MDTalk Privacy Policy

MDsquare Inc. and its affiliates (hereinafter referred to as the "Company") comply with the relevant legal provisions, including the Act on Promotion of Information and Communications Network Utilization and Information Protection (hereinafter referred to as the "Information and Communications Network Act"), the Personal Information Protection Act, the Act on Protection of Communication Secrets, and the Telecommunications Business Act, which information service providers must adhere to in relation to personal information protection. We have established a privacy policy in accordance with the relevant laws to protect the rights and interests of users to the best of our ability.

This privacy policy applies to the use of the "website (user.mdtalk.io and www.mdsqr.com)" and the mobile applications MDTalk/MDCare (hereinafter referred to as "MDTalk" or "Service") provided by the Company and contains the following contents.

Collection Items and Purposes of Personal Information

The Company processes personal information for the following purposes. Personal information collected for the purposes below will not be used for any other purposes, and if the purpose of use is changed, we will take necessary measures, including obtaining separate consent.

The Company uses the collected personal information for the following purposes:
- Member identification and confirmation of intention to join, identity and age verification, prevention of unauthorized use
- Development of new services, provision of various services, handling of inquiries or complaints, delivery of notices
- Information delivery for events, marketing and advertising
- Utilization for service usage records, access frequency, and statistics on service usage, provision of personalized services, and service improvement
- Prevention and sanctions of acts that disrupt the smooth operation of the service, including fraudulent activities, prevention of account theft and fraudulent transactions

The personal information of users processed by the company is as follows:

Category		Items Processed	Purposes of Processing
Membership (Individual)	Join via Email	(Required) Name, Email, Password	Confirmation of membership registration, identification and authentication, maintenance and management of member qualifications, identity verification, prevention of unauthorized use of services, various notices and notifications, complaint handling, service provision and consultation, confirmation of age over 14, satisfaction surveys
	Join via Kakao Account	(Required) Kakao Linked ID, Facebook Token, Name, Profile Picture
	Join via Facebook Account	(Required) Facebook Linked ID, Facebook Token, Name, Profile Picture
	Join via Google Account	(Required) Google Linked ID, Google Token
	Join via Apple Account	(Required) Name, Email, Apple Linked ID
Membership (Hospital)		Name, Mobile Phone Number, Representative Phone Number, Email, Password, Medical Professional Information (Hospital/Pharmacy Name, Hospital/Pharmacy Phone Number, Business Registration Number, Care Facility Number, Address, Representative Name)
Non-face-to-face Medical Treatment and Health Management Service		Name, Resident Registration Number, Mobile Phone Number, Child's Name, Child's Resident Registration Number, Preliminary Examination Information, Reference Materials such as Existing Prescriptions/Medication Bags/Symptom Photos, Nationality, Personal Location Information (Longitude, Latitude), Delivery Address, Post-Consultation Information such as Prescriptions	Non-face-to-face medical treatment, health consultation, medication formulation, drug delivery, health management, provision of information to medical professionals/medical institutions/pharmacies
My Health Information		Date of Birth, Gender, Preliminary Examination Information
Information Automatically Generated When Using the Service		Service usage records, access logs, cookies, IP address, device unique identifier (device ID or IMEI), records of improper use, advertising identifiers, mobile carrier used	Statistical analysis of service/product usage information
When Using the Hospital/Pharmacy Locator Service		Personal location information (Longitude, Latitude)	Provision of the hospital/pharmacy locator service
Card Registration and Payment Services		Card number, expiration date, first 2 digits of the card security code, CVC, payment amount, signature	Provision of payment processing services
Hospital Member Settlement		Business registration number, hospital/pharmacy name, phone number, financial institution account number	Direct settlement or provision of settlement agency services
Event Participation and Consultation Request		(Required) Name, Mobile Phone Number (Optional) Gender, Date of Birth	Use for marketing and advertising, notification of events and benefits, event prize delivery
Non-face-to-face Medical Treatment Services for Overseas Koreans		Passport number, mobile phone number	Authentication of overseas Koreans

Processing and Retention Period of Personal Information

The personal information of users is generally destroyed when the purpose of collection or provision has been achieved or when the user requests termination of the service contract (withdrawal of membership). In such cases, the personal information of the user is completely deleted from the system by an irreversible method and is no longer accessible or usable for any purpose. Additionally, personal information collected for temporary purposes (e.g., surveys) is processed in a manner that makes it impossible to be reused after the purpose has been achieved.

The company may retain the personal information of a user for up to 1 year from the date of termination of the service contract (withdrawal of membership) to prevent the recurrence of unauthorized use by problematic members. Furthermore, in cases where it is necessary to retain member information under the provisions of related laws and regulations, such as the Commercial Act and the Act on Consumer Protection in Electronic Commerce, the company retains member information for a specific period as specified by such laws and regulations. In this case, the company only uses the retained information for the purpose of retention, and the retention periods are as follows:

※ Information collected and used according to internal company policies

Category	Items	Retention Period
Retention per Company Policy (Retention based on company policies, such as excluding fraudulent transactions)	User ID, DI (Duplication Information)	1 year after membership withdrawal

※ Information collected and used according to legal requirements

Basis of Law	Items for Retention	Retention Period
Act on Consumer Protection in Electronic Commerce, etc.	Records related to contracts or withdrawal of offers	5 years
	Records of payment settlement and supply of goods, etc.	5 years
	Records related to consumer complaints or dispute resolution	3 years
	Records related to display/advertisement	6 months
Act on the Use and Protection of Credit Information	Records related to the collection/processing and use of credit information	3 years
Protection of Communications Secrets Act	Service visit records	3 months
Electronic Financial Transactions Act	Records related to electronic financial transactions	5 years

If a member violates the terms of use and related laws, the company may retain the member's information for up to 2 years after membership withdrawal in order to protect other members and use it as evidence in the event of an investigation by judicial authorities.
If a member who joined after August 1, 2020, has no service transaction records for 1 year, the company will notify the member in advance and destroy their personal information or store it separately in compliance with Article 29 of the Information and Communications Network Act. If the customer requests, a different retention period can be set. However, if there is a need to retain member personal information under related laws and regulations such as the Protection of Communications Secrets Act and the Act on Consumer Protection in Electronic Commerce, the company will retain the member's personal information for the period specified by such laws and regulations. The company informs the customer of the fact that personal information will be destroyed or stored/managed separately, the expiration date, and the items of the personal information 30 days before the end of the 1-year period. To do this, the customer must provide/update accurate contact information.

Disclosure of Personal Information to Third Parties

The company uses the personal information of users within the scope notified in the "Collection of Personal Information and Purpose of Use" and generally does not exceed this scope or disclose the user's personal information to external parties without the user's prior consent. However, the user's personal information may be provided (including sharing) with third parties in the following cases:

If the user has given prior consent to the provision of personal information to third parties separately from the consent for the collection and use of personal information: The company will inform the user in advance of the name and contact information of the recipient of personal information, the purpose of using the recipient's personal information, the items of personal information to be provided, the retention and use period of the recipient's personal information, and the right to refuse consent, as well as the consequences of refusing consent.
When there is a legal obligation or necessity to comply with applicable laws and regulations.
When investigative agencies request personal information in accordance with the procedures prescribed by related laws for the purpose of investigation.
When it is necessary for the purpose of statistics and academic research, and personal information is provided in a form that cannot identify specific individuals or members.

Recipient	Purpose of Provision	Information Provided
Hospital Members	Provision of Non-face-to-face Medical Treatment and Health Management Services	Name, Resident Registration Number, Mobile Phone Number, Child's Name, Child's Resident Registration Number, Preliminary Examination Information, Reference Materials such as Existing Prescriptions/Medication Bags/Symptom Photos, Nationality, Personal Location Information (Longitude, Latitude), Delivery Address, Post-Consultation Information such as Prescriptions

Outsourcing of Personal Information Processing

In order to provide enhanced services, the company may outsource the processing of personal information. When outsourcing tasks, the company informs users of the following details and obtains their consent, and this applies even if any of the details change. To provide better services, the following are entrusted with personal information processing within the country:

Entrusted Company	Outsourced Task	Information Provided	Retention Period
Danal	Mobile Phone Verification	Name, Date of Birth, Mobile Carrier, Gender, Mobile Phone Number	Until the Purpose of Use is Achieved
NHN KCP	Credit Card Payment Processing and Agency	Card Number, Expiration Date, First 2 Digits of Card Password, CVC, Payment Amount, Signature
NHN KCP	Settlement for Hospital Members	Business Registration Number, Hospital/Pharmacy Name, Phone Number, Financial Institution Account Number

The company entrusts the processing of personal information to ensure the stability of service provision and utilizes Amazon Web Services Inc. (AWS) to store personal information acquired or generated from users in a database located in Korea. AWS is responsible only for the physical management of the server and cannot access the personal information of users.

Entrusted Company	Items Transferred	Country Transferred To	Date and Method of Transfer	Retention Period
AWS	Service Usage Records or Collected Personal Information	Korea	Transferred via network at the time of service usage	Until a change in cloud service usage

When entering into outsourcing contracts, the company specifies matters such as prohibition of personal information processing beyond the entrusted purpose, technical and administrative protection measures, limitations on re-outsourcing, supervision and management of the trustee, and liability in contracts or documents. If the content of the outsourced work or the trustee changes, it will be promptly disclosed through this Privacy Policy.

Rights and Obligations of Personal Information Subjects and How to Exercise Them

Users can request access to their own personal information registered on the company's service at any time. They can also inquire about the status of how the company uses their personal information or whether it has been provided to third parties. Users have the right to request the viewing or provision of this information. If there are errors, they can request corrections, and they can also request deletion or withdrawal of consent.
To view or modify personal information of users or children under the age of 14, users can click on 'Modify Personal Information' (or 'Modify User Information,' etc.). To withdraw consent and cancel membership, users can click on "Withdraw Membership" and go through the self-verification process.
In these cases, the company promptly investigates the personal information and takes necessary measures such as correction, deletion, etc., in accordance with the user's request. The company will not use or provide the personal information until necessary measures are taken.
Users can request the company to suspend the processing of their personal information at any time. In this case, the company promptly suspends all or part of the processing of personal information in accordance with the user's request and takes necessary measures, such as destruction of the suspended personal information.

Personal Information Disposal Procedure and Method

When personal information becomes unnecessary due to the expiration of the retention period or the achievement of the purpose of collection and use, the company promptly disposes of it. The company's personal information disposal procedure and method are as follows:

Disposal Procedure: The company records and manages matters related to the disposal of personal information. Disposal is carried out under the responsibility of the personal information protection manager, and the results of disposal are confirmed by the personal information protection manager. In cases where personal information needs to be retained under other laws, the company may not dispose of the user's personal information.
Disposal Method: Personal information stored in paper or other recording media is shredded or incinerated. Personal information stored in electronic file form is permanently deleted using a method that cannot reproduce the records.
Method of Preserving Un-Disposed Information: When the company needs to preserve personal information in accordance with the law, it separates and stores the personal information or personal information file from other personal information. The company does not use personal information stored in a separate database for purposes other than retention unless otherwise provided by law.

Personal Information Protection Manager and Department

The company is responsible for overall personal information processing and has designated a personal information protection manager and department to handle user complaints, damage relief, and other matters related to personal information processing. Users can contact the personal information protection manager and department for all inquiries, complaints, damage relief, and other matters related to personal information protection while using the company's service. The company promptly responds to user inquiries.

[Personal Information Protection Manager]: - Personal Information Protection Manager: Inseon Son; - Department/Position: Service Operations Division/Team Leader; - Phone Number: 070-5159-8454; - Email Address: admin@mdsqr.com

Changes to the Privacy Policy

If there are any changes to the privacy policy, the company will notify users at least 7 days before the effective date of the revised privacy policy through the website/mobile app's announcements or by email. In addition, if necessary, the company may seek user consent again.

Ensuring the Security of Personal Information

The company has implemented the following technical measures to ensure the security of users' personal information and prevent its loss, theft, leakage, alteration, or damage:

Users' personal information is protected by passwords, and important data is protected by encryption or file lock functions. Important data is also protected through separate security features.
The company uses antivirus programs to prevent damage from computer viruses. Antivirus programs are regularly updated, and in the event of a sudden virus outbreak, the company provides immediate protection by providing the latest antivirus solutions to prevent infringement of personal information.
To prepare for external intrusions such as hacking, each server is equipped with intrusion prevention systems and vulnerability analysis systems to ensure security.
The company limits access to users' personal information to the minimum number of personnel necessary. Only employees responsible for personal information management, including those who perform marketing tasks directly related to users, personal information protection managers, and personnel who must handle personal information in the course of their work, are allowed access. Regular education emphasizes compliance with this policy.

Installation/Operation and Refusal of Personal Information Automatic Collection Devices

The company uses 'cookies' to provide users with customized services and retrieve user information frequently to deliver personalized content. Cookies are small pieces of information sent by the server (HTTP) that operates the website to the user's web browser and may be stored on the user's PC's hard disk.

Purpose of Using Cookies: Cookies are used to understand how users visit and use the company's services and websites, popular search terms, whether secure connections are established, and the size of the user base in order to provide optimized information to users.
Installation/Operation and Refusal of Cookies:
- 1) Users have the option to allow or refuse cookies. Therefore, users can choose to allow all cookies, confirm each time a cookie is stored, or refuse all cookies by configuring options in the web browser. However, if cookies are refused, some services that require login may be difficult to use.
- 2) To refuse the setting of cookies, users can select options in the web browser they use to allow all cookies, confirm each time a cookie is stored, or refuse all cookies.

Supplementary Provisions

(1) This policy will be effective from March 12, 2020, and the previous privacy policy, which was in effect from June 1, 2019, will be replaced by this policy.
Changes: Amendments related to personal information handling by subcontracted companies.
(2) This policy will be effective from August 1, 2020, and the previous privacy policy, which was in effect from March 12, 2019, will be replaced by this policy.
Changes: Overall policy revisions and improvements in accordance with government guidelines.
(3) This policy will be effective from February 1, 2022, and the previous privacy policy, which was in effect from August 1, 2020, will be replaced by this policy.
Changes: Addition of personal information collection items.