Privacy Policy

Effective: January 1, 2026

Chaeeum Korean Medicine Hospital (hereinafter referred to as 'the Hospital') establishes and discloses the following personal information processing guidelines to protect the personal information of data subjects and to promptly and smoothly handle related grievances in accordance with Article 30 of the Personal Information Protection Act.

Article 1 (Purpose of Processing Personal Information)

The Hospital processes personal information for the following purposes. Personal information being processed shall not be used for purposes other than the following, and if the purpose of use changes, the Hospital will take necessary measures such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.

1. Website membership registration and management

Personal information is processed for purposes including confirming membership intent, identity verification for membership services, maintaining and managing membership status, preventing unauthorized use of services, various notices and notifications, and grievance handling.

2. Medical service provision

Personal information is processed for purposes including appointment scheduling, medical record management, prescription issuance, medical billing and payment, health insurance claims, personalized medical services, and identity verification.

3. Grievance handling

Personal information is processed for purposes including verifying the identity of complainants, confirming complaint details, contacting and notifying for fact-finding, and notifying processing results.

Article 2 (Processing and Retention Period of Personal Information)

① The Hospital processes and retains personal information within the period of personal information retention and use as prescribed by law or within the period agreed upon when collecting personal information from data subjects.

② The processing and retention period for each type of personal information is as follows.

1. Website membership registration and management

Until withdrawal from the website. However, in the following cases, until the end of the relevant reason:

1) If investigation or inquiry is in progress due to violation of relevant laws: until the end of such investigation or inquiry
2) If claims and obligations remain from website use: until settlement of such claims and obligations

2. Medical service records

Retention periods pursuant to Article 22 of the Medical Service Act and Article 15 of its Enforcement Rules:

- Patient registry: 5 years
- Medical records: 10 years
- Prescriptions: 2 years
- Surgical records: 10 years
- Examination findings: 5 years
- Radiographic images and reports: 5 years
- Nursing records: 5 years
- Copies of diagnostic certificates: 3 years

3. E-commerce related records

Retention periods under the Act on Consumer Protection in Electronic Commerce:

- Records on display/advertising: 6 months
- Records on contracts, withdrawal, payment, supply of goods: 5 years
- Records on consumer complaints or dispute resolution: 3 years

4. Communication records

Communication fact verification data retention under Article 41 of the Protection of Communications Secrets Act:

- Subscriber telecommunications date/time, start/end time, counterpart number, usage, base station location data: 1 year
- Computer communication, internet log records, access tracking data: 3 months

Article 3 (Provision of Personal Information to Third Parties)

① The Hospital processes personal information of data subjects only within the scope specified in Article 1 (Purpose of Processing Personal Information), and provides personal information to third parties only in cases falling under Articles 17 and 18 of the Personal Information Protection Act, such as consent of the data subject or special provisions of law.

② The Hospital provides personal information to third parties as follows for health insurance medical expense claims.

Health Insurance Medical Expense Claims

- Recipients: National Health Insurance Service (NHIS), Health Insurance Review and Assessment Service (HIRA)
- Purpose: Health insurance medical expense claims and review
- Items provided: Name, resident registration number, medical treatment details, prescription details, medical expense details
- Retention and use period: Retention period pursuant to the National Health Insurance Act

Article 4 (Entrustment of Personal Information Processing)

① The Hospital entrusts personal information processing as follows to ensure smooth service provision.

Personal Information Processing Entrustment

- Entrusted company: KCP
- Entrusted tasks: Mobile phone identity verification service
- Entrusted items: Name, date of birth, gender, mobile phone number, CI/DI
- Retention and use period: Destroyed immediately upon membership withdrawal

Article 5 (Rights of Users and Legal Representatives and How to Exercise Them)

① Data subjects may exercise the following rights related to personal information protection against the Hospital at any time:

1. Request to access personal information
2. Request for correction if there are errors
3. Request for deletion
4. Request to suspend processing

② Rights under Paragraph 1 may be exercised against the Hospital through writing, telephone, email, fax, etc., and the Hospital will take action without delay.

③ If a data subject requests correction or deletion of errors in personal information, the Hospital will not use or provide the personal information until the correction or deletion is completed.

④ Rights under Paragraph 1 may be exercised through a legal representative or authorized agent. In this case, a power of attorney in the form prescribed in Attached Form No. 11 of the Enforcement Rules of the Personal Information Protection Act must be submitted.

⑤ Data subjects shall not infringe upon the personal information and privacy of themselves or others being processed by the Hospital in violation of the Personal Information Protection Act and other relevant laws.

Article 6 (Personal Information Items Processed)

The Hospital processes the following personal information items.

1. Membership registration via social login

Collected items: Email, nickname, email address, profile photo
Collection method: Google, Kakao, Naver, Apple social login

2. Identity verification (for medical record access authorization)

Collected items: Legal name, personal identification code (CI/DI), mobile phone number, gender, date of birth
Collection method: Mobile phone identity verification (PASS)

3. Medical service provision

Required items: Name, resident registration number (alien registration number), address, phone number (including mobile), health insurance eligibility information, medical records, prescription information, test results, diagnostic information
Sensitive information: Health information (medical records, diagnostic results, examination findings, surgical records, etc.)
Collection method: Directly provided by the individual, generated during the course of medical treatment

※ Sensitive information is processed with separate consent from data subjects or pursuant to legal provisions in accordance with Article 23 of the Personal Information Protection Act.

4. Automatically collected items during internet service use

IP address, cookies, service usage records, visit records, etc.

5. Legal basis for processing resident registration numbers

The Hospital processes resident registration numbers based on the following laws.

- Article 22 of the Medical Service Act (Medical Records, etc.) and Article 15 of its Enforcement Rules: Requires recording patient name, resident registration number, etc. when creating medical records
- Article 48 of the National Health Insurance Act (Claims and Payment of Medical Expense Benefits): Resident registration number required for medical expense benefit claims
- Article 14 of the Enforcement Rules of the Medical Service Act (Patient Registry): Requires recording name, resident registration number, etc. in the patient registry

Article 7 (Destruction of Personal Information)

① The Hospital destroys personal information without delay when it becomes unnecessary due to expiration of retention period, achievement of processing purpose, etc.

② If personal information must be preserved under other laws despite the expiration of the agreed retention period or achievement of processing purpose, the personal information is transferred to a separate database (DB) or stored in a different location.

③ The procedures and methods for destroying personal information are as follows.

1. Destruction procedure

The Hospital selects personal information for which destruction reasons have occurred and destroys it with the approval of the personal information protection officer.

2. Destruction method

Personal information recorded and stored in electronic file format is destroyed using methods such as Low Level Format that make records unrecoverable, and personal information recorded and stored in paper documents is destroyed by shredding or incineration.

Article 8 (Measures to Ensure Safety of Personal Information)

The Hospital takes the following measures to ensure the safety of personal information:

1. Administrative measures: Establishment and implementation of internal management plans, regular employee training, etc.
2. Technical measures: Management of access rights to personal information processing systems, installation of access control systems, encryption of unique identification information, installation of security programs
3. Physical measures: Access control for computer rooms, data storage rooms, etc.

Article 9 (Installation, Operation and Rejection of Automatic Personal Information Collection Devices)

① The Hospital uses 'cookies' that store and retrieve usage information to provide individualized customized services to users.

② Cookies are small pieces of information sent by the server (http) operating the website to the user's computer browser and may be stored on the user's hard disk.

a. Purpose of cookies: Used to identify visit and usage patterns, security access status, etc. for each service and website visited by users, to provide optimized information.
b. Installation, operation and rejection of cookies: You can refuse cookie storage through your web browser settings.
c. If you refuse cookie storage, you may experience difficulty using customized services.

Article 10 (Personal Information Protection Officer)

① The Hospital designates the following personal information protection officer to be responsible for overall personal information processing and to handle complaints and remedies related to personal information processing.

▶ Personal Information Protection Officer
Name: Jaeho Jeong
Organization: Chaeeum Korean Medicine Hospital
Position: CTO
Email: cto@chaeeum.com

② Data subjects may inquire about all matters related to personal information protection, complaint handling, and damage relief arising from using the Hospital's services to the personal information protection officer. The Hospital will respond to and handle inquiries from data subjects without delay.

Article 11 (Request for Access to Personal Information)

Data subjects may request access to personal information pursuant to Article 35 of the Personal Information Protection Act to the department below. The Hospital will endeavor to process personal information access requests from data subjects promptly.

▶ Department for Access Requests
Department: Medical Affairs Office
Phone: 1533-0607

Access requests will be processed by the Personal Information Protection Officer.

Article 12 (Methods of Remedying Rights Infringement)

Data subjects may inquire about damage relief and consultation for personal information infringement at the following organizations.

▶ Personal Information Infringement Report Center (Operated by Korea Internet & Security Agency)
- Responsibilities: Personal information infringement reporting, consultation
- Website: privacy.kisa.or.kr
- Phone: (no area code) 118
- Address: 3F, 9 Jinheung-gil, Naju-si, Jeollanam-do (58324)

▶ Personal Information Dispute Mediation Committee
- Responsibilities: Personal information dispute mediation, collective dispute mediation (civil resolution)
- Website: www.kopico.go.kr
- Phone: (no area code) 1833-6972
- Address: 4F, Government Seoul Building, 209 Sejong-daero, Jongno-gu, Seoul (03171)

▶ Supreme Prosecutors' Office Cyber Investigation Division: 02-3480-3573 (cybercid.spo.go.kr)

▶ National Police Agency Cyber Investigation Bureau: 182 (cyberbureau.police.go.kr)

Article 13 (Enforcement and Amendment of Privacy Policy)

This Privacy Policy is effective from January 1, 2026.