OsteoSys (hereinafter, “the Company”) complies with personal information protection regulations and does its best to protect user rights by establishing privacy policies for its bone mineral density and body composition analysis system, its website, and the OsteoSys Mobile Application (collectively, “Web Services”).
*web-site: www.osteosys.com, www.osteosys.com/en
It is not mandatory for users to provide their personal information and the user has the right to withhold their consent to the collection of their personal information. However, by opting not to provide personal information, certain features may not be available to users, the user’s experience may be negatively affected, and users may not be able to receive support services from the Company.
1. Types of Personal Information Collected and Methods of Collection
A. Types of Personal Information Collected
Firstly, the Company collects the following personal information through ‘Input mobile no.’, ‘Input ID’, ‘Input height’, ‘Input Gender’ or ‘Input age’ during bone density and body composition analysis. This facilitates provision of various services such as member sign-up and efficient customer care.
Secondly, during use of OsteoSys Web services or during operation of the business, the following types of information may be generated and collected automatically.
– IP address, cookie, date visited, service usage log, error log
Thirdly, information may be collected only from users of additional services, customized services, or services to which the users have given consent to additional personal information collection during the process of participating in promotional events.
B. Methods of Collecting Personal Information
The Company collects personal information using the following methods.
<All OsteoSys Models>
– Personal information is collected using ‘Input mobile no.’, ‘Input ID’, ‘Input height’, ‘Input Gender’ or ‘Input age’ during the OsteoSys test.
– Personal information is collected during the sign-up process in OsteoSys Web.
2. Collection of Personal Information and Purpose of Use
The Company collects personal information from users for the following purposes:
A. Provision of Service
Provision of content, provision of specific customized services, delivery of goods or sending of bills, etc., identity authentication, purchasing and payment processing, collection of fees
B. Member Management
Identity authentication for use of membership-based services or limited identity authentication programs, personal identification, prevention of unauthorized use or abuse by defective members, confirmation of sign-up intent, restriction of sign-up or sign-up attempts, recordkeeping for dispute resolution, handling of complaints and delivery of notices
C. Use for Development of New Services and Marketing/Advertisements
Development of new services and provision of customized services, provision of services based on statistical characteristics, validation of services, provision of information on promotional events and provision of opportunity to participate, assessing access frequency, statistics on service usage by members
D. General Purposes
Monitoring and recording communications (such as telephone conversations and e-mail) for the purpose of improving the quality of the Company’s services, to send users newsletters when users have subscribed for the Company’s newsletter, to comply with the Company’s regulatory and corporate governance obligations, gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests, operational reasons such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, investigating complaints and allegations of criminal offenses, providing customer service, and to give effect to the commercial transactions between the Company and the users.
3. Sharing and Provision of Personal Information
The Company uses personal information of users within the scope notified in “2. Collection of Personal Information and Purpose of Use” and does not use any personal information beyond the above-mentioned scope or disclose any personal information of users to third parties without the prior consent of the user. However, exceptions apply under the following circumstances:
– the user has given prior consent to such disclosure;
– there is a request from an investigational agency pursuant to provisions of laws or through procedures and methods stipulated in laws for investigational purposes; or
– there is a request for personal information from a government agency for providing various services.
The Company may also disclose personal information of users to:
– other Companies within the OsteoSys group;
– service providers, institutions, or commercial organizations that are collaborating with the Company;
– a third party who acquires the Company or substantially all of the Company’s assets, in which case the personal data shall be one of the acquired assets; and
– other software providers users may request to give users access to users’ OsteoSys device data.
4. Consigned Handling of Personal Information
The Company may consign entry of personal information to personal information processing officers at sites where the program is used. Such officers shall receive adequate training to ensure that the personal information stored is not lost, stolen, leaked, altered, or damaged.
5. Retention and Usage Periods of Personal Information
As a general rule, personal information of users is destroyed once its purpose of collection and usage is achieved. However, the following information may be retained for the periods stated, for the reasons given.
A. Reasons for Retention of Information Based on Company’s Internal Policy
– Recordkeeping of information abuse
* Reason for retention: Prevention of abuse
* Period of retention: 1 year
B. Reasons for Retention of Information Pursuant to Relevant Laws
When retention is required by provisions of relevant laws such as the Commercial Act and the Act on the Consumer Protection in Electronic Commerce, etc., the Company retains member information for a specific period, as stipulated in relevant laws. In such a case, the Company uses the information retained only for the purpose of such retention for the following retention periods.
– Recordkeeping on website access
* Reasons for retention: Protection of Communications Secrets Act
* Period of retention: 3 months
– Records on identity authentication
* Reasons for retention: Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.
* Period of retention: 6 months
– Records on consumer complaints and dispute resolution
* Reasons for retention: Act on the Consumer Protection in Electronic Commerce, etc.
* Period of retention: 3 years
6. Procedure and Methods of Destruction of Personal Information
As a general rule, personal information of users is destroyed once its purpose of collection and usage is achieved. Procedures and methods used by the Company to destroy personal information are as follows.
A. Procedure of Destruction
* Once the purpose of the information is achieved, information entered by the user for member sign-up, etc. is moved to a separate database (separate cabinet in case of information on paper), stored for a specific period in accordance with internal policy and reasons for information protection pursuant to other relevant laws, and destroyed.
* Such personal information is not used for purposes other than the stipulated purpose of retention, unless required by law.
B. Method of Destruction
* Personal information printed on paper is destroyed by using a shredder or by incineration.
* Personal information stored in electronic file formats is erased beyond recovery using technical means.
7. Rights of Users and Legal Attorneys and Methods of Exercising the Rights
The user or their legal attorney may, at any time, view and edit registered personal information of the user or the child concerned under the age of 16* and may request cancelation of membership.
The user may click ‘Edit Personal Information’ (or ‘Edit User Information’, etc.) to view and edit personal information of the user or the child concerned under the age of 16, and may click ‘Cancel Membership’ to cancel membership (withdraw consent). Once the user completes the identity authentication process, they will be able to view and edit the information or cancel membership on their own.
* Children who require parental consent in EU member states:
– under the age of 13: Belgium, Denmark, Estonia, Finland, Latvia, Malta, Portugal, Sweden
– under the age of 14: Austria, Bulgaria, Cyprus, Italy, Lithuania, Spain
– under the age of 15: Czech, France
– under the age of 16: Croatia, Germany, Greece, Hungary, Ireland, Luxembourg, Holland, Poland, Romania, Slovakia, Slovenia
* Children who require parental consent in California:
– under the age of 18
* Children who require parental consent in China:
– under the age of 14
* The above is as of October 2019 and may change afterwards.
Alternatively, the user may contact the Company in writing, by phone, or by email for immediate action. Once the user has made a request for correction of errors in personal information, such information shall not be used or provided until the corrections are made. Also, if incorrect personal information has already been provided to a third party, the Company shall immediately notify the third party of the correction processing results so that the necessary corrections are made. The Company processes personal information of users which has been canceled or deleted at the request of the user or legal attorney in accordance with the provisions of “5. Retention and Usage Periods of Personal Information” and ensures that the personal information is not viewed or used for other purposes.
8. Matters Concerning Installation/Operation of Automatic Personal Information Collection Mechanism and Refusal Thereof
In order to provide personalized and customized services, the Company uses ‘cookies’ to save and frequently load the user’s information. A cookie is a very small text file sent from the server, which is used to run the website, to the user’s web browser. The cookie is stored on the hard disk of the user’s computer.
A. Purpose of Using Cookies
* Cookies are used for analyzing the user’s visit and usage patterns, etc. of various services offered on lookOsteoSys.com and other websites, to facilitate the provision of information, optimized for each user.
B. Declination to Installation/Operation of Cookies
* The user has the right to decide on the installation of cookies. Therefore, the user can accept all cookies, require a prompt each time a cookie is saved, or reject all cookies by setting options on their web browser.
* Configuring cookie installation settings (on Internet Explorer)
① On the [Tools] menu, select [Internet options].
② Click the [Privacy] tab.
③ Adjust the [Settings].
9. Technical/Administrative Measures for Protection of Personal Information
In handling personal information of users, the Company employs the following technical/administrative measures to secure safety of personal information against displacement, theft, leaks, unwanted alterations or damage.
A. Encryption of Personal Information
The user’s password, stored and managed in encrypted forms, is only known to the user. Therefore, the password of a user can only be viewed and changed by the user who knows the password. Additionally, mobile numbers, dates of birth, etc. are encrypted to prevent information leaks and amendments to personal information.
B. Measures against Hacking, etc.
The Company does its best to prevent leaks and damage of personal information of the user via hackers, computer viruses, etc. The Company regularly backs up the data to minimize damage of personal information, uses the latest anti-virus software to prevent leaks and damage of personal information and data of users, and uses encrypted communications, etc. for safe transmission of personal information on networks. The Company also uses an intrusion prevention system to limit unauthorized access from outsiders and makes an effort to employ all possible technical mechanisms to ensure security of the system.
C. Persons Handling Personal Information
D. Operation of Dedicated Organization for Personal Information Protection
However, the Company shall not be liable for any issues caused by personal information leaks such as mobile numbers and passwords due to the user’s negligence or other Internet-related problems.
10. Data Protection Officers
You may report all privacy complaints that arise while using the Company’s services to the Company. The Company shall respond to the user’s reports promptly and adequately.
Osteosys Head Office
Guro-Gu, Seoul, South Korea
Xuhui Dist., Shanghai, China
11. Duty of notification
If a legal attorney requests insight into, alteration of, or removal of the personal data of the subject as mentioned under “7. Rights of Users and Legal Attorneys and Methods of Exercising the Rights”, the Company shall notify the subject in writing before complying with this request. The Company shall report to the supervisory authority within 72 hours from the time it becomes aware of the infringement of personal information in the event of an infringement that may pose a risk to the rights and freedoms of individuals. The data subject must be notified of the infringement without undue delay.
However, if there is a low possibility that the infringement of personal information poses a risk to the individual’s freedom and rights, the notification may not be made. If the report to the supervisory body is not made within 72 hours, the reason for the delay must be reported together.