ARPI Inc. Privacy Policy
1. Introduction
ARPI Inc. (hereinafter referred to as the "Company") complies with the Personal Information Protection Act of the Republic of Korea and related laws and regulations to protect the freedom and rights of data subjects. The Company processes personal data lawfully and manages it safely. In accordance with Article 30 of the Personal Information Protection Act of the Republic of Korea, this Privacy Policy outlines the procedures and standards for the processing and protection of personal data, and ensures that any related grievances can be promptly and smoothly addressed. This Privacy Policy is established and disclosed as follows.
2. Purpose of Processing Personal Data
The Company processes personal data for the following purposes. Personal data being processed will not be used for any other purpose than the following, and if the purpose of use changes, the necessary measures will be taken in accordance with Article 18 of the Personal Information Protection Act of the Republic of Korea, such as obtaining separate consent.
1.
Membership Registration and Management
The Company performs essential membership registration procedures for professional medical personnel to use the medical device software provided by the Company. During registration, email information is designated as the ID, and separate email verification is conducted. The password is set by the user according to predetermined password rules. Information such as affiliated medical institution, type of institution, position, and department is collected to verify the professional medical personnel status.
1.
Provision of Goods or Services
Provide analysis reports of ECG images to assist doctors' diagnoses. The payment methods required by users for service provision may vary according to the Company's internal policies, and additional personal data may be required for payment.
3. Categories of Personal Data Processed
The Company processes the following categories of personal data.
1.
Membership Registration and Management
Required items: Email, affiliated institution, type of institution, position, department
2.
Provision of Goods or Services
Generate analysis reports using ECG data. Only the patient's ECG information is used in this process, and it is immediately returned and not stored. The generated result reports are not classified as personal data.
4. Processing and Retention Period of Personal Data
In principle, the Company retains and uses the personal data provided by the user during membership registration until the user requests service termination by terminating the Terms and Conditions (T&C) agreement. If the user does not delete the account after requesting service termination and does not log in for 1 year, the account will be converted to a dormant account, and all information will be deleted after an additional year. However, if personal data must be continuously retained despite the expiration of the retention period due to the laws of the relevant country, the data subject will be informed, and the data may be retained.
5. Processing of Pseudonymous Data
The Company may process pseudonymous data for the following purposes. Pseudonymous data refers to personal data that has been processed so that it cannot identify a specific individual without the use of additional information.
1.
When necessary for the preparation of statistics, scientific research, public record preservation, etc.
Pseudonymous data is used to create various statistical data or analyze data for research purposes. In this process, all information that can identify individuals is removed, and technical and managerial protective measures required for the safe processing of pseudonymous data are observed.
2.
Processing and Protection Measures for Pseudonymous Data
The Company complies with the Personal Information Protection Act and related laws when processing pseudonymous data and implements technical and managerial measures to prevent the re-identification of pseudonymous data. Measures such as access control, encryption, and storage and management of access records are taken to ensure the security of pseudonymous data.
6. Procedures and Methods for Destroying Personal Data
The Company promptly destroys personal data when it is no longer necessary, such as after the retention period has expired or the processing purpose has been achieved. The procedures and methods for destroying personal data are as follows.
1.
Destruction Procedures
The Company selects personal data that needs to be destroyed and destroys the personal data with the approval of the Company's personal data protection officer.
2.
Destruction Methods
โ Personal data in electronic file format is destroyed so that the records cannot be reproduced.
โก Personal data recorded on paper documents is destroyed by shredding or incineration.
3.
Destruction Timing
โ Personal data in electronic file format: Personal data whose retention period has expired is destroyed without delay from the end date.
โก Personal data recorded on paper documents: Personal data whose retention period has expired is destroyed without delay from the end date.
4.
Separate Management of Information Preserved According to Laws
If the retention period has expired, but personal data must be continuously preserved according to other laws, such personal data is transferred to a separate database (DB) or stored in a different location. This case is specified in "4. Processing and Retention Period of Personal Data."
7. Provision of Personal Data to Third Parties
The Company may provide personal data to third parties in certain circumstances. Matters related to this are subject to the Terms and Conditions (T&C) Article 9.2.2, which applies between the Company (ARPI Inc.) and the customer. If personal data is provided to a third party, the Customer will be informed of the relevant legal requirements.
8. Outsourcing of Personal Data Processing
The Company does not outsource personal data processing tasks. All personal data processing tasks are performed directly by the Company.
9. Rights of Data Subjects and Their Exercise Methods
Data subjects may exercise the following personal data protection rights against the Company at any time.
1.
Right to access personal data: Data subjects may request access to their personal data being processed by the Company.
2.
Right to request correction if there are errors, etc.: Data subjects may request correction of their personal data if there are errors.
3.
Right to request deletion: Data subjects may request the deletion of their personal data if it falls under certain reasons.
4.
Right to request suspension of processing: Data subjects may request the suspension of processing of their personal data if it falls under certain reasons.
5.
Data subjects may exercise the above rights in accordance with the Enforcement Decree of the Personal Information Protection Act of the Republic of Korea, and the Company will take prompt action in response. The exercise of rights may be done through written communication, email, etc., and the Company will take prompt action in response.
10. Special Situations of the Company
If special situations regarding personal data processing arise, they may be managed in accordance with the Personal Information Protection Act of the Republic of Korea.
11. Personal Data Processing Officer
The Company has designated the following officer to be responsible for personal data processing and handling related grievances:
Responsibility of personal data processing: Jaeho Choi
Contact: +82-31-738-0110
E-mail: [email protected]
Data subjects may contact the Personal Data Processing Officer with any inquiries, complaints, or requests for relief regarding personal data protection arising from the use of the Company's services. The Company promises to respond and address the data subjects' inquiries without delay.