Privacy Policy

UNOVINS Co., Ltd.doing business as “UnoVins” (hereinafter referred to as the “Company”) complies with applicable personal information protection regulations under relevant laws that information and communications service providers are required to observe, including the Act on Promotion of Information and Communications Network Utilization and Information Protection, the Personal Information Protection Act, and the Communications Secrecy Protection Act, in operating the UNO Healthcare Service and its related services (hereinafter referred to as the “Service”).

Through this Privacy Policy, the “Company” informs users of the purposes and methods by which personal information provided by members is used, and the measures taken to protect personal information. In the event this Privacy Policy is amended, the “Company” shall notify users of the reasons for and details of such amendments through the website, text messages, and other means.

The Company protects personal information as follows.

Article 1 Collection, Use, Retention, Destruction of Personal Information

Members

1. Purposes of collection and use

(1) Membership registration and authentication, provision of the Service, verification and prevention of “fraudulent use,” and customer support

(2) Payment, cancellation, and refunds

(3) Delivery

(4) Marketing and analytics

2. Profile information

(1) Personal information

・ Name, email address, password, CI, DI, gender, age group, occupational category, physical and biometric information (height, weight, etc.), health information, lifestyle habits, and questionnaire information

(2) Sensitive information

・ Facial identity information, biometric signals (pulse wave, height, weight, etc.)

(3) Unique identification information

ㆍ PC: PC MAC address, PC specifications, browser information, and other program version information used when accessing the Service

ㆍ Mobile devices (mobile phones, tablets, etc.): device type, OS information, device-specific unique identifiers (UDID, UUID, ADID/IDFA, IMEI, etc.), mobile carrier

ㆍ Other information: Service usage (suspension) records, website/mobile application access date and logs, cookies, and IP address

(4) Payment information

ㆍ Card issuer name, card number, expiration date, card password, date of birth

(5) Delivery information

ㆍ Delivery address, postal code, recipient name

(6) Marketing and analytics information

ㆍ IDFA, ADID

3. Retention and use period

(1) Membership registration and authentication, provision of the Service, verification and prevention of fraudulent use, and customer support

ㆍ Deleted one (1) month after a request for membership withdrawal

(2) Payment, cancellation/refunds, and delivery

ㆍ Retained for five (5) years (pursuant to the Act on Consumer Protection in Electronic Commerce, etc.)

(3) Marketing and analytics

ㆍ Learning data excluding personal information is retained permanently for analysis and statistical purposes

※ “Fraudulent use” refers to acts such as repeatedly re-registering after membership withdrawal or repeatedly subscribing and canceling in order to unlawfully or improperly obtain economic benefits such as coupons or event benefits provided by the “Company,” acts prohibited under the Terms of Service, identity theft, and other illegal or improper acts.

※ All of the above information may be used for customized information provision and statistical/analytical purposes in connection with Service usage.

Event Participants

1. Method of Collection

(1) Event entry

ㆍ Submission of event winner information via SNS, communities, bulletin boards, etc.

(2) Event winning

ㆍ Collected from winners via text message, email, or telephone

2. Items Collected

(1) Event entry

ㆍ Name, email address, mobile phone number

(2) Event winning

ㆍ For delivered goods: recipient name, contact information, address, postal code

ㆍ For coupons: name, email address, mobile phone number

3. Purpose of use

(1) Event entry: selection of winners

(2) Event winners: delivery of prizes

4. Retention and Destruction

ㆍ Collected information is destroyed within thirty (30) days after the end of the event

Dormant Members

  1. Long-term inactive members are those who have no Service usage records for one (1) year after their last use of the Service.
  2. The personal information of such members is safely stored separately, and notification is sent via text message or email at least thirty (30) days prior to the date of separate storage.
  3. If a long-term inactive member wishes to continue using the Service before being separately transferred to the inactive user database, the member must log in to the site.
  4. Upon request, users may reuse their accounts.

Personal Information Collected and Retention Periods Pursuant to Laws

  1. Records related to payment and supply of goods, etc.: five (5) years (Act on Consumer Protection in Electronic Commerce, etc.)
  2. Records related to contracts or withdrawal of subscription, etc.: five (5) years (Act on Consumer Protection in Electronic Commerce, etc.)
  3. Records related to electronic financial transactions: five (5) years (Act on Consumer Protection in Electronic Commerce, etc.)
  4. Records related to consumer complaints or dispute resolution: three (3) years (Act on Consumer Protection in Electronic Commerce, etc.)
  5. Records related to advertisements and labeling: six (6) months (Act on Consumer Protection in Electronic Commerce, etc.)
  6. Website visit records: three (3) months (Communications Secrecy Protection Act)

Article 2 Provision of Personal Information to Third Parties

  1. Personal information retained for the provision of the Service or compliance with legal obligations may be provided to third parties within the scope of the original purpose of collection.
  2. The “Company” does not use or provide members’ personal information beyond the scope specified in this Privacy Policy. However, exceptions apply in the following cases:
    (1) Where the data subject has given prior consent to third-party provision
    (2) Where necessary for payment settlement related to Service provision
    (3) Where there is a written request from relevant authorities for investigation or trial purposes pursuant to applicable laws
    (4) Where provided in a form that does not identify specific individuals for statistical compilation, academic research, or market research
    (5) Where requested in accordance with procedures prescribed by other relevant laws, including the Act on Real Name Financial Transactions and Confidentiality, the Act on the Use and Protection of Credit Information, the Framework Act on Telecommunications, the Telecommunications Business Act, tax laws, consumer protection laws, and the Criminal Procedure Act

Article 3 Entrustment of Personal Information Processing

  1. For smooth service provision and efficient business operations, the “Company” entrusts the processing of personal information as follows.
  2. The “Company” continuously manages and supervises entrusted parties to ensure that entrusted personal information is processed safely, and requires entrusted parties to immediately destroy personal information upon completion of the entrusted tasks.

1. Domestic Entrusted Processing of Personal Information

DK Techin Co., Ltd.: Notification delivery (Kakao message delivery)

Massacure Company Co., Ltd.: Provision and operation of facial recognition–based user authentication functions (until one (1) month after membership withdrawal or termination of the entrustment agreement)

※ Massacure Company Co., Ltd. provides technical infrastructure and analysis systems for facial recognition functionality. Facial images are not stored; only facial feature data generated for user authentication is retained for the above period and then irreversibly destroyed. The entrusted party does not use collected facial data for purposes other than user authentication nor re-provide it to third parties.

2. Overseas Entrusted Processing of Personal Information

Amazon Web Services (AWS): Server provision (infrastructure for Service operation)

Article 4 Procedures and Methods for Destruction of Personal Information

In principle, the “Company” destroys personal information immediately once the purpose for which it was collected has been achieved. The procedures, timing, and methods of destruction are as follows.

1. Destruction procedure

Personal information whose purpose of collection and use has been fulfilled is transferred to a separate database (or separate filing cabinet for paper documents) and safely stored in accordance with internal policies and relevant laws, and is destroyed without delay upon expiration of the retention period. Such information is not used for purposes other than those consented to by users or permitted by law.

2. Destruction method

(1) Electronic files are deleted using technical methods that render records irrecoverable.

(2) Personal information printed on paper is destroyed by shredding or incineration.

Article 5 Rights of Members and Methods of Exercise

  1. Users of the “Company’s” Services (or legal guardians for users under the age of 14) may exercise the following rights as data subjects.
  2. Members may request access to, correction of, withdrawal of consent for, deletion of, or viewing of their personal information at any time. However, refusal to consent to personal information processing may limit use of all or part of the Service.
  3. Requests for viewing, correction, or amendment may be processed via the personal information management menu on the website or through one-on-one inquiries. If incorrect personal information has already been provided to a third party for legitimate reasons, the “Company” shall promptly notify the third party of the correction results.
  4. Data subjects may request access to personal information pursuant to Article 35 of the Personal Information Protection Act by contacting the department below. Korea Physical Information Co., Ltd. will endeavor to process such requests promptly.

    Department for Personal Information Access Requests

    ㆍ Department : Healthcare Business Division

    ㆍ Contact : +82-70-4776-3304

    ㆍ Email : unocare@unovins.com

  5. Withdrawal of consent and deletion requests may be submitted through one-on-one inquiries. However, withdrawal or deletion may limit use of all or part of the Service, and withdrawal may be restricted for information collected pursuant to other laws.
  6. Membership withdrawal may be requested via ‘Settings > My Information Management > Withdraw,’ and automatic withdrawal is processed one (1) month after the request.
  7. Customer consultations and inquiries via the customer center may be recorded, with separate notice provided by the consultant.

Article 6 Personal Information Protection Officer and Contact Information

The “Company” designates the following Personal Information Protection Officer to oversee personal information processing and handle complaints and remedies related to personal information.

Personal Information Protection Officer

ㆍ Name : Jaeyong Lee

ㆍ Contact : unocare@unovins.com

Department Handling Personal Information Complaints

ㆍ Department : Healthcare Business Division

ㆍ Contact : +82-70-4776-3304

ㆍ Email : unocare@unovins.com

  1. All inquiries, complaints, and requests for remedies related to personal information protection arising from use of the Services may be directed to the Personal Information Protection Officer or customer support center, and the “Company” will respond without delay.
  2. Data subjects may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee or the Korea Internet & Security Agency Personal Information Infringement Report Center. For other reports or consultations, please contact the institutions below:
    • Personal Information Infringement Report Center: 118 (without area code) / privacy.kisa.or.kr
    • Supreme Prosecutors’ Office Cyber Crime Investigation Division: 1301 / www.spo.go.kr
    • National Police Agency Cyber Bureau: 182 / www.cyber.go.kr
    • Personal Information Dispute Mediation Committee: 1833-6972 / www.kopico.go.kr
  3. Any person whose rights or interests have been infringed due to an act or omission by the head of a public institution in response to requests under Articles 35 (Access), 36 (Correction and Deletion), or 37 (Suspension of Processing) of the Personal Information Protection Act may file an administrative appeal in accordance with the Administrative Appeals Act.

Article 7 Information Security Efforts of the Company

The “Company” strives to protect users’ personal information and implements the following technical and administrative measures to ensure safety against loss, theft, leakage, alteration, or damage.

1. Regular Internal Audits

Regular internal audits (once per quarter) are conducted to ensure stability in personal information handling.

2. Encryption of Personal Information

Personal information is encrypted and securely stored and managed in accordance with relevant laws and internal policies.

3. Measures Against Hacking

The “Company” makes best efforts to prevent leakage or damage of personal information due to hacking or computer viruses.

4. Minimization and Training of Personnel

Access to personal information is limited to designated personnel, with separate passwords assigned and periodically updated. Regular training is conducted to emphasize compliance with this Privacy Policy.

5. Operation of Dedicated Personal Information Protection Organization

The “Company” operates an internal personal information protection organization to monitor compliance and promptly correct any identified issues. However, the “Company” bears no responsibility for issues arising from users’ negligence or Internet-related problems resulting in leakage of IDs, passwords, or other personal information.

Article 8 Obligation to Notify

Policies on changes to this Privacy Policy are as follows:

This Privacy Policy takes effect as of the effective date. Any additions, deletions, or amendments due to changes in laws or policies will be announced through Service notices and via text message or email at least seven (7) days prior to implementation. In cases involving significant changes affecting users’ rights, such as collection, use, or third-party provision of personal information, notice will be provided at least thirty (30) days in advance.

Article 9 Miscellaneous

This Privacy Policy does not apply to the collection of personal information by websites of other companies linked through the Services. Users should review the privacy policies of newly visited websites.

Addendum

Announcement Date : December 3, 2025

Effective Date : December 3, 2025