Privacy Policy
VUNO Inc. (hereinafter referred to as the “Company”) hereby adopts and publishes this Privacy Policy in accordance with applicable data protection laws to safeguard the personal information and privacy rights of individuals and to address privacy-related inquiries and concerns in a prompt and appropriate manner.
※ Effective Date: 23 March 2026
Article 1. Purpose of Processing, Categories of Personal Information Collected, and Retention Period
When the Company processes Personal Information, it provides advance notice of the purpose of collection, categories of Personal Information collected, and applicable retention period through this Privacy Policy and/or a separate Notice and Consent Form, in accordance with applicable data protection laws.
The Company may collect and use Personal Information where one or more of the following legal bases applies, and will process such information solely within the scope of the disclosed purpose:
- Where the individual has provided prior affirmative consent;
- Where processing is required or expressly permitted by applicable law, or is necessary to comply with a legal obligation;
- Where processing is necessary to perform a contract with the individual, or to take steps at the individual’s request prior to entering into a contract;
- Where processing is necessary to protect the vital interests of the individual or another person in an emergency situation involving imminent risk to life, health, or property;
- Where processing is necessary for the Company’s legitimate business interests and such interests are not overridden by the individual’s rights and freedoms; or
- Where processing is urgently required to protect public health, public safety, or other significant public interests.
The Company processes Personal Information for the following purposes and categories:
| Category | Purpose | Required/Optional | Categories of Personal Information Collected | Retention Period |
| --- | --- | --- | --- | --- |
| [VUNO Website] Submit Inquiries | Responding to inquiries, handling complaints, and managing disputes | Required | Name, region, affiliated organization, job title, phone number, email address, country of affiliation, and inquiry details | 3 years from the date the inquiry is submitted |
| | Sending newsletters and providing promotional information about the Company’s products, services, and events | Optional | email address | 3 years from the date of consent |
| [Hativmall] Account Registration | Performance of a contract for the provision of services, billing and payment processing, and account administration | Required | Name, date of birth, login ID, email address, password, payment information, and nationality (if a foreign national) | Until the account is deleted or membership is terminated |
| | | Required | [Unique Identifiers] foreigner registration number (e.g., alien registration number or passport number), if applicable to foreign nationals | |
| | Marketing and Advertising | Optional | email address, phone number | |
| | Performance of a Contract for Service Provision and Account Administration | Optional | phone number, address | |
| [VUNO Careers] Apply for a Job Posting | Providing recruitment-related communications and notices; contacting applicants regarding the recruitment process and use of the careers website; evaluating candidate qualifications; using application materials for resume screening and interviews; and maintaining a talent database for future opportunities | Required | name, phone number, email | 3 years from the date of application submission |
| | | Optional | date of birth, mailing address, cover letter, resume/CV, education history, photograph, video, certifications or licenses, employment history, portfolio, detailed work experience statement, position applied for, desired salary, most recent salary, references, source of application, and any other information voluntarily entered or uploaded by the applicant (including via attachments) that may identify the individual | |
| [Company-Hosted Events] Event Registration | Event administration and participant communications | Required | name (in Korean and/or English), affiliated organization, contact information, email address | 90 days from the event end date |
| | Administration of and related communications for VUNO-hosted events | Optional | name (Korean and/or English), affiliated organization, contact information, email address | 5 years from the date of consent |
| [Advisory] Medical Advisory Services | Verification of advisory board member identity and payment of advisory fees | Required | name, date of birth, affiliated organization, contact information, email address, bank account number, advisory service date, and advisory fee amount | 5 years from the date of collection |
| | Evaluating future advisory engagements and conducting product-related marketing activities | Optional | photograph, education history, employment history, research experience, fax number | |
| [Government-Funded Projects] Performance of National R&D Projects | Submission of required documentation for the performance of government-funded R&D projects | Required | name, affiliated organization, email address, contact information, education history, graduation year | For the period specified in the applicable National R&D Project RFP (which may vary by project) |
| [Clinical Trials] Records and Documentation Relating to the Conduct of Clinical Trials | Verification of researcher qualifications | Required | name, title, position, phone number, email address, resume/CV (education history, employment history, license number, training records, clinical trial participation information) | 3 years from the date of completion of the clinical trial; if separate consent has been obtained, for the period specified in the applicable Personal Information Collection and Use Consent Form (which may vary by study) |
| | Collection of clinical trial data | Required | age, gender, and other subject clinical information (which may vary by study) | |
| [VUUC] User Management Service | Administration and management of users of VUNO products | Required | affiliated institution, name, email address | Until the service is terminated |
| | | Optional | phone number, address | |
| [Hativ Care] Account Registration | Account registration; measurement and analysis; processing of service applications and consultation activities; and scientific research purposes | Required | name, phone number, encrypted user identification value (CI), date of birth, gender | Until the account is deleted or membership is terminated |
| | Account registration; measurement and analysis; and processing of service applications and consultation activities | Optional | email | |
| | Measurement and analysis; processing of service applications and consultation activities; and scientific research purposes | Required | [Sensitive Personal Information] electrocardiogram (ECG) measurement data, average heart rate, measurement time | |
| | | Optional | [Sensitive Personal Information] height, weight, blood pressure, blood glucose level, body temperature, other symptoms (discomfort, palpitations, dizziness, shortness of breath, chest pain), and notes | |
The Company processes patient information on behalf of healthcare institutions in connection with the provision of its AI-based medical device services.
In providing AI-based medical device services to healthcare institutions, the Company processes patient information entered into the system by healthcare providers, solely as a service provider acting on behalf of such institutions and only for the purpose of delivering the contracted medical device services, as described below:
| Category | Purpose | Required/Optional | Categories of Personal Information Collected | Retention Period |
| --- | --- | --- | --- | --- |
| [Medical Device] DeepCARS | Analysis of patient electrocardiogram (ECG) measurement data | Required | name, gender, date of birth, patient identification number(PID), electrocardiogram(ECG) measurement data | Until termination of service use |
| [Medical Device] Chest X-ray | Interpretation of patient chest X-ray images | Required | name, gender, date of birth, patient identification number(PID), chest X-ray images | 5 years from the date the patient information is stored |
| [Medical Device] Fundus AI | Interpretation of patient fundus images | Required | name, date of birth, patient identification number(PID), fundus images | 5 years from the date the patient information is stored |
The Company may retain Personal Information beyond the originally disclosed retention period, to the extent necessary, until the applicable period expires or the relevant condition is satisfied, in the following circumstances:
- Where the individual has provided separate consent for a specified retention period, the Company will retain the Personal Information for the duration of that consented period;
- Where the service has been terminated or discontinued, but outstanding fees or other payment obligations remain unpaid, the Company may retain the relevant Personal Information until such amounts are paid in full;
- Where a complaint, claim, audit, investigation, or legal dispute involving the Company is pending and has not been resolved within the standard retention period, the Company may retain the relevant Personal Information until the matter is fully resolved;
- Where retention is required for a specified period under applicable laws or regulations (including, without limitation, commercial or consumer protection laws), the Company will retain Personal Information for the duration mandated by such laws, as set forth below:
| Applicable Law | Categories of Personal Information Collected | Retention Period |
| --- | --- | --- |
| Commercial Act | Personal information included in key business records of the Company | 10 years |
| Act on Consumer Protection in Electronic Commerce, etc | Personal information included in records relating to contracts or withdrawal of offers (including cancellation or rescission) | 5 years |
| | Personal information included in records relating to payment of consideration and the supply of goods or services | 5 years |
| | Personal information included in records relating to consumer complaints or dispute resolution | 5 years |
| | Personal information included in records relating to labeling and advertising | 6 months |
| Protection of Communications Secrets Act | Personal information included in website access logs | 3 months |
| Medical Device Act | Personal information included in clinical trial protocols and records and materials relating to the conduct of clinical trials | 3 years |
| Digital Medical Products Act | Personal information included in clinical trial protocols and records and materials relating to the conduct and management of clinical trials | 3 years |
| Bioethics and Safety Act | Personal information included in records relating to human subject research | 3 years |
Article 2. Personal Information of Children Under 14
When collecting Personal Information from a child under the age of 14, the Company obtains verifiable consent from the child’s parent or legal guardian and collects only the minimum Personal Information necessary to provide the relevant services.
In connection with such collection, the Company may request limited information from the child, such as the name and contact information of the parent or legal guardian, for the purpose of obtaining and verifying parental consent. The Company verifies that valid consent has been provided by the parent or legal guardian through one of the following methods:
- Requiring the parent or legal guardian to indicate consent on a website that presents the relevant consent terms, and verifying their identity through mobile phone authentication or a comparable identity verification process;
- Providing a written consent form directly, or delivering it by mail or facsimile, and requiring the parent or legal guardian to sign and return the executed form;
- Notifying the parent or legal guardian of the consent terms by telephone and obtaining consent during the call, or providing instructions (e.g., by email) on how to review the consent terms and subsequently obtaining confirmation through a follow-up telephone call; or
- Using any other method that is reasonably designed to inform the parent or legal guardian of the consent terms and to verify their affirmative authorization, consistent with applicable law.
Article 3. Data Retention and Secure Disposal
The Company securely disposes of Personal Information without undue delay once the purpose for which it was collected and used has been fulfilled or the applicable retention period has expired, unless continued retention is required pursuant to the individual’s consent, applicable terms of service, or relevant laws and regulations.
Personal Information maintained in paper form is destroyed by shredding or incineration. Personal Information stored in electronic form is permanently deleted using secure technical methods designed to prevent recovery or reconstruction of the data.
If, due to technical limitations, complete deletion is not reasonably feasible, the Company will take appropriate measures to irreversibly anonymize the information so that it can no longer be used to identify an individual, taking into account reasonable considerations of time, cost, and available technology.
Article 4. Disclosure of Personal Information to Third Parties
The Company processes Personal Information only within the scope of the purposes described in this Privacy Policy. The Company discloses Personal Information to third parties only where (i) the individual has provided prior consent, or (ii) such disclosure is required or expressly permitted under applicable law. Except as described herein, the Company does not disclose Personal Information to third parties.
The Company discloses Personal Information to the following third parties for the purposes described below:
| Category | Recipient | Purpose of Disclosure | Categories of Personal Information Disclosed | Retention Period |
| --- | --- | --- | --- | --- |
| Customer(Healthcare Professional) Information | Ahngook, Bijutech, PuzzleAI, Maihub, Corelinesoft, SangsinMedical, UniMedical, MIK, MediMac, Olin, Sonamu, MAI, SmartOnHealthcare, YeosamInter, MDCompany | Responding to purchase inquiries regarding medical devices, providing product information, and performing maintenance services | institution name, name, field of specialty, email address, phone number | Until the purpose of use has been fulfilled |
| Researcher Information | Korea Medical Devices Industry Association | Reviewing quarterly reporting compliance and adherence to lecture/advisory fee caps under the Medical Device Fair Competition Code | name, affiliated organization, lecture/advisory service date, lecture/advisory fee amount | Until 5 years from January 1 of the year following the year in which the lecture or advisory service was provided |
| | Small and Medium Business Administration, Korea Industrial Complex Corporation, Korea Institute of Startup & Entrepreneurship Development, Korea Health Industry Development Institute, Korea International Cooperation Agency, Korea Health Industry Development Institute, Korea Institute of Industrial Technology Evaluation and Planning, National IT Industry Promotion Agency, Ministry of Science and ICT, Korea Institute for Advancement of Technology, Korea Software Industry Association, Institute for Information & Communications Technology Planning & Evaluation, Ministry of SMEs and Startups, Korea Technology Venture Foundation, Ministry of Food and Drug Safety, Ministry of Health and Welfare, and other government agencies responsible for national R&D projects | Submission of agreements and related documentation for the performance of government-funded R&D projects | name, affiliated organization, email address, contact information, education history, graduation year | Until the period specified in the applicable National R&D Project RFP (which may vary by project) |
| Shareholder Information | Financial Supervisory Service, Korea Exchange | Disclosure of shareholder personal information for the purpose of fulfilling statutory disclosure obligations | name of major shareholder, ownership percentage, number of shares held | Until the retention period required under applicable laws and regulations |
| Adverse Event Information | Ministry of Food and Drug Safety and other health regulatory authorities in countries where the Company’s products have obtained marketing authorization or regulatory approval. | Reporting adverse reactions in accordance with applicable laws and regulations | initials of name, gender, date of birth, age, height, weight, and other health-related information | Until the retention period required under applicable laws and regulations |
| Records and materials relating to the conduct of clinical trials | Institutional Review Board(IRB)/Ethics Committee(EC), Ministry of Food and Drug Safety, and other health regulatory authorities in countries where the Company’s products have obtained marketing authorization or regulatory approval | Verification of clinical trial procedures and data integrity, and obtaining marketing authorization/manufacturing approval | researcher information (name, title, position, phone number, email address, CV, clinical trial participation information), subject clinical information (which may vary by study), and safety information including adverse events | Until the purpose of use has been fulfilled, or for the retention period required under applicable laws and regulations, whichever is longer |
Article 5. Criteria for Ongoing Additional Use or Disclosure
Where the Company engages in ongoing additional use or disclosure of Personal Information, it will do so only to the extent reasonably related to the original purpose of collection and consistent with applicable data protection laws. In making this determination, the Company considers, among other factors, whether the additional use or disclosure could result in material harm or disadvantage to the individual and whether appropriate safeguards (e.g., encryption) have been implemented.
In particular, the Company will carefully evaluate the totality of circumstances, including: the purpose of the use or disclosure; the manner in which the Personal Information will be used or disclosed; the categories of Personal Information involved; whether the individual has consented to, been notified of, or could reasonably expect such use or disclosure; the potential impact on the individual; and the safeguards in place to protect the information.
Key factors include:
- The relationship between the additional use/disclosure and the original purpose of collection;
- Whether the additional use/disclosure is reasonably foreseeable based on the context of collection and the Company’s processing practices;
- Whether the additional use/disclosure would unfairly or unreasonably prejudice the individual’s interests; and
- Whether appropriate security and privacy measures—such as pseudonymization or encryption—have been applied.
Article 6. Engagement of Service Providers
To facilitate efficient operations and provide improved services and user convenience, the Company engages third-party service providers to process Personal Information on its behalf.
When entering into agreements with such service providers, the Company requires, in accordance with applicable data protection laws, that the service provider: (i) process Personal Information solely for the specified and authorized business purpose; (ii) implement appropriate technical and organizational safeguards to protect Personal Information; (iii) refrain from further subcontracting without authorization; and (iv) assume contractual responsibility, including indemnification and liability, for the protection of Personal Information. These requirements are set forth in written agreements, and the Company oversees and monitors its service providers to ensure that Personal Information is processed securely and in compliance with applicable law.
The Company engages the following service providers to process Personal Information on its behalf:
| Service Provider | Categories of Outsourced Processing Activities | Sub-Processor (Subcontracted Processing Activities) |
| --- | --- | --- |
| Doodlin | Recruitment website and applicant management services | Channel Corporation(Consultation services) |
| | | NHN Cloud(Mobile messaging services) |
| | | Twilio(Email transmission services) |
| Goorm | Coding assessment service for job applicants | - |
| Sinaforyou | Booth fabrication, installation, rental, dismantling, and storage services, as well as storage and delivery of promotional materials | - |
| KB Kookmin Bank | Securities transfer agency services, including account registration for securities, issuance of securities, and administration of dividend and bond principal/interest payments | - |
| Samsung Securities | Electronic voting management services | - |
| Synex | Clinical trial data management and statistical analysis services | CSRcube(Electronic Case Report Form (eCRF) services) |
| Promedis | | CSRcube(Electronic Case Report Form (eCRF) services) |
| Digital2s | | CSRcube(Electronic Case Report Form (eCRF) services) |
| JNPMEDI | | - |
| C&K INSIGHT | | |
| CSRcube | | |
| Amazon Web Services | Cloud infrastructure services | - |
| Google LLC | Service usage tracking and evaluation | - |
| NICE Information Service | Identity verification services | - |
| NAVER Cloud Corp | Mobile messaging services | |
| Korea Post(Postal Parcel Service) | Product delivery services | - |
| CJ Logistics Corporation | Product delivery services | - |
| Mau Communications | Management of symposium pre-registrants | - |
| S-1 Corporation | Maintenance of video surveillance systems | - |
Article 7. Cross-Border Transfers of Personal Information
The Company does not transfer Personal Information overseas.
Article 8. Information Security Safeguards
The Company implements commercially reasonable administrative, technical, and physical safeguards designed to protect Personal Information from unauthorized access, acquisition, disclosure, alteration, or destruction. In addition, the Company has obtained objective certifications—such as information security management system certifications—from independent third-party assessors for its major systems and facilities.
The Company has implemented the following measures:
- Establishing and maintaining internal policies and procedures governing the protection of Personal Information;
- Restricting access to Personal Information to personnel on a need-to-know basis;
- Providing regular privacy and data protection training to employees who handle Personal Information;
- Requiring employees to execute confidentiality and security agreements upon hire, and conducting internal audits to monitor compliance with this Privacy Policy and related data protection requirements; and
- Designating secure areas, such as server rooms, as restricted access zones and implementing access controls.
To prevent loss, theft, unauthorized disclosure, alteration, or damage to Personal Information, the Company applies the following technical measures:
- Implementing controls to prevent the tampering or falsification of system access logs;
- Applying encryption standards appropriate to the sensitivity and classification of Personal Information, consistent with applicable legal requirements;
- Utilizing anti-malware and antivirus software to protect systems against malicious code;
- Encrypting Personal Information during transmission over networks; and
- Conducting periodic vulnerability assessments and security testing to mitigate risks of hacking or other external intrusions.
Article 9. Processing of Pseudonymized Information
The Company processes pseudonymized information for purposes including clinical trials, AI software development, and related research activities.
The medical data used for these purposes does not include direct identifiers such as name, contact information, or other information that would directly identify a specific individual. The Company uses such data solely for scientific research and product development purposes and does not process pseudonymized information for the purpose of re-identifying any individual.
Details regarding the Company’s processing of pseudonymized information are as follows:
| Service | Purpose of Processing | Categories of Information Processed | Retention Period |
| --- | --- | --- | --- |
| Clinical trials | Conduct of medical device clinical trials and obtaining manufacturing and marketing authorization | age, gender, and other clinical information (which may vary by study) | 3 years from the date of completion of the clinical trial; if separate consent has been obtained, for the period specified in the applicable Personal Information Collection and Use Consent Form (which may vary by study) |
| Hativcare | Research and development of medical diagnostic algorithms | login ID, year and month of birth, weight, height, electrocardiogram(ECG) data | Until completion of the research (no later than December 31, 2026) |
In addition to the safeguards described in Article 8 (Information Security Safeguards), the Company implements the following additional measures to ensure the security of pseudonymized information:
- Pseudonymized information is stored separately from any additional information (e.g., re-identification keys) that could potentially enable re-identification. If such additional information is no longer necessary, it is securely deleted.
- Access rights to pseudonymized information and to any corresponding key or supplemental information are segregated and restricted to authorized personnel only.
- The Company maintains records of its pseudonymization processing activities, including:
  - The purpose of processing pseudonymized information;
  - The categories of Personal Information that have been pseudonymized;
  - The scope and details of how the pseudonymized information has been used;
  - The identity of any third parties to whom pseudonymized information has been disclosed; and
  - Any other matters required by applicable regulatory authorities for the proper management of pseudonymized information.
- If the risk of re-identification increases, the Company will immediately suspend processing and securely dispose of the relevant pseudonymized information.
- Pseudonymized information will be securely deleted without undue delay upon expiration of the applicable retention period.
Article 10. Cookies and Similar Technologies
The Company uses cookies and similar tracking technologies to collect and store certain information about users and to retrieve such information as needed.
A cookie is a small text file that is placed on a user’s computer or mobile device by a web server when the user accesses a website. Cookies are transmitted back to the Company’s servers when the user revisits the website and are used to support website functionality, enhance user experience, and analyze site usage.
Users have the option to control the use of cookies. Most web browsers allow users to manage cookie preferences through their browser settings, including the ability to accept all cookies, reject all cookies, or receive a notification when a cookie is set. Please note that disabling cookies may affect the availability or functionality of certain features of the website.
| Browser | How to Block Cookies |
| --- | --- |
| Chrome | Select the three-dot menu (⋮) in the upper-right corner → New Incognito Window (or New Incognito Tab) |
| Microsoft Edge | Select the three-dot menu (…) in the upper-right corner → New InPrivate Window |
| Safari(iOS) | Settings → Safari → Advanced → Block All Cookies |
| Samsung Internet | Tap the Tabs icon at the bottom → Turn on Secret mode → Start |
Article 11. Rights of Individuals and Legal Representatives; How to Exercise Those Rights
Individuals may exercise the following rights with respect to their Personal Information, subject to applicable law:
- Individuals may request access to, correction of, or deletion of their Personal Information, request restriction of processing, and withdraw previously provided consent at any time, to the extent permitted by applicable law.
- Requests relating to Personal Information of a child under the age of 14 must be made by the child’s parent or legal guardian. A minor aged 14 or older may exercise their rights directly or through a legal guardian, as permitted by applicable law.
- Requests may be submitted to the Company in writing, by email, or by fax. The Company will respond within ten (10) days of receipt of a verifiable request, unless a longer period is permitted by law.
  Requests to withdraw consent may also be made using the same method with which consent was originally provided.
  - Address: 9F, 479 Gangnam-daero, Seocho-gu, Seoul
  - Email: privacy@vuno.co
  - Fax: +82-2-515-6647
- Where an individual requests correction or deletion of inaccurate or incomplete Personal Information, the Company will not use or disclose the relevant information until the correction or deletion process has been completed.
- Where an individual or authorized representative exercises the rights described above, the Company will take reasonable steps to verify the identity and authority of the requester before processing the request.
Article 12. Installation and Operation of Fixed Video Surveillance Systems (CCTV)
The Company installs and operates fixed video surveillance systems (CCTV) as described below:
- Legal Basis and Purpose of Installation
  - Video surveillance systems are installed and operated for purposes including facility security and fire prevention, crime prevention and investigation, ensuring transparency in logistics operations, and responding to customer complaints.
- Location, Number of Cameras, Coverage Area, and Storage Location
  - The Company installs and operates fixed video surveillance systems as follows:
| Location of Installation | Number of Cameras Installed | Area Monitored | Location of Footage Storage |
| --- | --- | --- | --- |
| Sinnonhyeon Tower B2F | 8 | entrance, warehouse area, server room | Server room |
| Sinnonhyeon Tower 8F | 1 | entrance | Server room |
| Sinnonhyeon Tower 9F | 1 | entrance | Server room |
| Sinnonhyeon Tower 10F | 1 | entrance | Server room |
| Sinnonhyeon Tower 11F | 1 | entrance | Server room |
| Hativ Warehouse | 7 | entrance, warehouse area | Server room |
- Responsible Personnel and Access Authorization
  - The Company designates a responsible manager, the relevant department, and authorized personnel who are permitted to access recorded video information.
| Category | Department | Title |
| --- | --- | --- |
| Responsible Manager | General Affairs Team | Team Manager |
| Authorized Personnel | Corporate Management Division | Head of Division |
| | IT Security Infrastructure Team | Team Manager |
| | Human Resources Team | Team Manager |
| Authorized Personnel(Warehouse) | Hativ Team | Logistics and Packaging Staff |
- Recording Hours, Retention Period, and Handling Method
  - Recording Hours: 24 hours per day
  - Retention Period: 180 days
  - Handling Method: The Company maintains records of any use of recorded video information for purposes other than the original purpose, any disclosure to third parties, deletion, or access requests. Upon expiration of the retention period, recorded footage is permanently deleted using methods that prevent recovery or restoration.
- Method and Location for Accessing Video Information
  - Method: Requests must be submitted to the designated manager (Tel: +82-2-515-6646).
  - Location: VUNO office.
- Requests by Individuals for Access to Recorded Footage
  - Individuals may request access to, confirmation of the existence of, or deletion of their recorded video information by contacting the designated manager.
  - Such requests are limited to footage in which the individual appears, or where access is clearly necessary to protect the requester’s life, body, or property.
- Safeguards for Protection of Video Information
  - The Company implements administrative, technical, and physical safeguards to protect recorded video information, including:
    - Establishing internal management plans;
    - Access controls and restriction of access rights;
    - Secure storage and transmission technologies;
    - Maintenance of processing logs and measures to prevent tampering; and
    - Secure storage facilities and locking devices.
- Additional Operational Restrictions
  - The Company does not operate video surveillance systems in publicly accessible areas for purposes not permitted by law, and does not install or operate such systems in areas where there is a significant risk of infringing upon individuals’ reasonable expectation of privacy.
  - The Company does not arbitrarily manipulate surveillance equipment or enable audio recording functionality.
Article 13. Additional Efforts to Protect Personal Information
- The Company is committed to safeguarding the Personal Information of individuals and makes commercially reasonable efforts to ensure its security. In addition to implementing the safeguards required under applicable data protection laws, the Company takes additional measures to strengthen its privacy and information security practices.
- The Company has obtained recognized privacy and information security certifications, as applicable, to demonstrate its commitment to maintaining industry-standard data protection controls.
| Category | ISO/IEC 27001:2022 | ISO/IEC 27701:2019 |
| --- | --- | --- |
| Scope of Certification | The provision of Medical Services including the development and supply of solutions and SaaS | The provision of Medical Services including the development and supply of solutions and SaaS as both PII Controller and PII Processor |
| Certification Period | November 24, 2025 – November 23, 2028 | November 24, 2025 – November 23, 2028 |
- The Company has established internal procedures governing access to and management of Personal Information and ensures that its employees are appropriately trained and informed regarding these procedures.
- The Company further promotes a culture of privacy and data protection through ongoing initiatives, including simulated phishing exercises, information security awareness campaigns, internal privacy committee meetings, and other activities designed to enhance secure data processing practices and organizational accountability.
Article 14. Chief Privacy Officer
The Company has designated a Chief Privacy Officer who is responsible for overseeing the Company’s Personal Information processing activities and for handling inquiries, complaints, and requests for redress relating to privacy and data protection matters.
- Name: Jonghoon Park
- Title: Chief Information Security Officer (CISO) / Chief Privacy Officer (CPO)
- Email: privacy@vuno.co
- Phone: +82-2-515-6646
Article 15. Remedies for Infringement of Privacy Rights
If you have any complaints or concerns regarding the protection of your Personal Information arising from your use of the Company’s services, you may contact the Company’s designated privacy response department:
- Department: IT Security Infrastructure Team
- Email: privacy@vuno.co
If you require additional assistance or wish to report a privacy-related concern, you may contact the following authorities:
| Agency Name | Website | Contact Number |
| --- | --- | --- |
| Personal Information Dispute Mediation Committee | www.kopico.go.kr | +82-1833-6972 |
| Personal Information Infringement Report Center | privacy.kisa.or.kr | 118 (Korea only) |
| Supreme Prosecutors’ Office Cyber Investigation Division | www.spo.go.kr | 1301 (Korea only) |
| National Police Agency Cyber Bureau | ecrm.police.go.kr | 182 (Korea only) |
Privacy Policy
VUNO Inc. (hereinafter referred to as the “Company”) hereby adopts and publishes this Privacy Policy in accordance with applicable data protection laws to safeguard the personal information and privacy rights of individuals and to address privacy-related inquiries and concerns in a prompt and appropriate manner.
※ Effective Date: 23 March 2026
Article 1. Purpose of Processing, Categories of Personal Information Collected, and Retention Period
When the Company processes Personal Information, it provides advance notice of the purpose of collection, categories of Personal Information collected, and applicable retention period through this Privacy Policy and/or a separate Notice and Consent Form, in accordance with applicable data protection laws.
The Company may collect and use Personal Information where one or more of the following legal bases applies, and will process such information solely within the scope of the disclosed purpose:
- Where the individual has provided prior affirmative consent;
- Where processing is required or expressly permitted by applicable law, or is necessary to comply with a legal obligation;
- Where processing is necessary to perform a contract with the individual, or to take steps at the individual’s request prior to entering into a contract;
- Where processing is necessary to protect the vital interests of the individual or another person in an emergency situation involving imminent risk to life, health, or property;
- Where processing is necessary for the Company’s legitimate business interests and such interests are not overridden by the individual’s rights and freedoms; or
- Where processing is urgently required to protect public health, public safety, or other significant public interests.
The Company processes Personal Information for the following purposes and categories:
|
Category
|
Purpose
|
Required/Optional
|
Categories of Personal Information Collected
|
Retention Period
|
|
[VUNO Website] Submit Inquiries
|
Responding to inquiries, handling complaints, and managing disputes
|
Required
|
Name, region, affiliated organization, job title, phone number; email address, country of affiliation, and inquiry details
|
3 years from the date the inquiry is submitted
|
|
Sending newsletters and providing promotional information about the Company’s products, services, and events
|
Optional
|
email address
|
3 years from the date of consent
|
|
[Hativmall] Account Registration
|
Performance of a contract for the provision of services, billing and payment processing, and account administration
|
Required
|
Name, date of birth, login ID, email address, password, payment information, and nationality (if a foreign national)
|
Until the account is deleted or membership is terminated
|
|
Required
|
[Unique Identifiers] foreigner registration number (e.g., alien registration number or passport number), if applicable to foreign nationals
|
|
Marketing and Advertising
|
Optional
|
email address, phone number
|
|
Performance of a Contract for Service Provision and Account Administration
|
Optional
|
phone number, address
|
|
[VUNO Careers] Apply for a Job Posting
|
Providing recruitment-related communications and notices; contacting applicants regarding the recruitment process and use of the careers website; evaluating candidate qualifications; using application materials for resume screening and interviews; and maintaining a talent database for future opportunities
|
Required
|
name, phone number, email
|
3 years from the date of application submission
|
|
Optional
|
date of birth, mailing address, cover letter, resume/CV, education history, photograph, video, certifications or licenses, employment history, portfolio, detailed work experience statement, position applied for, desired salary, most recent salary, references, source of application, and any other information voluntarily entered or uploaded by the applicant (including via attachments) that may identify the individual
|
|
[Company-Hosted Events] Event Registration
|
Event administration and participant communications
|
Required
|
name (in Korean and/or English), affiliated organization, contact information, email address
|
90 days from the event end date
|
|
Administration of and related communications for VUNO-hosted events
|
Optional
|
name (Korean and/or English), affiliated organization, contact information, email address
|
5 years from the date of consent
|
|
[Advisory] Medical Advisory Services
|
Verification of advisory board member identity and payment of advisory fees
|
Required
|
name, date of birth, affiliated organization, contact information, email address, bank account number, advisory service date, and advisory fee amount
|
5 years from the date of collection
|
|
Evaluating future advisory engagements and conducting product-related marketing activities
|
Optional
|
photograph, education history, employment history, research experience, fax number
|
|
[Government-Funded Projects] Performance of National R&D Projects
|
Submission of required documentation for the performance of government-funded R&D projects
|
Required
|
name, affiliated organization, email address, contact information, education history, graduation year
|
For the period specified in the applicable National R&D Project RFP (which may vary by project)
|
|
[Clinical Trials] Records and Documentation Relating to the Conduct of Clinical Trials
|
Verification of researcher qualifications
|
Required
|
name, title, position, phone number, email address, resume/CV (education history, employment history, license number, training records, clinical trial participation information)
|
3 years from the date of completion of the clinical trial; if separate consent has been obtained, for the period specified in the applicable Personal Information Collection and Use Consent Form (which may vary by study)
|
|
Collection of clinical trial data
|
Required
|
age, gender, and other subject clinical information (which may vary by study)
|
|
[VUUC] User Management Service
|
Administration and management of users of VUNO products
|
Required
|
affiliated institution, name, email address
|
Until the service is terminated
|
|
Optional
|
phone number, address
|
|
[Hativ Care] Account Registration
|
Account registration; measurement and analysis; processing of service applications and consultation activities; and scientific research purposes
|
Required
|
name, phone number, encrypted user identification value (CI), date of birth, gender
|
Until the account is deleted or membership is terminated
|
|
Account registration; measurement and analysis; and processing of service applications and consultation activities
|
Optional
|
email
|
|
Measurement and analysis; processing of service applications and consultation activities; and scientific research purposes
|
Required
|
[Sensitive Personal Information] electrocardiogram (ECG) measurement data, average heart rate, measurement time
|
|
Optional
|
[Sensitive Personal Information] height, weight, blood pressure, blood glucose level, body temperature, other symptoms (discomfort, palpitations, dizziness, shortness of breath, chest pain), and notes
|
The Company processes patient information on behalf of healthcare institutions in connection with the provision of its AI-based medical device services.
In providing AI-based medical device services to healthcare institutions, the Company processes patient information entered into the system by healthcare providers, solely as a service provider acting on behalf of such institutions and only for the purpose of delivering the contracted medical device services, as described below:
|
Category
|
Purpose
|
Required/Optional
|
Categories of Personal Information Collected
|
Retention Period
|
|
[Medical Device] DeepCARS
|
Analysis of patient electrocardiogram (ECG) measurement data
|
Required
|
name, gender, date of birth, patient identification number(PID), electrocardiogram(ECG) measurement data
|
Until termination of service use
|
|
[Medical Device] Chest X-ray
|
Interpretation of patient chest X-ray images
|
Required
|
name, gender, date of birth, patient identification number(PID), chest X-ray images
|
5 years from the date the patient information is stored
|
|
[Medical Device] Fundus AI
|
Interpretation of patient fundus images
|
Required
|
name, date of birth, patient identification number(PID), fundus images
|
5 years from the date the patient information is stored
|
The Company may retain Personal Information beyond the originally disclosed retention period, to the extent necessary, until the applicable period expires or the relevant condition is satisfied, in the following circumstances:
- Where the individual has provided separate consent for a specified retention period, the Company will retain the Personal Information for the duration of that consented period;
- Where the service has been terminated or discontinued, but outstanding fees or other payment obligations remain unpaid, the Company may retain the relevant Personal Information until such amounts are paid in full;
- Where a complaint, claim, audit, investigation, or legal dispute involving the Company is pending and has not been resolved within the standard retention period, the Company may retain the relevant Personal Information until the matter is fully resolved;
- Where retention is required for a specified period under applicable laws or regulations (including, without limitation, commercial or consumer protection laws), the Company will retain Personal Information for the duration mandated by such laws, as set forth below:
|
Applicable Law
|
Categories of Personal Information Collected
|
Retention Period
|
|
Commercial Act
|
Personal information included in key business records of the Company
|
10 years
|
|
Act on Consumer Protection in Electronic Commerce, etc
|
Personal information included in records relating to contracts or withdrawal of offers (including cancellation or rescission)
|
5 years
|
|
Personal information included in records relating to payment of consideration and the supply of goods or services
|
5 years
|
|
Personal information included in records relating to consumer complaints or dispute resolution
|
5 years
|
|
Personal information included in records relating to labeling and advertising
|
6 months
|
|
Protection of Communications Secrets Act
|
Personal information included in website access logs
|
3 months
|
|
Medical Device Act
|
Personal information included in clinical trial protocols and records and materials relating to the conduct of clinical trials
|
3 years
|
|
Digital Medical Products Act
|
Personal information included in clinical trial protocols and records and materials relating to the conduct and management of clinical trials
|
3 years
|
|
Bioethics and Safety Act
|
Personal information included in records relating to human subject research
|
3 years
|
Article 2. Personal Information of Children Under 14
When collecting Personal Information from a child under the age of 14, the Company obtains verifiable consent from the child’s parent or legal guardian and collects only the minimum Personal Information necessary to provide the relevant services.
In connection with such collection, the Company may request limited information from the child, such as the name and contact information of the parent or legal guardian, for the purpose of obtaining and verifying parental consent. The Company verifies that valid consent has been provided by the parent or legal guardian through one of the following methods:
- Requiring the parent or legal guardian to indicate consent on a website that presents the relevant consent terms, and verifying their identity through mobile phone authentication or a comparable identity verification process;
- Providing a written consent form directly, or delivering it by mail or facsimile, and requiring the parent or legal guardian to sign and return the executed form;
- Notifying the parent or legal guardian of the consent terms by telephone and obtaining consent during the call, or providing instructions (e.g., by email) on how to review the consent terms and subsequently obtaining confirmation through a follow-up telephone call; or
- Using any other method that is reasonably designed to inform the parent or legal guardian of the consent terms and to verify their affirmative authorization, consistent with applicable law.
Article 3. Data Retention and Secure Disposal
The Company securely disposes of Personal Information without undue delay once the purpose for which it was collected and used has been fulfilled or the applicable retention period has expired, unless continued retention is required pursuant to the individual’s consent, applicable terms of service, or relevant laws and regulations.
Personal Information maintained in paper form is destroyed by shredding or incineration. Personal Information stored in electronic form is permanently deleted using secure technical methods designed to prevent recovery or reconstruction of the data.
If, due to technical limitations, complete deletion is not reasonably feasible, the Company will take appropriate measures to irreversibly anonymize the information so that it can no longer be used to identify an individual, taking into account reasonable considerations of time, cost, and available technology.
Article 4. Disclosure of Personal Information to Third Parties
The Company processes Personal Information only within the scope of the purposes described in this Privacy Policy. The Company discloses Personal Information to third parties only where (i) the individual has provided prior consent, or (ii) such disclosure is required or expressly permitted under applicable law. Except as described herein, the Company does not disclose Personal Information to third parties.
The Company discloses Personal Information to the following third parties for the purposes described below:
|
Category
|
Recipient
|
Purpose of Disclosure
|
Categories of Personal Information Disclosed
|
Retention Period
|
|
Customer(Healthcare Professional) Information
|
Ahngook, Bijutech, PuzzleAI, Maihub, Corelinesoft, SangsinMedical, UniMedical, MIK, MediMac, Olin, Sonamu, MAI, SmartOnHealthcare, YeosamInter, MDCompany
|
Responding to purchase inquiries regarding medical devices, providing product information, and performing maintenance services
|
institution name, name, field of specialty, email address, phone number
|
Until the purpose of use has been fulfilled
|
|
Researcher Information
|
Korea Medical Devices Industry Association
|
Reviewing quarterly reporting compliance and adherence to lecture/advisory fee caps under the Medical Device Fair Competition Code
|
name, affiliated organization, lecture/advisory service date, lecture/advisory fee amount
|
Until 5 years from January 1 of the year following the year in which the lecture or advisory service was provided
|
|
Small and Medium Business Administration, Korea Industrial Complex Corporation, Korea Institute of Startup & Entrepreneurship Development, Korea Health Industry Development Institute, Korea International Cooperation Agency, Korea Health Industry Development Institute, Korea Institute of Industrial Technology Evaluation and Planning, National IT Industry Promotion Agency, Ministry of Science and ICT, Korea Institute for Advancement of Technology, Korea Software Industry Association, Institute for Information & Communications Technology Planning & Evaluation, Ministry of SMEs and Startups, Korea Technology Venture Foundation, Ministry of Food and Drug Safety, Ministry of Health and Welfare, and other government agencies responsible for national R&D projects
|
Submission of agreements and related documentation for the performance of government-funded R&D projects
|
name, affiliated organization, email address, contact information, education history, graduation year
|
Until the period specified in the applicable National R&D Project RFP (which may vary by project)
|
|
Shareholder Information
|
Financial Supervisory Service, Korea Exchange
|
Disclosure of shareholder personal information for the purpose of fulfilling statutory disclosure obligations
|
name of major shareholder, ownership percentage, number of shares held
|
Until the retention period required under applicable laws and regulations
|
|
Adverse Event Information
|
Ministry of Food and Drug Safety and other health regulatory authorities in countries where the Company’s products have obtained marketing authorization or regulatory approval.
|
Reporting adverse reactions in accordance with applicable laws and regulations
|
initials of name, gender, date of birth, age, height, weight, and other health-related information
|
Until the retention period required under applicable laws and regulations
|
|
Records and materials relating to the conduct of clinical trials
|
Institutional Review Board(IRB)/Ethics Committee(EC), Ministry of Food and Drug Safety, and other health regulatory authorities in countries where the Company’s products have obtained marketing authorization or regulatory approval
|
Verification of clinical trial procedures and data integrity, and obtaining marketing authorization/manufacturing approval
|
researcher information (name, title, position, phone number, email address, CV, clinical trial participation information), subject clinical information (which may vary by study), and safety information including adverse events
|
Until the purpose of use has been fulfilled, or for the retention period required under applicable laws and regulations, whichever is longer
|
Article 5. Criteria for Ongoing Additional Use or Disclosure
Where the Company engages in ongoing additional use or disclosure of Personal Information, it will do so only to the extent reasonably related to the original purpose of collection and consistent with applicable data protection laws. In making this determination, the Company considers, among other factors, whether the additional use or disclosure could result in material harm or disadvantage to the individual and whether appropriate safeguards (e.g., encryption) have been implemented.
In particular, the Company will carefully evaluate the totality of circumstances, including: the purpose of the use or disclosure; the manner in which the Personal Information will be used or disclosed; the categories of Personal Information involved; whether the individual has consented to, been notified of, or could reasonably expect such use or disclosure; the potential impact on the individual; and the safeguards in place to protect the information.
Key factors include:
- The relationship between the additional use/disclosure and the original purpose of collection;
- Whether the additional use/disclosure is reasonably foreseeable based on the context of collection and the Company’s processing practices;
- Whether the additional use/disclosure would unfairly or unreasonably prejudice the individual’s interests; and
- Whether appropriate security and privacy measures—such as pseudonymization or encryption—have been applied.
Article 6. Engagement of Service Providers
To facilitate efficient operations and provide improved services and user convenience, the Company engages third-party service providers to process Personal Information on its behalf.
When entering into agreements with such service providers, the Company requires, in accordance with applicable data protection laws, that the service provider: (i) process Personal Information solely for the specified and authorized business purpose; (ii) implement appropriate technical and organizational safeguards to protect Personal Information; (iii) refrain from further subcontracting without authorization; and (iv) assume contractual responsibility, including indemnification and liability, for the protection of Personal Information. These requirements are set forth in written agreements, and the Company oversees and monitors its service providers to ensure that Personal Information is processed securely and in compliance with applicable law.
The Company engages the following service providers to process Personal Information on its behalf:
|
Service Provider
|
Categories of Outsourced Processing Activities
|
Sub-Processor (Subcontracted Processing Activities)
|
|
Doodlin
|
Recruitment website and applicant management services
|
Channel Corporation(Consultation services)
|
|
NHN Cloud(Mobile messaging services)
|
|
Twilio(Email transmission services)
|
|
Goorm
|
Coding assessment service for job applicants
|
-
|
|
Sinaforyou
|
Booth fabrication, installation, rental, dismantling, and storage services, as well as storage and delivery of promotional materials
|
-
|
|
KB Kookmin Bank
|
Securities transfer agency services, including account registration for securities, issuance of securities, and administration of dividend and bond principal/interest payments
|
-
|
|
Samsung Securities
|
Electronic voting management services
|
-
|
|
Synex
|
Clinical trial data management and statistical analysis services
|
CSRcube(Electronic Case Report Form (eCRF) services)
|
|
Promedis
|
CSRcube(Electronic Case Report Form (eCRF) services)
|
|
Digital2s
|
CSRcube(Electronic Case Report Form (eCRF) services)
|
|
JNPMEDI
|
-
|
|
C&K INSIGHT
|
|
|
CSRcube
|
|
|
Amazon Web Services
|
Cloud infrastructure services
|
-
|
|
Google LLC
|
Service usage tracking and evaluation
|
-
|
|
NICE Information Service
|
Identity verification services
|
-
|
|
NAVER Cloud Corp
|
Mobile messaging services
|
|
|
Korea Post(Postal Parcel Service)
|
Product delivery services
|
-
|
|
CJ Logistics Corporation
|
Product delivery services
|
-
|
|
Mau Communications
|
Management of symposium pre-registrants
|
-
|
|
S-1 Corporation
|
Maintenance of video surveillance systems
|
-
|
Article 7. Cross-Border Transfers of Personal Information
The Company does not transfer Personal Information overseas.
Article 8. Information Security Safeguards
The Company implements commercially reasonable administrative, technical, and physical safeguards designed to protect Personal Information from unauthorized access, acquisition, disclosure, alteration, or destruction. In addition, the Company has obtained objective certifications—such as information security management system certifications—from independent third-party assessors for its major systems and facilities.
The Company has implemented the following measures:
- Establishing and maintaining internal policies and procedures governing the protection of Personal Information;
- Restricting access to Personal Information to personnel on a need-to-know basis;
- Providing regular privacy and data protection training to employees who handle Personal Information;
- Requiring employees to execute confidentiality and security agreements upon hire, and conducting internal audits to monitor compliance with this Privacy Policy and related data protection requirements; and
- Designating secure areas, such as server rooms, as restricted access zones and implementing access controls.
To prevent loss, theft, unauthorized disclosure, alteration, or damage to Personal Information, the Company applies the following technical measures:
- Implementing controls to prevent the tampering or falsification of system access logs;
- Applying encryption standards appropriate to the sensitivity and classification of Personal Information, consistent with applicable legal requirements;
- Utilizing anti-malware and antivirus software to protect systems against malicious code;
- Encrypting Personal Information during transmission over networks; and
- Conducting periodic vulnerability assessments and security testing to mitigate risks of hacking or other external intrusions.
Article 9. Processing of Pseudonymized Information
The Company processes pseudonymized information for purposes including clinical trials, AI software development, and related research activities.
The medical data used for these purposes does not include direct identifiers such as name, contact information, or other information that would directly identify a specific individual. The Company uses such data solely for scientific research and product development purposes and does not process pseudonymized information for the purpose of re-identifying any individual.
Details regarding the Company’s processing of pseudonymized information are as follows:
|
Service
|
Purpose of Processing
|
Categories of Processed
|
Retention Period
|
|
Clinical trials
|
Conduct of medical device clinical trials and obtaining manufacturing and marketing authorization
|
age, gender, and other clinical information (which may vary by study)
|
3 years from the date of completion of the clinical trial; if separate consent has been obtained, for the period specified in the applicable Personal Information Collection and Use Consent Form (which may vary by study)
|
|
Hativcare
|
Research and development of medical diagnostic algorithms
|
login ID, year and month of birth, weight, height, electrocardiogram(ECG) data
|
Until completion of the research (no later than December 31, 2026)
|
In addition to the safeguards described in Article 8 (Information Security Safeguards), the Company implements the following additional measures to ensure the security of pseudonymized information:
- Pseudonymized information is stored separately from any additional information (e.g., re-identification keys) that could potentially enable re-identification. If such additional information is no longer necessary, it is securely deleted.
- Access rights to pseudonymized information and to any corresponding key or supplemental information are segregated and restricted to authorized personnel only.
- The Company maintains records of its pseudonymization processing activities, including:
- The purpose of processing pseudonymized information;
- The categories of Personal Information that have been pseudonymized;
- The scope and details of how the pseudonymized information has been used;
- The identity of any third parties to whom pseudonymized information has been disclosed; and
- Any other matters required by applicable regulatory authorities for the proper management of pseudonymized information.
- If the risk of re-identification increases, the Company will immediately suspend processing and securely dispose of the relevant pseudonymized information.
- Pseudonymized information will be securely deleted without undue delay upon expiration of the applicable retention period.
Article 10. Cookies and Similar Technologies
The Company uses cookies and similar tracking technologies to collect and store certain information about users and to retrieve such information as needed.
A cookie is a small text file that is placed on a user’s computer or mobile device by a web server when the user accesses a website. Cookies are transmitted back to the Company’s servers when the user revisits the website and are used to support website functionality, enhance user experience, and analyze site usage.
Users have the option to control the use of cookies. Most web browsers allow users to manage cookie preferences through their browser settings, including the ability to accept all cookies, reject all cookies, or receive a notification when a cookie is set. Please note that disabling cookies may affect the availability or functionality of certain features of the website.
|
Browser
|
How to Block Cookies
|
|
Chrome
|
Select the three-dot menu (⋮) in the upper-right corner → New Incognito Window (or New Incognito Tab)
|
|
Microsoft Edge
|
Select the three-dot menu (…) in the upper-right corner → New InPrivate Window
|
|
Safari(iOS)
|
Settings → Safari → Advanced → Block All Cookies
|
|
Samsung Internet
|
Tap the Tabs icon at the bottom → Turn on Secret mode → Start
|
Article 11. Rights of Individuals and Legal Representatives; How to Exercise Those Rights
Individuals may exercise the following rights with respect to their Personal Information, subject to applicable law:
- Individuals may request access to, correction of, or deletion of their Personal Information, request restriction of processing, and withdraw previously provided consent at any time, to the extent permitted by applicable law.
- Requests relating to Personal Information of a child under the age of 14 must be made by the child’s parent or legal guardian. A minor aged 14 or older may exercise their rights directly or through a legal guardian, as permitted by applicable law.
- Requests may be submitted to the Company in writing, by email, or by fax. The Company will respond within ten (10) days of receipt of a verifiable request, unless a longer period is permitted by law.
Requests to withdraw consent may also be made using the same method with which consent was originally provided.
- Address: 9F, 479 Gangnam-daero, Seocho-gu, Seoul
- Email: privacy@vuno.co
- Fax: +82-2-515-6647
- Where an individual requests correction or deletion of inaccurate or incomplete Personal Information, the Company will not use or disclose the relevant information until the correction or deletion process has been completed.
- Where an individual or authorized representative exercises the rights described above, the Company will take reasonable steps to verify the identity and authority of the requester before processing the request.
Article 12. Installation and Operation of Fixed Video Surveillance Systems (CCTV)
The Company installs and operates fixed video surveillance systems (CCTV) as described below:
- Legal Basis and Purpose of Installation
- Video surveillance systems are installed and operated for purposes including facility security and fire prevention, crime prevention and investigation, ensuring transparency in logistics operations, and responding to customer complaints.
- Location, Number of Cameras, Coverage Area, and Storage Location
- The Company installs and operates fixed video surveillance systems as follows:
| Location of Installation | Number of Cameras Installed | Area Monitored | Location of Footage Storage |
|---|---|---|---|
| Sinnonhyeon Tower B2F | 8 | entrance, warehouse area, server room | Server room |
| Sinnonhyeon Tower 8F | 1 | entrance | Server room |
| Sinnonhyeon Tower 9F | 1 | entrance | Server room |
| Sinnonhyeon Tower 10F | 1 | entrance | Server room |
| Sinnonhyeon Tower 11F | 1 | entrance | Server room |
| Hativ Warehouse | 7 | entrance, warehouse area | Server room |
- Responsible Personnel and Access Authorization
- The Company designates a responsible manager, the relevant department, and authorized personnel who are permitted to access recorded video information.
| Category | Department | Title |
|---|---|---|
| Responsible Manager | General Affairs Team | Team Manager |
| Authorized Personnel | Corporate Management Division | Head of Division |
| | IT Security Infrastructure Team | Team Manager |
| | Human Resources Team | Team Manager |
| Authorized Personnel (Warehouse) | Hativ Team | Logistics and Packaging Staff |
- Recording Hours, Retention Period, and Handling Method
- Recording Hours: 24 hours per day
- Retention Period: 180 days
- Handling Method: The Company maintains records of any use of recorded video information for purposes other than the original purpose, any disclosure to third parties, deletion, or access requests. Upon expiration of the retention period, recorded footage is permanently deleted using methods that prevent recovery or restoration.
- Method and Location for Accessing Video Information
- Method: Requests must be submitted to the designated manager (Tel: +82-2-515-6646).
- Location: VUNO office.
- Requests by Individuals for Access to Recorded Footage
- Individuals may request access to, confirmation of the existence of, or deletion of their recorded video information by contacting the designated manager.
- Such requests are limited to footage in which the individual appears, or where access is clearly necessary to protect the requester’s life, body, or property.
- Safeguards for Protection of Video Information
- The Company implements administrative, technical, and physical safeguards to protect recorded video information, including:
- Establishing internal management plans;
- Access controls and restriction of access rights;
- Secure storage and transmission technologies;
- Maintenance of processing logs and measures to prevent tampering; and
- Secure storage facilities and locking devices.
- Additional Operational Restrictions
- The Company does not operate video surveillance systems in publicly accessible areas for purposes not permitted by law, and does not install or operate such systems in areas where there is a significant risk of infringing upon individuals’ reasonable expectation of privacy.
- The Company does not arbitrarily manipulate surveillance equipment or enable audio recording functionality.
Article 13. Additional Efforts to Protect Personal Information
- The Company is committed to safeguarding the Personal Information of individuals and makes commercially reasonable efforts to ensure its security. In addition to implementing the safeguards required under applicable data protection laws, the Company takes additional measures to strengthen its privacy and information security practices.
- The Company has obtained recognized privacy and information security certifications, as applicable, to demonstrate its commitment to maintaining industry-standard data protection controls.
| Category | ISO/IEC 27001:2022 | ISO/IEC 27701:2019 |
|---|---|---|
| Scope of Certification | The provision of Medical Services including the development and supply of solutions and SaaS | The provision of Medical Services including the development and supply of solutions and SaaS as both PII Controller and PII Processor |
| Certification Period | November 24, 2025 – November 23, 2028 | November 24, 2025 – November 23, 2028 |
- The Company has established internal procedures governing access to and management of Personal Information and ensures that its employees are appropriately trained and informed regarding these procedures.
- The Company further promotes a culture of privacy and data protection through ongoing initiatives, including simulated phishing exercises, information security awareness campaigns, internal privacy committee meetings, and other activities designed to enhance secure data processing practices and organizational accountability.
Article 14. Chief Privacy Officer
The Company has designated a Chief Privacy Officer who is responsible for overseeing the Company’s Personal Information processing activities and for handling inquiries, complaints, and requests for redress relating to privacy and data protection matters.
- Name: Jonghoon Park
- Title: Chief Information Security Officer (CISO) / Chief Privacy Officer (CPO)
- Email: privacy@vuno.co
- Phone: +82-2-515-6646
Article 15. Remedies for Infringement of Privacy Rights
If you have any complaints or concerns regarding the protection of your Personal Information arising from your use of the Company’s services, you may contact the Company’s designated privacy response department:
- Department: IT Security Infrastructure Team
- Email: privacy@vuno.co
If you require additional assistance or wish to report a privacy-related concern, you may contact the following authorities:
| Agency Name | Website | Contact Number |
|---|---|---|
| Personal Information Dispute Mediation Committee | www.kopico.go.kr | +82-1833-6972 |
| Personal Information Infringement Report Center | privacy.kisa.or.kr | 118 (Korea only) |
| Supreme Prosecutors’ Office Cyber Investigation Division | www.spo.go.kr | 1301 (Korea only) |
| National Police Agency Cyber Bureau | ecrm.police.go.kr | 182 (Korea only) |
Article 16. Changes to This Privacy Policy
- This Privacy Policy is effective as of the Effective Date stated above. The Company may update or modify this Privacy Policy from time to time to reflect changes in applicable laws, regulations, or the Company’s data processing practices. If material changes are made, the Company will provide notice at least seven (7) days prior to the effective date of such changes through a notice posted on its website or other appropriate communication channels.
- The revision history of this Privacy Policy is as follows:
- Revised: July 20, 2023
- Revised: December 28, 2023
- Revised: February 12, 2024
- Revised: December 9, 2024
- Revised: March 23, 2026