top of page
Terms of Service
Privacy Policy
web logo.png
Privacy Policy

Article 1 : Purpose

HereUp Co., Ltd. (hereinafter referred to as "the Company") establishes this Privacy Policy (hereinafter referred to as "this Policy") to protect the information (hereinafter referred to as "Personal Information") of customers (hereinafter referred to as "Users" or "Individuals") using the application services provided by the Company, such as "MediBook" (hereinafter referred to as "Company Services" or "MediBook"). This Policy is established to comply with relevant laws such as the Personal Information Protection Act and the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. (hereinafter referred to as "the Network Act"), and to promptly and smoothly address any concerns related to the protection of Users' Personal Information.

Article 2 : Principles of Personal Information Processing

According to Personal Information-related laws and this Policy, the Company may collect Users' Personal Information, and the collected Personal Information may be provided to third parties only with the consent of the individual. However, if legally required by regulations, the Company may provide Users' Personal Information to third parties without prior consent.

Article 3 : Disclosure of This Policy

  1. The Company discloses this Policy on the main page of the Company's website or through a linked page from the main page so that Users can easily access it at any time.

  2. When disclosing this Policy according to Paragraph 1, the Company will use font size, color, and other methods to ensure that Users can easily read the Policy.

Article 4 : Changes to This Policy

  1. This Policy may be revised due to changes in Personal Information-related laws, guidelines, notices, or changes in government or Company Services policies or content.

  2. When revising this Policy in accordance with Paragraph 1, the Company will notify Users using one or more of the following methods:

    1. Posting a notice on the main page of the Company's website or through a separate window.

    2. Providing notice to Users via written communication, facsimile, electronic mail, or similar methods.

  3. The Company will provide notice of changes as described in Paragraph 2 at least 7 days prior to the effective date of the revised Policy. However, if there are significant changes to Users' rights, notice will be given at least 30 days in advance.

Article 28 : Governing Law and Dispute Resolution

  1. In the event of a dispute between the Company and the member regarding the use of the service, the Company and the member will diligently seek to resolve the dispute through consultation.

  2. To the extent permitted by the relevant laws of each country where the service is provided, the laws of the Republic of Korea shall apply to this Agreement and the legal relationship between the Company and the member.

  3. If the dispute is not resolved through the consultation mentioned in Paragraph 1, either party may file a lawsuit in the competent court under the Civil Procedure Act of the Republic of Korea. However, if there are any binding jurisdictional provisions under the laws of the member’s chosen country of nationality, those provisions shall apply.

  4. This Agreement is written in Korean. In case of any discrepancies between the translated version of this Agreement and the Korean original, the Korean original shall prevail.

Article 5 : Information for Membership Registration

The Company collects the following information for Users to register for membership in the Company Services:

  1. Mandatory Information: Email address, password, name, email, country, date of birth, and mobile phone number.

  2. Optional Information: (Customer Membership Registration) Medical service reservation details, order payment information, etc.

Article 6 : Information for Identity Verification

The Company collects the following information for verifying the User’s identity:

  • Mandatory Information: Mobile phone number, email address, name, date of birth, gender, and country.

Article 7 : Information for Legal Guardian Consent

When obtaining consent from a legal guardian is necessary, the Company collects the following information for legal guardian consent:

  • Mandatory Information: Mobile phone number, email address, name, date of birth, gender, and country.

Article 8 : Information for Payment Services

The Company collects the following information to provide payment services:

  • Mandatory Information: Card number, expiration date, 6-digit date of birth (yy/mm/dd), bank name and account number, email.

Article 9 : Information for Issuing Cash Receipts

The Company collects the following information to issue cash receipts to Users:

  • Mandatory Information: Name of the recipient of the cash receipt, date of birth of the recipient, address of the recipient, mobile phone number, cash receipt card number, and email.

Article 10 : Information for Providing Company Services

To enable general user members ("Customers") to receive the Medibook services through the Company’s "Medibook" service, the Company collects the following information from user members:

  1. Mandatory Information: ID, email address, name, date of birth, and contact information.

  2. Optional Information: Reservation details when using the service, reservation consent form, ID card information, consultation information (such as chat and email conversations).

Article 11 : Information for Service Usage and Fraud Detection

The Company collects the following information for monitoring and analyzing service usage and fraudulent activities:

  1. Mandatory Information: Service usage records, cookies, access location information, and device information.

  2. Optional Information: Number of service inquiries by the customer.

Fraudulent Usage: This includes activities such as repeatedly re-registering after account deletion, canceling purchases after buying products, illegally obtaining economic benefits from discount coupons or event benefits provided by the Company, engaging in prohibited activities as specified in the terms of use, identity theft, and other illegal or unauthorized activities. The collected information may be used for statistical analysis and evaluation related to the use of the Company’s services.

Article 12 : Methods of Collecting Personal Information

The Company collects user personal information through the following methods:

  1. Users inputting their personal information on the Company’s website.

  2. Users inputting their personal information through the Company-provided website and other services.

  3. Users responding to emails sent by the Company.

  4. Users entering information during their use of the Company’s services, such as consultations at the customer center or activities on bulletin boards.

Article 13 : Use of Personal Information

The Company uses personal information in the following cases:

  1. For necessary operations of the Company, such as delivering announcements.

  2. For service improvement, including responding to user inquiries and handling complaints.

  3. To provide the Company’s services.

  4. For the development of new services.

  5. For marketing purposes, such as event and promotion announcements.

  6. For demographic analysis and analysis of service visits and usage records.

  7. To establish relationships between users based on personal interests and preferences.

  8. To prevent and take action against activities that disrupt the smooth operation of services, including restricting the use of members who violate laws or Company terms, and addressing fraudulent activities.

Article 14 : Provision of Personal Information with Prior Consent

① Despite the prohibition on providing personal information to third parties, the Company may provide personal information to third parties if the user has previously disclosed or consented to the following matters. In such cases, the Company will still provide personal information minimally within the scope of applicable laws.

a. When using Company services through Stripe and Wix, personal information may be provided to payment processing agencies to facilitate smooth service delivery for membership registration and service usage.

b. To fulfill e-commerce contracts with service (product) sellers (e.g., service provision, buyer verification, customer consultation), personal information such as business registration number, business name, representative name, business address, business type, business item, and email for invoice receipt may be provided.

c. For individuals, personal information including passport information, ID card information, name, phone number, and email may be provided.

② To ensure smooth provision of the Medibook service, Medibook may exchange and use information collected from Medibook users and medical institutions within the minimum necessary scope for the intended purpose.

③ The Company will notify users and seek consent through the same procedure if there are changes to or termination of the third-party provision relationships mentioned in the previous paragraph.

​​

Article 15 : Outsourcing of Personal Information Processing

The Company outsources the processing of personal information for the purposes of smooth service delivery and effective business operations as follows:

  1. Personal information is outsourced for the processing of credit card payments, account transfers, virtual account payments, and cash receipt issuance through a PG (Payment Gateway) service provider. This outsourcing is conducted during the period of membership termination or until the outsourcing contract ends.

Article 16 : Retention and Usage Period of Personal Information

① The Company retains and uses personal information for the period necessary to achieve the purpose of collecting and using the information.

② Notwithstanding the previous paragraph, the Company retains records of fraudulent use of services for up to 1 year from the time of membership termination to prevent fraudulent registration and usage.

Article 17 : Retention and Usage Period of Personal Information According to Laws

The Company retains and uses personal information in accordance with relevant laws as follows:

  1. Consumer Protection in Electronic Commerce Act:

    • Records related to contracts or withdrawal of offers: 5 years

    • Records related to payment and supply of goods: 5 years

    • Records related to consumer complaints or dispute resolution: 3 years

    • Records related to advertising and labeling: 6 months

  2. Communications Privacy Protection Act:

    • Website log records: 3 months

  3. Electronic Financial Transactions Act:

    • Records related to electronic financial transactions: 5 years

  4. Location Information Protection and Use Act:

    • Records of personal location information: 6 months

Article 18 : Principles of Personal Information Destruction

The Company will, in principle, destroy personal information without delay once the purpose of processing is achieved, or when the retention and usage period has expired, and the information is no longer necessary.

​​

Article 19 : Handling of Personal Information for Inactive Users

① The Company will, in principle, notify users in advance and either destroy or separately store personal information of users who have not used the Company's services for 1 year.

② For long-term inactive users, personal information will be securely stored separately, and the user will be notified via email at least 30 days before the separation and storage of the information.

③ Long-term inactive users who wish to continue using the services before their information is separated can do so by logging into the website (including the mobile app).

④ Long-term inactive users can restore their accounts by logging into the website, based on their consent.

⑤ The Company will destroy the separately stored personal information after 4 years without delay.

Article 20 : Personal Information Destruction Procedure

① Information entered by users for membership registration or other purposes will be moved to a separate database (or separate file cabinet for paper records) after the purpose of processing the personal information is achieved. This information will be stored for a certain period based on internal policies and related laws (refer to retention and usage period) and then destroyed.

② The Company will destroy personal information for which the destruction reason has arisen, following the approval procedure of the personal information protection officer.

Article 21 : Personal Information Destruction Method

The Company will use technical methods that make the records irretrievable to delete personal information stored in electronic file formats. For paper records, shredding or incineration will be used to destroy the information.

Article 22 : Measures for Sending Advertising Information

① The Company will obtain explicit prior consent from users before sending advertising information for commercial purposes via electronic transmission media. However, prior consent is not required in the following cases:

  1. If the Company collects contact details directly from the recipient through a transaction and wishes to send commercial advertising information related to the same type of goods or services within 6 months from the end of the transaction.

  2. If a telemarketer, as defined by the "Act on the Regulation of Visiting Sales, etc.," informs the recipient of the source of personal information and makes a telemarketing call.

② Despite the above, if the recipient expresses a wish to opt-out or withdraws prior consent, the Company will not send commercial advertising information and will notify the recipient of the processing result of the opt-out or withdrawal.

③ If the Company sends commercial advertising information via electronic transmission media between 9 PM and 8 AM the next day, it will obtain separate prior consent from the recipient, even if it is exempt under paragraph 1.

④ When sending commercial advertising information via electronic transmission media, the Company will explicitly state the following details in the advertising information:

  1. Information on how to opt-out or withdraw consent.

⑤ The Company will not take the following actions when sending commercial advertising information via electronic transmission media:

  1. Measures to evade or obstruct the recipient’s opt-out or consent withdrawal.

  2. Automated creation of contact details such as phone numbers or email addresses by combining numbers, symbols, or characters.

  3. Automatic registration of phone numbers or email addresses for the purpose of sending commercial advertising information.

  4. Various measures to hide the identity or origin of the advertising sender.

  5. Measures to deceive recipients into replying for the purpose of sending commercial advertising information.

Article 23 : Access to Personal Information and Withdrawal of Consent

① Users and their legal guardians can access or modify their registered personal information at any time and may request the withdrawal of consent for the collection of personal information.

② To withdraw consent for the collection of personal information, users and their legal guardians should contact the personal information protection officer or responsible person via written notice, telephone, or email. The Company will take action without delay.

Article 24 : Modification of Personal Information

① Users may request the correction of any errors in their personal information through the methods specified in the previous article.

② Until the correction of personal information is completed, the Company will not use or provide the incorrect personal information. If incorrect information has already been provided to a third party, the Company will promptly notify the third party of the correction to ensure the necessary amendments are made.

Article 25 : User's Obligations

① Users are responsible for keeping their personal information up to date. Any issues arising from inaccurate information entered by the user are the user's responsibility.

② If a user registers using another person’s personal information, they may lose their user status or face penalties under applicable personal information protection laws.

③ Users are responsible for maintaining the security of their email addresses, passwords, etc., and must not transfer or lend them to third parties.

Article 26 : Company's Management of Personal Information

The Company implements the following technical and managerial protective measures to ensure the security of personal information and to prevent loss, theft, leakage, alteration, or destruction:

Article 27 : Handling of Deleted Information

The Company processes personal information that has been terminated or deleted at the request of users or their legal guardians according to the "Retention and Use Period of Personal Information" specified by the Company. Such information will not be accessed or used for any other purposes.

Article 28 : Encryption of Passwords

User passwords are stored and managed using one-way encryption. Only the individual who knows the password can verify or change their personal information.

Article 29 : Measures Against Hacking

① The Company makes every effort to prevent the leakage or damage of users' personal information due to hacking, computer viruses, or other intrusions into information and communication networks.

② The Company uses the latest antivirus programs to prevent the leakage or damage of users' personal information and data.

③ The Company employs intrusion prevention systems to ensure the highest level of security and prepare for potential emergencies.

④ If the Company collects and retains sensitive personal information, it ensures secure transmission of personal information over networks through encrypted communication.

Article 30 : Minimization and Training of Personal Information Processing

The Company limits the number of personnel handling personal information to the minimum necessary and emphasizes compliance with laws and internal policies through training and managerial measures for those who process personal information.

Article 31 : Measures for Personal Information Leakage

When the Company becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakage"), it will promptly notify the affected users of all the following details and report to the Korea Communications Commission or the Korea Internet & Security Agency:

  1. The types of personal information that were leaked

  2. The timing of the leakage

  3. The actions users can take

  4. The response measures taken by the information and communication service providers

  5. The department and contact information where users can receive consultation and support

Article 32 : Exceptions to Measures for Personal Information Leakage

Despite the previous Article, if the Company has legitimate reasons such as being unable to contact the user, it may substitute the notification measures described in the previous Article by posting on the Company’s website for more than 30 days.

Article 33 : User's Choice Regarding Cookies

① Users have the right to choose whether to allow cookies. They can set their web browser to allow all cookies, prompt for confirmation each time a cookie is saved, or refuse all cookies.

② However, if cookies are refused, some of the Company’s services that require login may be difficult to use.

Article 34 : Method to Allow Cookies

To specify whether to allow cookies (for Internet Explorer), follow these steps:

  1. Select [Tools] from the menu, then choose [Internet Options].

  2. Click on the [Privacy] tab.

  3. Configure the settings under [Advanced].

Article 35 : Designation of Personal Information Protection Officer

① To protect users' personal information and handle complaints related to personal information, the Company has designated the following department and Personal Information Protection Officer:

  • Personal Information Protection Officer:

Addendum

Article 1 This policy will be effective from August 00, 2024.

bottom of page