Privacy Policy

This Privacy Policy is a guideline intended to protect important personal information and the rights of the users of the services provided by Bioantibody Biotechnology Co., Ltd. (hereinafter the “Company”) and to suitably handle the user’s problems regarding personal information. This Privacy Policy applies to the user of the Services provided by the Company. The Company collects, utilizes, and provides personal information based on the user’s consent and in compliance with the related laws.

1. Collection of Personal Information

① The Company will only collect minimum personal information necessary to provide the Services.

② The Company will handle the essential information necessary for the provision of the Services based on the user’s consent.

③ The Company may collect personal information without obtaining the user’s consent to collect and use personal information if there is a special provision under the laws or if the Company must do so in order to comply with certain legal obligations.

④ The Company will process personal information during the period of retention and use of personal information as set forth under the relevant laws, or the period of retention and use of personal information as agreed by the user when the collection of personal information from such user is made. The Company will immediately destroy such personal information if the user requests membership withdrawal, the user withdraws consent to the collection and use of personal information, the purpose of the collection and use has been fulfilled, or the retention period ends.

⑤ The types of personal information that are collected by the Company from the user during the membership registration process, and the purpose of the collection and use of such information are the following:

- Mandatory information: name, address, gender, date of birth, email address, mobile phone number, and encrypted identification verification information

- Purpose of collection/use: prevention of misuse of Services, and handling of complaints and resolving disputes.

- Period of retention and use: destroy without delay when the purpose of collection/use has been fulfilled as a result of membership withdrawal, termination of the user agreement or other reasons (provided, however, that certain information required to be retained under related laws will be retained for a set period).

2. Purpose of Personal Information Use

The personal information collected by the Company will be collected and used for the following purposes only. Personal information will not be used for any purpose other than the following. However, in the event the purpose of use has changed, necessary measures will be taken by the Company such as separately obtaining advance consent from the user.

① Provision of the Services, maintenance and improvement of the Services, provision of new Services, and provision of a secure environment for the use of Services.

② Prevention of misuse, prevention of violations of the law and the terms of service, consultations and handling of disputes related to the use of the Services, preservation of records for the resolution of disputes, and individual notice to members.

③ Provision of customized services by analyzing the statistical data of the use of the Services, the access/use logs of the Services and other information.

④ Provision of marketing information, opportunities for participation, and advertising information.

3. Matters relating to the Provision of Personal Information to Third Parties

As a principle, the Company does not provide the personal information of users to third parties or disclose such information externally. However, the following cases are exceptions:

- The user has consented in advance to such provision of personal information for the use of the Services.

- If there is a special rule under law, or if such is inevitable in order to comply with the obligations under law.

- When the circumstances do not allow consent to be obtained from the user in advance but it is recognized that the risk concerning the life or safety of the user or a third party is imminent and that such provision of personal information is needed in order to resolve such risks.

4. Consignment of Personal Information

① Consignment of the processing of personal information means consigning personal information to an external consignee in order to process the work of the person providing the personal information. Even after the personal information is consigned, the consignor (the person who provided the personal information) has the responsibility to manage and supervise the consignee.

② The Company may process and consign the user’s sensitive information for the generation and provision of QR code services based on COVID-19 test results, and in such case, the information regarding such consignment will be disclosed by the Company through this Privacy Policy without delay.

5. Determination Criteria for Additional Use and Provision of Personal Information

In the event the Company uses or provides personal information without the consent of the information subject, the personal information protection officer will determine whether additional use or provision of personal information is being made based on the following criteria:

- Whether it is related to the original purpose of collection: determination will be made based on whether the original purpose of collection and the purpose of additional use and provision of personal information are mutually related in terms of their nature or tendency.

- Whether it was possible to predict additional use or provision of personal information based on the circumstances in which personal information was collected or the processing practices: predictability is determined based on the circumstances pursuant to the relatively specific situations such as the purpose and content of personal information collection, the relationship between the personal information controller processing information and the information subject, and the current technology level and the speed of development of the technology, or the general circumstances in which the processing of personal information was established during a relatively long period of time.

- Whether the information subject’s interests are unfairly infringed: this is determined based on whether the purpose and intention of additional use of the information infringe the information subject’s interests and whether the infringement is unfair.

- Whether necessary measures were taken to ensure security through pseudonymization or encryption: this is determined based on the 「Personal Information Protection Guideline」 and 「Personal Information Encryption Guideline」 published by the Personal Information Protection Committee.

6. Rights of Users and Methods of Exercising Rights

As the personal information subject, the user may exercise the following rights.

① The user may exercise his/her rights to request access, correction, deletion, or suspension of processing concerning the user’s personal information at any time through a written request, email request, and other means to the Company. The user may exercise such rights through the user’s legal representative or authorized person. In such cases, a valid power of attorney under relevant laws has to be submitted.

② If the user requests the correction of an error in personal information or suspension of processing personal information, the Company will not use or provide the personal information in question until the corrections are made or the request for a suspension of processing personal information has been withdrawn. If incorrect personal information has already been provided to a third party, the results of the processed correction will be notified to such third party without delay.

③ The exercise of rights under this Article may be restricted by laws related to personal information and other laws and regulations.

④ The user will not infringe the user’s own or other person’s personal information and privacy handled by the Company by violating related laws such as the Personal Information Protection Act.

⑤ The Company will verify whether the person who made the request to access information, correct or delete information, or suspend information processing pursuant to the user’s rights is the user himself/herself or the legitimate representative of such user.

7. Exercise of Rights by Users that are Children under 14 years of age and their Legal Representative

① The Company requires the consent of the legal representative of the child user in order to collect, use, and provide personal information of the child user.

② In accordance with the laws related to the protection of personal information and this Privacy Policy, a child user and his/her legal representative may request necessary measures for the protection of personal information, such as requesting access, correction, and deletion of the child user’s personal information, and the Company will respond to such requests without delay.

8. Destruction and Retention of Personal Information

① The Company will, in principle, destroy the personal information of the user without delay when the purpose of processing such information is fulfilled.

② Electronic files will be securely deleted so that they cannot be recovered or restored. With respect to personal information recorded or stored on paper such as records, publications, documents and others, the Company will destroy such materials by means of shredding or incineration.

③ The types of personal information that are retained for a set period and thereafter destroyed in accordance with internal policy are as set forth below.

④ In order to prevent misuse of Services and to minimize damages to the user as a result of identity theft, the Company may retain the information necessary for personal identification for up to 1 year after membership withdrawal.

⑤ In the event the related laws prescribe a set retention period for personal information, the personal information in question will be stored securely for the set period as mandated by the law.

[The Act on the Consumer Protection in Electronic Commerce, etc.]

- Records on withdrawal of agreement or subscription, etc.: 5 years

- Records on payments and provision of goods, etc.: 5 years

- Records on customer complaints or dispute resolutions: 3 years

- Records on labelling/advertising: 6 months

[Electronic Financial Transactions Act]

- Records on electronic financial transactions: 5 years

[Framework Act on National Taxes]

- All ledgers and evidentiary materials regarding transactions prescribed by tax laws: 5 years

[Protection of Communications Secrets Act]

- Records on Services access: 3 months

[Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.]

- Records on user identification: 6 months

9. Amendments to Privacy Policy

This Privacy Policy of the Company may be amended in accordance with the related laws and internal policies. In the event of an amendment to this Privacy Policy such as a supplement, alteration, deletion, or other change, the Company will give notice 7 days before the effective date of such amendment on the Services page, the connecting page, the popup window or through other means. However, the Company will give notice 30 days before the effective date in the event of any serious changes made to the rights of the user.

10. Measures to Ensure the Security of Personal Information

The Company takes the following technical, administrative, and physical measures necessary to ensure the security of personal information pursuant to the relevant laws.

[Administrative measures]

① Minimizing the number of employees processing personal information and training such employees

Measures have been implemented to manage personal information such as minimizing the number of managers processing personal information, providing a separate password for access to personal information only to the required manager and renewing said password regularly, and emphasizing adherence to the Company’s Privacy Policy through frequent training of the responsible employees.

② Establishment and implementation of the internal management plan

An internal management plan has been established and implemented for the safe processing of personal information.

[Technical measures]

Technical measures against hacking

To prevent personal information from being leaked or damaged as a result of hacking, computer viruses and others, the Company has installed security programs, regularly conducts updates/inspections, and frequently performs data backups.

Use of firewall system

The Company controls unauthorized external access by installing a firewall system in areas where external access is restricted. The Company monitors and restricts such unauthorized access through technical/physical means.

Encryption of personal information

The Company stores and manages important personal information of users by encrypting such information, and utilizes separate security functions such as encryption of files and transmitted data or use of file locking functions.

Retention of access records and prevention of falsification/alteration

The Company retains and manages the access records of the personal information processing system for a minimum of 6 months. The Company utilizes security measures to prevent the access records from being falsified, altered, lost or stolen.

[Physical measures]

① Restrictions on access to personal information

The Company is taking necessary measures to control personal information access by granting, changing and terminating access rights to the database system that processes personal information. The Company uses an intrusion prevention system physically to restrict unauthorized external access.

Addendum

This Privacy Policy will take effect on May 12, 2022.