Effective Date: December 9, 2024

VUNO Inc. (hereinafter referred to as "the Company") values the protection of users'

personal information and rights and strives to address user complaints related to

personal information promptly. This Privacy Policy complies with the Personal

Information Protection Act.

Article 1. Purpose of Processing Personal Information

The Company processes personal information for the following purposes:

1. Providing Website Services:

o Handling inquiries, including demo requests and dispute resolution.

o Delivering webinar services via VUNO Academy.

o Managing service contracts, membership accounts, and promotional

activities through VUNO Mall.

2. Clinical Trials and Research:

o Verifying researchers' identities, qualifications, and professional capabilities.

o Executing contracts, including consultancy agreements.

o Documenting compliance and managing dispute resolutions related to

clinical trials.

3. Marketing Activities:

o Conducting surveys and market research for business improvement.

o Promoting products and services through email, text messages, or calls.

4. Complaint Handling:

o Investigating and resolving safety and quality-related complaints.

o Responding to product inquiries and addressing customer concerns.

5. Legal Compliance:

o Fulfilling legal obligations under relevant laws, such as the Medical Device

Act.

6. Player recruitment:

Verification of applicant's identity and academic background, decision on whether

to hire, and other recruitment-related tasks, confirmation of intent to apply when

hiring, other additional recruitment-related tasks, management of past application

history, prevention of repeated applications from unqualified persons, and

protection and maintenance of employment contracts when hiring.

7. Media Interviews:

Use of media such as interviews, reporting on company products, and press

releases

8. Litigation and administrative opposition Opposition:

Research on the fact that it is in accordance with related laws such as the Medical

Act, Medical Device Act, and lawsuits regarding bioethics and safety, restrictions

on the obligation to submit data and try reports, and the obligation to find

lectures/receive registration of newlyweds, handle tax, etc., pets, pets, registration

and issuance of tax invoices, etc., complex and disposition applications to animal

authorities and related organizations, etc., etc., going to the company, etc.

Opposition and administrative opposition

9. Personal image information processing:

facility safety, fire and prevention, large-scale large-scale and civil complaint

response

10. Hativcare application:

membership registration, measurement, service application, and performance of

customer activities

In addition, the company processes pseudonymized medical data for the purpose of AI

software development and research. Medical data used in research does not contain

information that can identify an individual, such as name or contact information, and the

company uses the data only for scientific research purposes and does not process

pseudonymized information for the purpose of identifying a specific individual.

Meanwhile, in accordance with the Personal Information Protection Act, the company

may use and provide personal information within the scope reasonably related to the

original purpose of collection, considering whether there is any disadvantage to the data

subject and whether necessary measures have been taken to ensure security, such as

encryption. The specific considerations are as follows, and the company will carefully

determine whether to use and provide the information by comprehensively considering

all circumstances, including the Personal Information Protection Act and other related

laws, the purpose of using and providing personal information, the method by which

personal information is used and provided, the personal information items to be used

and provided, the content of any information that the information subject has consented

to or has been notified or disclosed to the information subject, the impact on the

information subject due to use and provision, and the measures taken to protect the

information in question:

• Whether it is related to the original purpose of collection

• Whether it is predictable that the personal information will be used or

provided further in light of the circumstances in which the personal information

was collected or the processing practices

• Whether it unfairly infringes upon the interests of the information subject

• Whether measures necessary to ensure security, such as pseudonymization or

encryption, have been taken.

Article 2. Retention and Use Period

1. The Company retains personal information only for the period necessary to

achieve its stated purposes or as required by relevant laws. Once the purpose is

achieved, the information is securely destroyed.

• Provision of services on the website

• Submit Inquiries: 3 years from the date of submitting an inquiry

• VUNO Academy: Until membership withdrawal

• Viewno Mall: Until membership withdrawal

• Conducting various studies including clinical trials: In the case of medical

device clinical trials, 3 years from the date of manufacturing/change approval,

and in other cases, 3 years from the date of completion of the study, but for

information related to consultation/lectures, 5 years from the date of completion

of the consultation/lecture

• Sales activities: 3 years from the date of collection

• Transaction activities: Until the end of the contract

• Handling civil complaints: 3 years from the date of collection

• Recruitment: 1 year from the date of confirmation of employment

• Media activities: 3 years from the date of collection

• Fulfillment of legal and administrative obligations: Until the fulfillment of

obligations stipulated in relevant laws and regulations (3 years from the date of

reporting in the case of reporting of adverse medical device cases)

• Processing of personal image information: 180 days from the date of collection

• Hativcare Application: Until membership withdrawal

In the case of pseudonymized medical data, it is used for scientific research

purposes and is retained and used until the end of the research.

2. In addition, if personal information protection is required in accordance with relevant

laws such as the Commercial Act and the Communications Secrets Protection Act, the

company retains the relevant information for the retention and use period specified in

the relevant laws. • Important documents related to the company's business

Basis for preservation: Commercial Act

Retention period: 10 years

• Records related to payment and supply of goods, etc., and records related to

contracts or cancellation of subscription, etc.

Basis for preservation: Act on Consumer Protection in Electronic Commerce, etc.

Retention period: 5 years

• Records related to handling of consumer complaints or disputes

Basis for preservation: Act on Consumer Protection in Electronic Commerce, etc.

Retention period: 3 years

• Records related to labeling and advertising

Basis for preservation: Act on Consumer Protection in Electronic Commerce, etc.

Retention period: 6 months

• Website visit records:

Basis for preservation: Protection of Communications Secrets Act

Retention period: 3 months

• Clinical trial plans and records and data related to conducting clinical trials

Basis for preservation: Medical Devices Act

Retention period: 3 years

• Records related to human subject research

Basis for preservation: Bioethics Act

Retention period: 3 years

Article 3. Third-Party Sharing

1. The Company does not share personal information with third parties without the

user’s prior consent unless required by law.

2. Where third-party sharing is necessary (e.g., for service improvement or research),

users will be informed and their explicit consent obtained.

Article 4. Rights of Data Subjects

1. Users may request access, correction, deletion, or restriction of their personal

information.

2. Users may withdraw consent for the processing of their data at any time.

3. Requests must be submitted via the Company’s official contact channels.

Article 5. Measures for Security

The Company employs the following measures to safeguard personal information:

1. Technical Safeguards: Encryption, access control, and firewall protection.

2. Administrative Measures: Regular training for employees handling personal data.

3. Physical Security: Secure storage facilities and restricted access.

Article 6. Categories of Collected Personal Information

1. The data subject may exercise the following personal information protection

rights against the company at any time. However, if there are obligations

stipulated in relevant laws, the exercise of rights may be restricted.

• Request to view personal information

• Request for correction in case of errors, etc.

• Request for deletion

• Request for suspension of processing

• Exercise of the right to withdraw consent

2. The exercise of rights under Paragraph 1 may be made to the company by

submitting a written document, e-mail, facsimile (FAX), etc. to the address listed

below in the format of Appendix 8 of the Enforcement Regulations of the

Personal Information Protection Act, and the company will take action without

delay. However, the right to withdraw consent may also be exercised in the same

manner as the method by which you indicated your consent.

• Address: 9th floor, 479 Gangnam-daero, Seocho-gu, Seoul

• E-mail address: privacy@vuno.co

• Fax number: 02-515-6647

3. If the information subject requests correction or deletion of personal information

due to errors, etc., the company will not use or provide the personal information

until the correction or deletion is completed.

4. The rights under paragraph 1 may be exercised through an agent, such as the

information subject's legal representative or an authorized person. In this case, a

power of attorney in the format of Appendix 11 of the Enforcement Regulations

of the Personal Information Protection Act must be submitted.

5. If the information subject or agent exercises the rights under paragraph 1, the

company will verify whether the person making the request is the person himself

or a legitimate agent.

Article 7. Methods of Information Collection

1. The company processes the following personal information items.

1) Providing services on the website

• Submit Inquiries: User's name, region, affiliation, email address, phone number,

inquiry content

• VUNO Academy: User's name, position, email address, password, hospital name

and department information in case of medical professionals, mobile phone

number

2) Viewno Mall: User's name, date of birth, login ID, email address, password,

mobile phone number, address, payment information, alien registration number

(alien registration number, passport number, nationality) in case of foreigners

3) Conducting various studies including clinical trials

• Name, address, date of birth, affiliation, phone number, email address, license

number, academic background, qualifications, department, education, specialty,

work experience, etc., career history, books, papers published, research experience

and clinical trial management standards, etc. Completion of related education,

and other information listed on the researcher's resume

• Information related to reporting of consultation/lecture: In case of consultation

(purpose of consultation request such as consultation date or consultation period,

event name, name and affiliation of advisor, amount of consultation fee paid,

(Advisory topic), in the case of a lecture (purpose of requesting a lecture such as

lecture date, lecture venue, event name, lecturer's name and affiliation, lecture fee,

lecture topic)

• Voice information

4) Sales activities

• Customer's name, workplace (affiliated hospital and department), email, phone

number

5) Transaction activities

• Company name, business registration number, names of affiliated employees,

addresses, account numbers, email addresses, phone numbers, mobile phone

numbers, and other personal information listed on business cards provided to the

company

• Names of sponsoring organization officials, names of event participants, names

of staff, contact information, address, account numbers, names of beneficiaries,

contact information, email, affiliation

6) Handling complaints and safety information management

• Name, date of birth or age, gender, phone number, address, email, hospital in

charge and doctor in charge (in case of doctors, major, type of employment, and

hospital in charge)

• Sensitive information: Health information (treatment area, inquiry area, product

information, safety information content and period, etc.)

7) Talent recruitment (job application)

• Name, address, nationality, phone number, e-mail address, e-mail address for

veterans and persons with disabilities, academic background, grades, Military

service, career, intellectual property rights/papers/books/research achievements,

overseas stay experience and training activities, social/volunteer activities,

language and other qualifications, self-introduction, photo, date of birth,

academic background, qualifications, career history, foreign language skills,

information written on the applicant's resume, and other information that the

applicant has agreed to collect

8) Media activities

• Information written on the business card such as the reporter's name, affiliation,

email address, and phone number, or information publicly posted on the website

9) Issuance of tax invoices

• Customer's name, business registration number, corporate registration number,

business resident registration number, phone number, email address, date of birth

10) CCTV footage

11) Hativcare Application

(Required general personal information) Name, mobile phone number, email,

encrypted user identification value (CI), date of birth, gender, device model, OS

version, device ID, and other basic information from mobile devices, and

information of the legal representative (name, mobile phone number) for

subscribers under the age of 14 (Required sensitive information)

Electrocardiogram measurement data, average heart rate and measurement time,

height, Other personal information including weight, blood pressure, blood sugar,

body temperature, and other symptoms

(Processing personal information of children under 14 years of age) When

collecting personal information of children under 14 years of age, the company

may request the name and contact information of the child's legal representative

and confirm whether the legal representative has consented.

2. The company collects personal information in No. 1 through the following methods or

processes. • Collected during the application process for services on the website (Submit

Inquiries)

• Collected by receiving researcher resumes when conducting research such as

medical device clinical trials

• Collected by receiving business cards of healthcare professionals who attended

conferences for business activities

• Collected during the process of concluding various contracts with business

partners

• Collected through job applications by job applicants

• Collected by receiving business cards from reporters or public information

posted on the website

• Collected during the process of reporting adverse effects (providing civil

complaints) for non-sale medical devices

• Collected during national projects, IIT, and SIT research processes

• Collected by registering as a member of Hativcare Application and registering

user information

• Collecting additional information through devices connected to Hativcare

Application (Hativ P30)

Article 8. Destruction of Personal Information

The company destroys the relevant personal information without delay when the

personal information becomes unnecessary, such as when the retention period for

personal information expires or the purpose of personal information processing is

achieved. The procedures, deadlines, and methods for destruction are as follows.

1. Destruction Procedure

Collected personal information is transferred to a separate DB (separate documents in

the case of paper) after the retention period expires or the purpose is achieved, and is

stored for a certain period of time or destroyed immediately in accordance with internal

policies and other relevant laws.

In this case, personal information transferred to the DB is not used for any other purpose

except in cases required by law.

2. Destruction Method

Personal information recorded and stored in paper documents is destroyed by shredding

or incineration, and personal information recorded and stored in electronic file formats is

destroyed using a technical method that makes it impossible to reproduce the records.

Article 9. Data Protection Officer

The company is taking the following technical/administrative and physical measures

necessary to ensure safety in accordance with Article 29 of the Personal Information

Protection Act:

1. Administrative measures

Establishment/implementation of internal management plans, regular employee

training, etc.

2. Technical measures

Management of access rights to personal information processing systems, installation

of access control systems, encryption of unique identification information, installation

of security programs

3. Physical measures

Access control to computer rooms, data storage rooms, etc.

In addition to the above, the following measures are taken for pseudonymized

information:

1. Separate storage of pseudonymized information and additional information.

However, if additional information is unnecessary, the additional information is

destroyed.

2. Separation of access rights to pseudonymized information and additional

information

3. Retention of records related to pseudonymized information processing, including

the following:

• Purpose of pseudonymized information processing

• Items of pseudonymized personal information

• Usage details of pseudonymized information

• Recipients when provided to third parties

• Other matters deemed necessary by the Protection Committee and announced

for the purpose of managing the processing of pseudonymized information

Article 10. Automated Decision-Making

1. The company is responsible for the overall management of personal information

processing, and has designated a personal information protection officer as follows to

handle complaints and provide remedies for damages related to personal information

processing.

Personal Information Protection Officer

- Name: Park Jong-hoon

- Affiliation and Position: SW Development Headquarters/Head of Headquarters

- Phone Number and Email Address: 02-515-6646 / privacy@vuno.co

2. The information subject may inquire about all personal information protection-related

inquiries, complaint handling, remedies, etc. that arise while using the company's services

(or business) to the personal information protection officer and the department in

charge. The company will respond to and process the information subject's inquiries

without delay.

Article 11. Legal Compliance and Rights

The company uses ‘cookies’ to store and retrieve user information from time to time in

order to provide personalized and customized services. Cookies are very small text files

that the server used to operate the company’s website sends to the user’s browser and

are stored on the user’s computer hard disk. When the user visits the website, the

website server reads the contents of the cookies stored on the user’s hard disk to

maintain the user’s settings and provide customized services.

The user (information subject) has the option to install cookies. Therefore, the

information subject can allow all cookies, confirm each time a cookie is stored, or reject

all cookies by setting options in the web browser. The information subject can allow all

cookies, confirm each time a cookie is stored, or reject all cookies by selecting options in

the web browser he or she uses.

How to specify whether to allow cookie installation (for Internet Explorer)

• Tools > Internet Options > Personal Information at the top of the web

browser. However, if the user rejects cookie installation, there may be difficulties

in providing services.

Article 12. International Data Transfers

1. The company installs and operates video information processing equipment as

follows. 1. Basis and purpose of installing video information processing devices:

Company facility safety and fire prevention, crime prevention and investigation,

transparency of logistics operations, and customer complaint response

2. Number of units installed, installation location, shooting range, and type of video

information processing devices

• Basement 2 (total 8 units, fixed type): 1 unit at entrance (lobby and hallway), 1

unit at server room entrance (server room entrance lobby), 3 units in server room

(inside server room), 3 units in Hativ warehouse (inside warehouse)

• 8th floor: 1 unit at entrance (lobby and hallway, fixed type)

• 9th floor: 1 unit at entrance (lobby and hallway, fixed type)

• 10th floor: 1 unit at entrance (lobby and hallway, fixed type)

• 11th floor: 1 unit at entrance (lobby and hallway, fixed type)

3. Manager, department in charge, and person with access to video information

• Manager: General Affairs Team Leader

• Person with access: Head of Management Support Headquarters, IT Security

Infrastructure Team Leader, HR Team Leader, Hativ Team Logistics Packaging

Manager (limited to devices installed in Hativ warehouse)

4. Video information shooting time, storage period, storage location, processing method

• Shooting time: 24 hours of shooting

• Storage period: 180 days from shooting

• Storage location: Server room

• Processing method: Record and manage matters related to requests for use of

personal video information other than its intended purpose, provision to third

parties, destruction, viewing, etc., and permanently delete it in a way that cannot

be restored (automatic deletion by system) when the storage period expires

5. Video information confirmation method and location: Request to the manager

6. Measures for requests for viewing video information, etc. by the information subject:

Must apply in the form of a request for viewing, provision, or deletion of personal video

information, and viewing is permitted only when the information subject himself/herself

was filmed or when it is clearly necessary for the life, body, or property interests of the

information subject

7. Technical, administrative, and physical measures for video information protection:

• Establishment of an internal management plan, access control and access

authority restrictions, safe storage and transmission technology for video

information Application, storage of processing records and measures to prevent

forgery and falsification, provision of storage facilities and installation of locking

devices, etc.

8. Other matters necessary for the installation, operation and management of video

information processing devices: The company does not operate video information

processing devices in public places for purposes not permitted by law, and does not

install or operate video information processing devices inside places where there is a risk

of significant infringement on an individual's privacy, such as bathrooms, restrooms,

steam rooms, and changing rooms. The company does not arbitrarily manipulate video

information processing devices or use recording functions..

Article 13. Changes to Privacy Policy

The Company website may contain links to third-party websites, plug-ins, and

applications. If you click on or connect to a link, the third party may collect or use your

personal information. The Company does not control these third-party websites, plug-ins,

and applications and is not responsible for their processing of your personal information.

Article 14. Miscellaneous

1. This Privacy Policy is subject to interpretation in accordance with applicable laws

of the Republic of Korea.

2. For questions regarding this Privacy Policy, users may contact the Data Protection

Officer via the provided contact information.