage) is deleted when the app is uninstalled.
Article 7 (Provision of Personal Information to Third Parties)
The Company does not provide personal information to third parties without prior consent of the data subject. However, personal information may be provided to third parties in the following cases.
- User-initiated data sharing: Users may share measurement data (blood pressure, heart rate, etc.) with healthcare institutions or other individuals through the in-app sharing feature. Explicit consent is obtained at the time of sharing.
- When there are special provisions in law or when it is unavoidable to comply with legal obligations
Article 8 (Entrustment of Personal Information Processing)
The Company entrusts the processing of personal information as follows for smooth service provision.
- Google LLC (Firebase): Push notification (FCM) service provision
- Server hosting provider: Server hosting for service operation
When entering entrustment contracts, the Company specifies in contracts and other documents the prohibition of processing personal information beyond the purpose of entrusted work, technical and managerial safeguards, restrictions on re-entrustment, supervision and management of trustees, and liability for damages, pursuant to Article 26 of the Personal Information Protection Act.
Article 9 (Overseas Transfer of Personal Information)
The Company transfers personal information overseas as follows for the provision of push notification services.
- Recipient: Google LLC
- Country: United States
- Items transferred: FCM token (device identification information)
- Purpose of transfer: Push notification delivery
- Retention period: Until termination of service use
Article 10 (Measures to Ensure the Security of Personal Information)
The Company takes the following measures to ensure the security of personal information.
- Administrative measures: Establishment and implementation of internal management plans, minimization and training of personnel handling personal information
- Technical measures: HTTPS encrypted communication, authentication token-based access control, access rights management for personal information processing systems, encrypted storage of sensitive data on devices (Secure Storage)
- Physical measures: Access control for server rooms and data storage facilities
Article 11 (On-Device Data Storage)
The App stores the following data on the user's device for service provision.
- Local database (Realm): Measurement data, user information, etc.
- Secure storage: Authentication tokens and other sensitive information
Uninstalling the app will delete all local data stored on the device. Data synchronized to the server can be deleted by requesting deletion separately or through membership withdrawal.
Article 12 (Privacy Officer and Department)
Privacy Officer
- Name: Hee-Boong Park
- Title: CEO
Privacy Department
- Department: Smart Healthcare Solutions Team
- Email: koabp-cs@medicalpark.co.kr
Article 13 (Remedies for Infringement of Rights)
Data subjects may apply for dispute resolution or consultation with the following organizations to seek remedies for personal information infringement.
- Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
- Personal Information Infringement Report Center (KISA): 118 (privacy.kisa.or.kr)
- Supreme Prosecutors' Office: 1301 (www.spo.go.kr)
- Korean National Police Agency: 182 (ecrm.cyber.go.kr)
Article 14 (Changes to the Privacy Policy)
This Privacy Policy is effective as of April 27, 2026.