Privacy Policy
Ontact Health Co., Ltd. (hereinafter referred to as the "Company") establishes and discloses this Privacy Policy in accordance with Article 30 of the Personal Information Protection Act in order to protect the personal information of data subjects and to handle related complaints promptly and smoothly.
Article 1 (Purpose of Processing Personal Information)
The Company processes personal information for the following purposes. The personal information being processed will not be used for purposes other than those specified below, and if the purpose of use changes, necessary measures, such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act, will be implemented.
Receipt and Handling of Customer Inquiries: Verification of user inquiries, contact/notification for fact-finding investigations, and notification of processing results.
Service Improvement and Statistical Analysis: Enhancing service quality through website visitor count analysis, inflow channel analysis, and statistical analysis.
Article 2 (Items of Personal Information Processed)
The Company operates as a non-membership service and collects the following personal information items through written forms (web forms) in the course of service use.
Article 3 (Processing and Retention Period of Personal Information)
The Company processes and retains personal information within the personal information retention and use period required by laws and regulations, or the period agreed upon by the data subject at the time of collection.
The respective personal information processing and retention periods are as follows:
Records related to the receipt and handling of inquiries: Retained for six (6) months from the completion of the inquiry and consultation handling, and then destroyed.
However, if it is necessary to retain records under the provisions of relevant laws and regulations, such as records regarding consumer complaints or dispute resolution, the information will be retained for the period specified by the relevant laws (Records on consumer dispute resolution: 3 years).
Article 4 (Delegation of Personal Information Processing)
For the smooth processing of personal information, the Company delegates personal information processing tasks as follows:
Delegate (Data Processor): Amazon Web Services, Inc.
Details of Delegated Task: Utilization of cloud server infrastructure for data storage and processing based on service usage
Delegation Period: Until the completion of inquiry handling or until the retention period required under relevant laws and regulations expires
When concluding a delegation contract, the Company specifies matters concerning responsibilities, such as the prohibition of processing personal information for purposes other than the performance of delegated tasks, technical and managerial protective measures, restrictions on re-delegation, management and supervision of the delegate, and compensation for damages in documents such as contracts in accordance with Article 26 of the Personal Information Protection Act, and supervises whether the delegate handles personal information safely.
Article 5 (Provision of Personal Information to Third Parties)
The Company processes the personal information of data subjects only within the scope specified in Article 1 (Purpose of Processing Personal Information) and provides personal information to third parties only in cases falling under Articles 17 and 18 of the Personal Information Protection Act, such as with the consent of the data subject or under special provisions of the law. Currently, the Company does not provide personal information to third parties.
Article 6 (Procedure and Method of Personal Information Destruction)
The Company destroys personal information without delay when the personal information becomes unnecessary, such as upon the expiration of the retention period or the achievement of the processing purpose.
If personal information must continue to be preserved under other laws and regulations despite the expiration of the retention period agreed upon by the data subject or the achievement of the processing purpose, the personal information will be transferred to a separate database (DB) or stored in a different location.
The destruction procedure and method are as follows:
Destruction Procedure: The Company selects the personal information that has triggered a reason for destruction and destroys it upon approval by the Company's Chief Privacy Officer.
Destruction Method: Personal information recorded and stored in electronic file format is destroyed using technical methods that cannot reproduce the records (such as Low-Level Format), and personal information recorded and stored in paper documents is destroyed by shredding with a shredder or by incineration.
Article 7 (Rights and Obligations of Data Subjects and Methods of Exercise)
Data subjects may exercise their rights, such as requesting access to, correction of, deletion of, or suspension of processing of their personal information, against the Company at any time.
The exercise of rights can be made to the Company in writing or via email, and the Company will take action without delay.
The exercise of rights may be conducted through a representative, such as a legal representative of the data subject or an authorized agent. In this case, a power of attorney in accordance with Form No. 11 of the "Notification on Personal Information Processing Methods" must be submitted.
Requests for access to and suspension of processing of personal information may restrict the rights of the data subject under Article 35 (4) and Article 37 (2) of the Personal Information Protection Act. Requests for the deletion of personal information cannot be made if the personal information is specified as a collection target under other laws and regulations.
Article 8 (Measures to Ensure the Safety of Personal Information)
The Company takes the following measures to ensure the safety of personal information:
Managerial Measures: Establishment and implementation of internal management plans, conducting regular internal audits, minimizing and training personnel handling personal information, etc.
Technical Measures: Access authority management for personal information processing systems, installation of access control systems, encryption of unique identification information, installation of security programs, etc.
Physical Measures: Access control and operating locking devices for personal information storage locations such as the infrastructure/security team.
Article 9 (Installation, Operation, and Rejection of Automatic Collection Devices for Personal Information)
The Company uses 'cookies' that store and retrieve user information from time to time to provide individual customized services to users.
Cookies are a small amount of information that the server (HTTP) used to operate the website sends to the user's computer browser and may be stored on the hard disk inside the user's PC computer.
Purpose of Using Cookies: Cookies are used to provide optimized information to users by understanding the visit and usage patterns for each service and website visited by the user.
Installation, Operation, and Rejection of Cookies: Users have the right to choose whether to install cookies. Users can refuse to store cookies through option settings in Tools > Internet Options > Privacy menu at the top of the web browser. However, if you refuse to store cookies, you may experience difficulties in using some customized services.
Article 10 (Chief Privacy Officer and Designated Department)
For all inquiries, complaint handling, and damage remedy related to personal information protection that arise while using the Company's services, you may contact the Chief Privacy Officer and the designated departments below. The Company will answer and handle the inquiries of data subjects without delay.
Chief Information Security Officer (CISO)
Chief Privacy Officer (CPO)
Information Security Manager
Department in Charge of Information Security
Article 11 (Department for Receiving and Processing Requests for Access to Personal Information)
Data subjects may submit a request to access their personal information under Article 35 of the Personal Information Protection Act to the following department. The Company will make every effort to ensure that requests for access to personal information are processed swiftly.
Article 12 (Remedies for Infringement of Rights and Interests of Data Subjects)
Data subjects may apply for dispute resolution or consultation to the Personal Information Dispute Mediation Committee, the Privacy Infringement Report Center of the Korea Internet & Security Agency, etc., to receive remedies for personal information infringement. For other reports or consultations regarding personal information infringement, please contact the following institutions:
Personal Information Dispute Mediation Committee: (Without area code) 1833-6972 (www.kopico.go.kr)
Privacy Infringement Report Center (KISA): (Without area code) 118 (privacy.kisa.or.kr)
Supreme Prosecutors' Office: (Without area code) 1301 (www.spo.go.kr)
National Police Agency: (Without area code) 182 (ecrm.cyber.go.kr)
Article 13 (Amendment of the Privacy Policy)
This Privacy Policy shall apply from June 30, 2026.