
Privacy Policy

HealthHub Privacy Policy

HealthHub Co., Ltd. (hereinafter referred to as the "Company") collects, retains, and processes all personal information based on relevant laws or with the consent of the data subject.

This privacy policy is effective as of July 1, 2025.

The Company lawfully and safely processes personal information in accordance with the Personal Information Protection Act and related laws to protect the rights and freedoms of data subjects. In accordance with Article 30 of the Personal Information Protection Act, this privacy policy is established and disclosed to inform data subjects of the procedures and standards related to the processing and protection of personal information and to handle grievances swiftly and smoothly.

Please note: A separate privacy policy is established and disclosed for the HScan service.

Key Personal Information Processing Labeling

  • Collection of Personal Information
    See “Purpose of Personal Information Processing, Collected Items, and Retention and Usage Period” section
  • Purpose of Processing Personal Information
    To confirm membership intention and assess eligibility. To provide services.
  • Retention Period
    Until membership withdrawal or for the period prescribed by law.
  • Delegation of Personal Information Processing
    -
  • Measures to Ensure the Safety of Personal Information
    Establishment and implementation of internal management plans. Encryption of personal information. Access control for data storage rooms
  • Personal Information Inquiries and Complaints
    QC Team
    inquiry@healthhub.kr
    +82 (0)2-511-3601

Table of Contents

  1. Purpose of Personal Information Processing, Collected Items, Retention and Usage Period
  2. Handling of Personal Information of Children Under the Age of 14
  3. Procedures and Methods for Destruction of Personal Information
  4. Provision of Personal Information to Third Parties
  5. Outsourcing of Personal Information Processing
  6. Measures to Ensure the Security of Personal Information
  7. Installation, Operation, and Rejection of Devices that Automatically Collect Personal Information
  8. Rights and Obligations of Data Subjects and Their Legal Representatives, and How to Exercise Them
  9. Personal Information Protection Officer and Responsible Department
  10. Remedies for Infringement of Data Subject’s Rights
  11. Changes to the Privacy Policy

Purpose of Personal Information Processing, Collected Items, Retention and Usage Period

The Company processes personal information for the following purposes. The personal information being processed will not be used for purposes other than those listed below. If the purpose of use is changed, the Company will take necessary measures such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.
  ① Personal Information Items Processed with the Data Subject’s Consent
    - The Company processes the following personal information items with the data subject’s consent in accordance with Article 15(1)(1) of the Personal Information Protection Act:

| Category | Purpose of Collection | Items Collected | Retention & Usage Period |
| --- | --- | --- | --- |
| HealthHub and product website inquiries | To respond to online inquiries | Name, email, phone number, organization name, country | 3 years (in accordance with Article 6 of the Act on Consumer Protection in Electronic Commerce) |
| Customer service | Response to product-related inquiries, identification of the complainant, verification and communication for fact-checking, notification of results | ID (mobile phone number or email address), organization name | 3 years (same as above) |
| Medical institution information processing | Membership registration, providing services to registered members, verifying identity and medical qualifications, preventing fraudulent use, personal identification | Name, email, phone number, organization name, country, address, business registration certificate, specialist number, medical license number | Until membership withdrawal |
| Radiologist information processing | Same as above | Name, email, phone number, organization name, country, address, specialist number, medical license number | Until membership withdrawal |
| Service provision | Service for product inquiry, sending contracts/invoices, payment and settlement | ID (mobile phone number or email address), organization name, service usage records, access logs, cookies, IP address, bank account number | 5 years (in accordance with Article 6 of the Act on Consumer Protection in Electronic Commerce) |
| Boneage and HRefer - Processing of patient personal data (HScan has a separate privacy policy) | Data analysis for service provision | Radiographic images, date/time of image capture, patient name, date of birth, gender | Until the period specified in the outsourcing agreement |

  ② Cases Where Personal Information Is Retained Without Destruction Based on Other Laws
    1) <Legal Basis and Articles for Retention Period of Personal Information>: <Retention Period>
    2) In accordance with Article 6 of the Act on Consumer Protection in Electronic Commerce, records related to labeling/advertising, contract details and execution, etc.
      • Records related to labeling/advertising: 6 months
      • Records related to contract or withdrawal of subscription: 5 years
      • Records related to payment and supply of goods: 5 years
      • Records related to consumer complaints or dispute resolution: 3 years

Handling of Personal Information of Children Under the Age of 14

① The Company processes the personal information of children under the age of 14 only when the legal guardian of the child has consented and the data has been collected through the relevant medical institution.

Procedures and Methods for Destruction of Personal Information

The Company destroys personal information without delay when the retention period has expired or when the processing purpose has been achieved.
  ① Establishment of Destruction Plan
    - The Company establishes a personal information destruction plan based on internal policies and relevant laws.
  ② Procedures and Timeline for Destruction
    - Information entered by users will be destroyed within 5 days after the retention period expires or the purpose of processing is achieved.
    - Destruction is carried out upon approval by the Personal Information Protection Officer.
  ③ Destruction Methods
    When destroying personal information processed by the Company, the following methods are used:
    - If in electronic file format: permanently deleted in an unrecoverable manner.
    - If in physical records, printed materials, written documents, or other record media: shredded or incinerated.
Even when the agreed-upon retention period has expired or the processing purpose has been achieved, if the information must be retained in accordance with other laws, the personal information will be stored separately in a different database (DB) or location.
※ For items and legal grounds for personal information retained under other laws, refer to the section “Purpose of Personal Information Processing, Collected Items, Retention and Usage Period.”

Provision of Personal Information to Third Parties

① The Company provides personal information to third parties only in cases that fall under Articles 17 and 18 of the Personal Information Protection Act, such as with the consent of the data subject or when required by special provisions of the law.

Outsourcing of Personal Information Processing

① The Company does not outsource any personal information processing tasks.

Measures to Ensure the Security of Personal Information

To ensure the security of personal information, the Company implements the following measures:
  ① Administrative Measures: Establishment and implementation of internal management rules; minimization and training of personnel who handle personal information
  ② Technical Measures: Encryption of personal information; access control to personal information processing systems; installation of access control systems; storage and integrity protection of access logs
  ③ Physical Measures: Access control to restricted areas within personal information systems
  ④ The Company strives to manage users’ personal information securely and takes additional protective measures beyond the requirements of the Personal Information Protection Act.
    - The Company has acquired international security certification (ISO 27001).

Installation, Operation, and Rejection of Devices that Automatically Collect Personal Information

<Installation and Operation of Automatic Personal Information Collection Devices>

  ① To provide customized services and convenience, the Company uses “cookies” that store and retrieve usage information.
  ② A cookie is a small piece of information that a website server (http) sends to the user’s browser. It may be stored on the user’s PC hard drive or mobile device.
    - Purpose of Cookie Use: Used to generate user access statistics and improve services.
  ③ Data subjects can configure browser options to allow or block cookies. However, refusing to store cookies may result in difficulties in using customized services.
    ▶ How to Allow/Block Cookies in Web Browsers
      • Chrome: Browser Settings > Privacy and Security > Clear Browsing Data
      • Edge: Browser Settings > Cookies and Site Permissions > Manage and Delete Cookies and Site Data
      • Whale: Browser Settings > Privacy > Clear Browsing Data
    ▶ How to Allow/Block Cookies in Mobile Browsers
      • Chrome (mobile): Mobile Browser Settings > Privacy and Security > Clear Browsing Data
      • Safari: Device Settings > Safari > Advanced > Block All Cookies
      • Samsung Internet: Mobile Browser Settings > Internet Usage History > Delete Internet Usage History

<Collection, Use, Provision, and Rejection of Behavioral Information>

  ① The Company collects and uses behavioral information using cookies to provide optimized and improved services without identifying individuals.
  ② Behavioral information is collected as follows:

| Legal Basis | Items Collected | Collection Method | Purpose | Retention Period |
| --- | --- | --- | --- | --- |
| Article 15(1)(1) of the Personal Information Protection Act | Website visit history | Automatically collected when user visits website | Service improvement | Destroyed 60 days after collection |

  ③ The Company collects only the minimum behavioral information necessary for service improvement and does not collect sensitive information that may infringe on individual rights or privacy such as ideology, beliefs, educational background, or medical history.

Rights and Obligations of Data Subjects and Their Legal Representatives, and How to Exercise Them

  ① Data subjects may, at any time, exercise the following rights regarding their personal information processed by the Company: request access, correction, deletion, suspension of processing, withdrawal of consent, and request to object to or receive explanations for automated decision-making.
  ② In accordance with Article 41(1) of the Enforcement Decree of the Personal Information Protection Act, such rights may be exercised via written request, email, or fax (facsimile), and the Company will respond without delay.
    - Access/Correction: Contact the personal information processing department.
    - Withdrawal of Membership: Contact the personal information processing department.
    - Withdrawal of Consent/Automated Decisions: Contact the personal information processing department.
  ③ These rights may also be exercised through a legal representative or an authorized agent. In such cases, a power of attorney must be submitted. [Form No. 11 of the Notification on the Method of Processing Personal Information (No. 2023-12)] Power of Attorney
  ④ Requests for access or suspension of processing may be restricted pursuant to Article 35(4) and Article 37(2) of the Personal Information Protection Act.
  ⑤ Requests for correction or deletion may not be accepted if the personal information in question must be retained under another law.
  ⑥ When a data subject requests access, correction/deletion, or suspension of processing, the Company confirms whether the requester is the data subject or a legitimate representative.
  ⑦ Data subjects may make requests for access and related matters to the department below. The Company will make every effort to handle such requests promptly.
    ▶ Department for Requests Regarding Access to Personal Information
      • Department Name: QC Team
      • Contact: +82 (0)2-511-3601
      • Email: inquiry@healthhub.kr

Personal Information Protection Officer and Responsible Department

  ① The Company designates a person responsible for the overall management of personal information processing and for handling complaints and providing remedies related to personal information, as shown below:
  ② Data subjects may contact the Personal Information Protection Officer and the responsible department for all personal information protection inquiries, complaints, and remedies that arise while using the Company’s services. The Company will respond promptly to such inquiries.

| Category | Personal Information Protection Officer | Person in Charge |
| --- | --- | --- |
| Department | Director of R&D / CTO | QC Team |
| Name | Terry Byon (Byon Si-Seop) | Jeon Byung-Chan |
| Phone Number | +82 (0)2-511-3601 | +82 (0)2-511-3601 |
| Email | terrybyon@healthhub.kr | inquiry@healthhub.kr |

Remedies for Infringement of Data Subject’s Rights

Data subjects may seek dispute resolution or consultation regarding personal information infringement by contacting the Personal Information Dispute Mediation Committee or the Korea Internet & Security Agency (KISA) Personal Information Infringement Report Center. For reports and inquiries regarding personal information infringement, please contact the following organizations:
  ① Personal Information Dispute Mediation Committee: (no area code in S. Korea) 1833-6972 (www.privacy.go.kr)
  ② Personal Information Infringement Report Center (KISA): (no area code in S. Korea) 118 (privacy.kisa.or.kr)
  ③ Supreme Prosecutors’ Office: (no area code in S. Korea) 1301 (www.spo.go.kr)
  ④ Cyber Bureau of the National Police Agency: (no area code in S. Korea) 182 (ecrm.police.go.kr)
The Company strives to protect the data subject’s right to self-determination regarding personal information and to provide support for consultation and relief in the event of an infringement.
  ▶ Customer Support and Reports Regarding Personal Information Protection
    • Department: QC Team
    • Contact: +82 (0)2-511-3601
    • Email: inquiry@healthhub.kr

Changes to the Privacy Policy

  ① This privacy policy is effective as of July 1, 2025.
  ② Previous versions of the privacy policy may be found at the following link:
    - February 29, 2024 – June 30, 2025