Privacy Policy
OSANG HEALTHCARE Co., Ltd. (hereinafter referred to as the "Company") complies with relevant privacy protection regulations, including the Act on Promotion of Information and Communications Network Utilization and Information Protection, the Personal Information Protection Act, and the Act on the Use and Protection of Credit Information. The Company is committed to protecting the rights and interests of users in accordance with relevant laws and regulations. If modifications to this Privacy Policy are necessary due to changes in relevant laws, regulations, or the Company's internal regulations and/or policies, users will be notified via announcements on this website (or through other means such as written notices or emails).
Purpose of Processing Personal Data, Data Collection Items, and Methods
The Company processes the following personal data items on its website for the purposes listed below. The collected data will not be used for any purposes other than those stated below.
No | Purpose of Data Processing | Personal Data Items | Collection Method |
---|---|---|---|
1 | Service Inquiry | Name, Contact Info, Email | The user’s data is collected when the user agrees and enters information directly. |
2 | Customer Product Registration | Name, Contact Info, Email, Gender, Year/Date of Birth | The user’s data is collected when the user agrees and enters information directly. |
3 | Recruitment Guidance and Resume Information etc. | Required: Personal Identification Information (photo, name, year/date of birth, gender, address, phone number, email address, emergency contact), Nationality (nationality/visa type), Education (attendance period, school, major, graduation status, main branch/branch, average grade), Military Service (branch, type, rank, discharge status, service period, exemption reason etc.), Work Experience (employment period, employer, position, job duties, salary information etc.), Other Information (disability/war veteran status) Optional: Education completion, certificates, language proficiency, overseas experience, hobbies, special skills, smoking status, etc. | The user’s data is collected when the user agrees and enters information directly. |
Users have the right not to consent to the collection and provision of their personal data. However, since the data is necessary for the purposes stated above, failure to provide the data may result in the inability to confirm facts or notify process results related to those purposes. Therefore, if a user does not consent to the provision of personal data, related services or support may be restricted.
Retention and Destruction of Personal Data
The Company retains personal data for the following periods. Once the retention period expires and the purpose for which the data was collected is fulfilled, the data will be destroyed without delay. However, if retention is required by law or if there are ongoing investigations or inquiries due to legal violations, the data will be retained until the conclusion of such procedures. The details of personal data processing and retention periods are as follows:
No | Purpose of Data Processing | Personal Data Items | Collection Method | Retention Period |
---|---|---|---|---|
1 | Service Inquiry | Name, Contact Info, Email | The user’s data is collected when the user agrees and enters information directly. | 3 years |
2 | Customer Product Registration | Name, Contact Info, Email, Gender, Year/Date of Birth | The user’s data is collected when the user agrees and enters information directly. | 3 years |
3 | Recruitment Guidance and Resume Information etc. | Required: Personal Identification Information (photo, name, year/date of birth, gender, address, phone number, email address, emergency contact), Nationality (nationality/visa type), Education (attendance period, school, major, graduation status, main branch/branch, average grade), Military Service (branch, type, rank, discharge status, service period, exemption reason etc.), Work Experience (employment period, employer, position, job duties, salary information etc.), Other Information (disability/war veteran status) Optional: Education completion, certificates, language proficiency, overseas experience, hobbies, special skills, smoking status, etc. | The user’s data is collected when the user agrees and enters information directly. | 1 year |
Once the purpose of data processing has been fulfilled, the personal data will be destroyed promptly. In exceptional cases, the data may be stored for a certain period according to internal policies before destruction. The personal data will not be used for purposes other than those specified, unless required by law.
Destruction Method
Personal data stored in electronic files will be deleted using irreversible technical methods. Printed personal data will be shredded or incinerated.
Outsourcing and Providing Personal Data to Third Parties
The Company processes personal data only for the purposes specified in this Privacy Policy. However, with prior consent from the user or in compliance with legal requests from law enforcement agencies in accordance with legal process, the Company may provide personal data to third parties. Currently, the Company does not outsource the processing of personal data related to its website. If the Company decides to outsource personal data processing or provide personal data to third parties in the future, users will be notified of the recipients, the personal data provided, the reason for provision, and the provision period via email or written notice, and users' individual consent will be obtained. If they do not consent, their personal data will not be provided to third parties.
Technical and Administrative Measures for Protecting Personal Data
Establishment and Implementation of Internal Management Plan
The Company takes technical and administrative measures to ensure the security of users' personal information and to prevent its loss, theft, leakage, alteration, or damage during processing. An internal management plan has been established and implemented to ensure the secure handling of personal information.
Installation and Operation of Access Control Systems
The Company uses intrusion prevention systems to control unauthorized external access and strives to adopt all possible technical measures to enhance system security.
Prevention of Record Alteration or Forgery
Access records to personal information processing systems are retained and managed, with security features in place to prevent forgery or alteration.
Encryption of Personal Information
Users' personal information is protected by passwords. Files and transmission data are encrypted or protected using file-locking functions, and critical data is secured through additional security measures.
Measures Against Hacking and Other External Threats
The Company uses antivirus programs to prevent damage caused by computer viruses. These programs are regularly updated, and immediate updates are provided to counteract newly emerging viruses, protecting personal information from breaches. A security device (SSL) employing encryption algorithms has been adopted to securely transmit personal information over networks. Each server is equipped with intrusion prevention systems and vulnerability analysis tools to maintain robust security against external intrusions.
Access Control for Unauthorized Personnel
Personal information is stored separately from general data through dedicated servers, and access control procedures are established and operated to prevent unauthorized entry.
Minimization and Training of Personnel Handling Personal Information
Continuous training is provided to staff responsible for handling personal information, emphasizing adherence to the Company’s privacy policies. Access to users' personal information is strictly limited to personnel directly engaged in marketing activities, the Data Protection Officer and designated staff, and individuals whose duties require unavoidable access to personal information. Regular internal and external training sessions are conducted for employees handling personal information, covering new security technologies and privacy protection obligations. Upon joining the Company, all employees sign an information security pledge to prevent information leakage, and internal procedures are in place to monitor compliance with privacy policies. The transfer of responsibilities involving personal information is strictly managed to maintain security, and accountability for personal information incidents is clearly defined both before joining the Company and after joining the Company. Computer rooms and data storage areas are designated as special protection zones with restricted access.
User Rights and How to Exercise Them
1. Users may exercise the following rights regarding their personal data:
   1. Request to view personal information
   2. Request correction of errors
   3. Request deletion
   4. Request suspension of processing
   5. Request withdrawal of consent
2. Users can exercise these rights by contacting the Company via written request, email, phone, or in person etc. After confirming the identity of the user, the Company will take action and support without delay.
3. If a user requests correction or deletion of personal data, the Company will not use or provide the data until the correction or deletion is complete.
4. Users must not violate laws by infringing on the privacy of others or by processing personal data inappropriately.
However, withdrawal of consent, suspension of processing, or correction and deletion of personal information may not be permitted in the following cases:
- When access is prohibited or restricted by law
- When there is a risk of harm to another person's life or body, or a risk of unjustly infringing on another person's property or other interests
Matters Regarding the Rights, Obligations, and Methods of Exercise for Data Owner(Holder) and Their Legal Representatives
1. Users may exercise their rights at any time to request access to, correction, deletion, suspension of processing, withdrawal of consent regarding their personal information, or to refuse or request an explanation regarding automated decision-making.
※ In the case of a child under the age of 14, requests regarding the access, etc., of personal information must be made directly by the legal representative. For minors aged 14 or older, the data owner(holder) may exercise their rights personally or through their legal representative.
2. Rights can be exercised by submitting a written request, by email, by fax, or by other means in accordance with Article 41(1) of the Enforcement Decree of the Personal Information Protection Act. The company will promptly take action regarding such requests.
3. Rights may also be exercised through a representative, such as the data owner(holder)’s legal representative or a delegated person. In such cases, a power of attorney must be submitted in accordance with Form No. 11 of the "Notification on the Personal Information Processing Method (No. 2025-5)."
4. The right to request access to and suspension of processing of personal information may be restricted pursuant to Article 35(4) and Article 37(2) of the Personal Information Protection Act.
5. If another law explicitly designates the relevant personal information as a subject of collection, deletion of such information cannot be requested.
6. If the data owner(holder) has given prior consent to automated decision-making, or if it has been pre-notified through a contract or explicitly stipulated by law, the right to refuse automated decision-making will not be recognized; only requests for explanation and review will be permitted.
- Furthermore, if there is a legitimate reason, such as the risk of unjustly infringing upon the life, body, property, or other interests of another person, requests to refuse or explain automated decision-making may be denied.
7. When exercising rights such as access, correction, deletion, suspension of processing, or refusal/explanation of automated decisions, the identity of the requesting party or their legitimate representative will be verified.
Installation/Operation of Automatic Collection Devices (Cookies)
1. Cookies
The Company uses cookies to store and retrieve user information from time to time in order to provide personalized and customized services. A cookie is a small text file that a server used to operate the website sends to the user’s browser and is stored on the user's computer hard drive. When the user visits the website again, the server reads the contents of the cookie stored on the user’s hard drive to maintain user preferences and provide customized services. Cookies do not automatically or actively collect information that identifies individuals, and users can choose to refuse or delete cookies at any time.
2. Purpose of Using Cookies
Cookies are used for purposes such as displaying pop-ups on the main screen and collecting statistical data (e.g., number of visits, most frequently visited pages).
3. Users have the right to choose whether to install cookies.
Therefore, users can set options in their web browser to allow all cookies, to be notified whenever cookies are stored, or to refuse the storage of all cookies. However, if the user refuses to store cookies, some services may not function properly.
Personal Data Protection Officer and Contact Information
For inquiries regarding personal data processing, the Company has designated the following Personal Data Protection Officer and customer service department:
Responsibility and Department in charge of Personal Information Protection
- Personal Data Protection Officer: Kim Sang-Yeop, Director
- Department : IT Department
- Phone : +82-31-460-0371
- Email : sykim1@osanghc.com
Customer Service Department
- Department : C/S Department
- Phone : +82-80-300-8114
- Email : ohc_cs@osanghc.com
Remedy for Infringement of Authority
For issues related to privacy infringement, users may contact the following government bodies:
ㆍPersonal Data Dispute Resolution Committee : +82-1833-6972(www.kopico.go.kr)
ㆍPersonal Data Infringement Report Center : 118(privacy.kisa.or.kr)
ㆍCyber Crime Investigation Team, Supreme Prosecutors’ Office : 1301(www.spo.go.kr)
ㆍCyber Safety Division, Korean National Police Agency : 182(ecrm.cyber.go.kr)
Changes to the Privacy Policy
The Company will continuously post any changes to this Privacy Policy on its website.