Privacy Policy

Dairoot Privacy Policy

Dairoot (hereinafter referred to as the "Company") considers the protection of personal information very important and is doing its best to ensure that the personal information provided to the Company by users while using the patient portal app service (hereinafter referred to as the "Service") is protected.

The Company has established and complies with a personal information processing policy based on relevant laws and regulations such as the Communications Privacy Protection Act, the Telecommunications Business Act, the Personal Information Protection Act, and the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc., which information and communications service providers must comply with. This privacy policy may be changed from time to time due to changes in government laws and guidelines or changes in the Company's internal policies.

1. Collection of Personal Information and Methods

A. Information Collected During Registration

  • Required information: ID, password, name, email, phone number, date of birth, gender, hospital information
  • Optional information: Profile image, SNS contact information (such as KakaoTalk, Line, WhatsApp, etc.)

B. Information Collected During Health Questionnaire Completion

  • Weight-related information: Lowest/highest weight since adulthood, recent weight changes, target weight, scale ownership, family weight status
  • Diet-related information: Diet methods experienced, recent diet timing, reasons for dieting, preferred diet methods
  • Lifestyle information: Occupation, exercise frequency, main exercise type, coffee/water/alcohol intake, caffeine response, sleep time and quality, eating habits, frequently consumed foods
  • Health status information: Health supplements/medications being taken, diagnosed conditions, surgery experience, colonoscopy experience, digestive status, physical condition information
  • Women's health information: Pregnancy/breastfeeding status, menstrual cycle, post-menstrual swelling

C. Information Collected During Service Use

  • Health record information: Weight records, diet records, medication records, condition records
  • Prescription information: Prescription date, prescribed medications, dosage instructions, precautions
  • Usage records: Connection time, login information, service usage records, session information, IP address
  • Device information: Device model, OS version, app version, mobile advertising identifier

D. Collection Methods

  • In-app registration and survey forms
  • Information directly entered by users during service use
  • Information through automatic collection devices (cookies, mobile advertising identifiers, etc.)
  • Information transmitted from connected medical institutions (when medical institutions are linked)

2. Purpose of Collecting and Using Personal Information

Information Categories and Purpose of Use

ID, password, name, email, phone number, date of birth, gender, hospital information:

  • Member identification and authentication
  • Confirmation of registration intent and account management
  • Service-related notifications and communication
  • Information linkage and service provision with hospitals

Profile image, SNS contact information:

  • User profile settings
  • Notification and announcement delivery
  • Providing communication features within the service

Weight-related information, diet-related information, lifestyle information, health status information, women's health information:

  • Providing health and diet management services
  • Recommending personalized health management programs
  • Providing health status analysis and statistical data
  • Supporting medical services when linked with medical institutions

Health record information, prescription information:

  • Providing health management services
  • Providing prescription and medication management services
  • Providing personalized health reminder services

Usage records, device information:

  • Service usage analysis and improvement
  • Prevention of fraudulent use and error response
  • Identifying access frequency and service usage statistics

3. Retention and Use Period of Personal Information

The Company will, in principle, destroy personal information without delay after the purpose of collecting and using personal information has been achieved. However, the following information will be retained for the periods stated below for the following reasons:

A. Retention According to Relevant Laws

  • Act on Consumer Protection in Electronic Commerce: Records related to contracts or subscription withdrawals (5 years), records on payment and supply of goods (5 years), records on consumer complaints or dispute resolution (3 years)
  • Electronic Financial Transactions Act: Records of electronic financial transactions (5 years)
  • Communication Privacy Protection Act: Login records (3 months)
  • Medical Service Act: Records related to prescriptions (2 years)

B. Retention Based on Internal Policies

  • Member registration and service usage records: Up to 30 days after membership withdrawal
  • Health information and service usage details: Immediately deleted upon membership withdrawal (excluding anonymized information used for statistical purposes)

C. Processing Method upon Membership Withdrawal

When a member requests withdrawal, their personal information is immediately deleted, and only information that needs to be retained according to relevant laws is stored separately. Personal information that is separately stored will be destroyed without delay after the period specified by law has elapsed.

4. Procedures and Methods for Destroying Personal Information

In principle, the Company destroys the relevant information without delay after the purpose of collecting and using personal information has been achieved. The procedures and methods for destruction are as follows:

A. Destruction Procedure

  • Information entered for member registration, etc., is stored for a certain period according to internal policies and relevant laws after the purpose has been achieved, and then destroyed.
  • Personal information that must be preserved according to law is stored separately for the period specified by law and then destroyed.

B. Destruction Method

  • Personal information stored electronically: Deleted using technical methods that cannot reproduce the records
  • Personal information printed on paper: Destroyed by shredding or incineration

5. Provision of Personal Information to Third Parties

The Company does not, in principle, provide users' personal information to external parties. However, the following cases are exceptions:

  • Provision of information to medical institutions that the user has set up to link when using the service (when necessary for patient care and health management)
  • When required by law or when requested by investigative agencies according to procedures and methods prescribed by law for investigation purposes
  • When it is necessary for statistical compilation, academic research, or market research and is provided in a form that cannot identify specific individuals

When providing personal information to third parties, the Company will inform users in advance about who the third party is, what information is needed and why, and how long and how it will be managed, and obtain consent.

6. Measures to Ensure the Security of Personal Information

The Company takes the following measures to ensure the security of personal information:

A. Administrative Measures

  • Designation of personnel responsible for personal information management and regular employee training
  • Establishment and implementation of internal management plans related to personal information handling
  • Conducting regular self-audits

B. Technical Measures

  • Application of encryption technology for personal information storage and transmission
  • Installation and regular updating of security programs to protect against hacking or computer viruses
  • Blocking unauthorized access from outside through the installation of access control systems
  • Management of access rights to personal information processing systems

C. Physical Measures

  • Access control to personal information storage locations such as computer rooms and data storage rooms
  • Control of the export and import of documents and storage media containing personal information

7. Installation, Operation, and Refusal of Automatic Personal Information Collection Devices

The Company may use automatic collection devices such as cookies to improve app usability and provide customized services.

A. Installation and Operation of Automatic Collection Devices

  • Cookies: Small text files sent by servers operating websites to users' devices and stored on users' devices.
  • Mobile advertising identifier: A unique identifier provided by the OS for mobile advertising activities (such as ADID for Android, IDFA for iOS).

B. Purpose of Installation

  • Service usage record and statistical analysis for service improvement
  • Providing customized content through user behavior analysis
  • Maintaining login status

C. Refusal Method

Users can refuse the installation and operation of automatic collection devices.

  • Cookies: Can be refused through web browser settings menu.
  • Mobile advertising identifier: Can be limited through the settings menu of the mobile device.

However, if automatic collection devices are refused, there may be difficulties in using the service.

8. Personal Information Protection Officer

The Company has designated a personal information protection officer to take overall responsibility for handling personal information processing and to handle complaints and remedies for data subjects related to personal information processing as follows:

Personal Information Protection Officer: Kim Tae-hyun
Position: Personal Information Protection Officer
Contact: 02-2678-0220, tree@ampletree.co.kr

You can contact the personal information protection officer regarding inquiries, complaints, and remedies related to personal information protection. The Company will respond and handle data subjects' inquiries without delay.

9. Rights of Data Subjects, including the Right to View, Correct, Delete, and Suspend Processing of Personal Information

Data subjects can exercise the following rights regarding their personal information processed by Dairoot:

  • Right to request access to personal information: You can request access to personal information held by the Company.
  • Right to request correction of errors: You can request correction if there are errors in your personal information.
  • Right to request deletion: You can request deletion of your personal information.
  • Right to request suspension of processing: You can request suspension of processing of your personal information.

The above rights can be exercised against the Company in writing, by telephone, email, fax, etc., and the Company will take action without delay.

If a data subject requests correction or deletion of errors in personal information, the Company will not use or provide that personal information until the correction or deletion is completed.

Rights can also be exercised through a legal representative or a person who has been delegated authority. In this case, you must submit a power of attorney according to Form No. 11 of the Enforcement Rules of the Personal Information Protection Act.

10. Changes to the Privacy Policy

This Privacy Policy is effective from March 10, 2025.

Previous versions of the Privacy Policy can be found in the in-app notices.

If there are additional changes according to laws and policies, we will notify you through notices 7 days before the implementation of the changes.

11. Technical and Managerial Protection Measures for Personal Information

The Company has implemented the following technical and managerial measures to ensure the security of personal information so that it is not lost, stolen, leaked, altered, or damaged when processing users' personal information:

A. Password Encryption

Member passwords are encrypted, stored, and managed so that only the user knows them, and important data is protected through separate security functions such as encrypting files and data or using file locking functions.

B. Measures Against Hacking

The Company is doing its best to prevent members' personal information from being leaked or damaged by hacking or computer viruses.

Data is regularly backed up to prepare for damage to personal information, and the latest antivirus programs are used to prevent users' personal information or data from being leaked or damaged.

The Company enables secure transmission of personal information over networks through encrypted communication, and controls unauthorized access from outside using access blocking systems.

C. Minimization and Training of Personal Information Processing Staff

Staff who process personal information are designated to a minimum, and regular training on personal information protection obligations and security is conducted.

12. Contact Information Regarding the Privacy Policy

If you have any questions regarding the Privacy Policy, please contact the Personal Information Protection Officer at the following contact information:

Email: tree@ampletree.co.kr
Phone: 02-2678-0220
Address: 1st Floor, 92 Dangsan-ro, Yeongdeungpo-gu, Seoul, Republic of Korea

If you need to report or consult about other personal information infringements, please contact the following agencies:

  • Personal Information Infringement Report Center (privacy.kisa.or.kr / 118, no area code)
  • Personal Information Dispute Mediation Committee (www.kopico.go.kr / 1833-6972)
  • Supreme Prosecutors' Office Cyber Investigation Division (www.spo.go.kr / 1301, no area code)
  • National Police Agency Cyber Security Bureau (cyberbureau.police.go.kr / 182, no area code)