PRIVACY POLICY

Privacy Policy of EOFlow Co., Ltd.


EOFlow Co., Ltd. complies with the personal information protection regulations in accordance with the applicable laws and regulations including, but not limited to, the Personal Information Protection Act of Korea, and is committed to protect the rights and interests of the information Privacy Policy.
The Company also have firm commitment to respect your privacy and the right to Personal Data under EU General Data Protection Regulation (“GDPR”): (i) if the processing of Personal Data is related to the activities of the Company’s subsidiaries, affiliates, branches, representative offices and other establishments in the EEA or (ii) if you are in the European Economic Area (“EEA”) and if GDPR applies.
[Indication of key personal data processing (Labeling]

1. Purpose of personal information processing and legal basis
 
The Company process your personal and sensitive information for the following purposes. The personal information collected and processed is not used for purposes other than the purpose indicated in this Privacy Policy, and if the purpose of use is changed, appropriate measures pursuant to applicable laws will be implemented.
A) EOFlow service membership registration and management via the Narsha App
The Company processes personal information for the purpose of checking the intention of a person to sign up as a member, verifying the identity of a member before providing membership services, managing membership status, verifying the identity of a member according to enforcement of the limited identification system, preventing illegal use of services, checking that a consent of the legal representative is properly granted when processing personal information of children under the age of 14, making various notices and notifications, handling complaints, etc. The legal basis of the processing carried out by the Company for these purposes is the execution of the service membership registration and management requested by you; therefore, the collection of the personal data is necessary, as any refusal to provide such data does not allow the Company to manage and provide the services requested.
B) Providing EOFlow services
The Company processes personal data, including sensitive data (see par. 2, lett . B) for the purpose of providing the EOFlow services (including customized services) and contents, verifying the identity of a user as a member, and providing other accompanying.
 
2. Personal information and sensitive information to be processed
 
The Company collects and processes only the minimum personal information necessary for the use of the service when signing up for membership.
A) EOFlow service membership registration and management
    * Required: Email address, name, ID/password, gender, date of birth
    * Additionally required for children under the age of 14: Written authorization, name and contact information of the legal representative
B) Use of EOFlow service
    * Required: Email address, country of residence, name, ID/password, gender, date of birth, 
    * Optional: medical emergency card information (hospital name, primary doctor, contact information), Profile image
    * Sensitive information: Diabetes type, height, weight, blood glucose, bolus, Basal/Temp basal injection, carbohydrate, exercise information
In addition, the following information may be generated and collected during the process of signing up or logging in. 
    * Device unique number (terminal ID or UUID), OS information, device model name, language and country setting, IP, etc.

 
3. Period of retention and use of personal and sensitive information
 
The Company processes and retain the personal and sensitive data collected by means of the EOFlow services within the period of retention and use of personal information in accordance with laws and regulations or within the period of personal information retention and use agreed upon when collecting personal information from the information subject.
Each period of personal information processing and retention is as follows.
A) EOFlow service membership registration and management: Until membership withdrawal from EOFlow service. However, also following the membership withdrawal, the data could be retained for the additional necessary period for any of the following reasons.
① If an investigation in violation of related laws is in progress, until the end of the investigation
② If there is an ongoing creditor/debtor relationship related to the use of EOFlow service, until the settlement of the creditor/debtor relationship
 
4. Entrustment of Processing of Personal Information (Including transmission of personal information overseas)
 
For providing services and enhancing user convenience, the Company may transmit or manage user information overseas as follows or manage the information abroad. The details of the personal information transmitted overseas are as follows.

 
The information of the receiving company Destination country Items of personal information transmitted Purpose of the receiving party, the period of retention and use, and the date and method of transmission
Amazon Web Service Inc.
[aws-korea-privacy@amazon.com]
Republic of Korea Personal information and log information collected while using the service Purpose: Data storage, service operation or the like for providing the EOFlow service
Period: During the user's service subscription period
Transmission date and method: Transmitted as needed through the information and communication network in the process of providing the servic
EOFlow, Inc.
[eo-usa-privacy@eoflow.com]
United States of America Personal information and log information collected while using the service Purpose: For operation and maintenance of the system
Period: During the user's service subscription period
Transmission date and method: Transmitted as needed through the information and communication network in the process of providing the service 
 
5. Matters concerning personal information to be provided to a third party
 
Company processes information subjects’ personal information strictly in accordance with the specified scope of the purpose of processing such information stated this Privacy Policy, and may not provide such personal information to third parties unless explicitly permitted under the applicable legislations as explained below.
A) Company provides information subjects’ personal information pursuant to the prior consent from the information subject as follows: 
The information of the receiving company Destination country Items to be provided Purpose of the receiving party, retention and use period and transmission date and method
Guardian/ Primary care Physician Country of establishment of the Guardian/ Primary care Physician Any personal information collected through Narsha app Purpose: Monitoring the physical condition of the data subject, if requested by the data subject
Period: Upon membership or consent withdrawal, provided that certain information will be retained for the retention period specified in relevant laws
Transmission date and method: Transmitted as needed through system integration

B) If there are special regulations in other laws, etc.
The information of the receiving company Destination country Items to be provided Purpose of the receiving party, retention and use period and transmission date and method
The Ministry of Food and Drug Safety Republic of Korea Name, Gender, Date of Birth, Age (at the time of the reporting), side effects occurred and etc. Purpose: Carrying out reporting obligations in regards to safety management, such as reporting of side effects
Period: In accordance with the provisions of the relevant laws and regulations
Transmission date and method: Transmitted as needed through the information and communication network in the process of providing the service etc.
Other than above, if EOFlow is required to comply with foreign legislations regarding the third party transfer of information, EOFlow will duly comply with such obligations.

6. Destruction of personal information

In principle, after the purpose of processing personal information is achieved (see par. 3 above), the company destroy it without delay and in the following ways so that the personal information cannot be recovered and reproduced.
A) Destruction procedure
For the collected personal information, after the purpose of collecting and using personal information has been achieved or the retention period has elapsed, the personal information will be destroyed without delay.
However, information that must be kept in accordance with this policy and related laws will be stored for the period stipulated by the laws and then destroyed.
B) Method of destruction
Records, prints, and documents: Shredded with a shredder or incinerated
Electronic file format: Deleted using a technical method that makes it impossible to restore the record.

7. Rights of the information subject and the legal representative and how to exercise the rights
 
The information subject and the legal representative can any time exercise, where applicable, the rights provided by the relevant law in order to obtain:
(i) the confirmation as to the existence of data concerning them, even if not recorded yet, and the communication of the same data in an intelligible form;
(ii) the indication of the origin of the data, purposes and modalities of the processing, subjects and categories of subjects to which the data may be communicated or which may get to know the data in their capacity as representatives in the State’s territory, as data processors, or persons in charge of the processing;
(iii) the updating, rectification or, where interested therein, integration of the data;
(iv) the erasure, transformation into anonymous form, or blocking of data that have been processed unlawfully.
The data subjects, moreover, shall have the right to object, in whole or in part, on legitimate grounds, to the processing of their personal data.
Finally, if applicable, the data subject and the legal representative have the right to rectification, right to erasure, right to restriction of processing, right to data portability as well as the right to lodge a complaint with the Italian Data Protection Authority in relation to the processing described into the present Privacy Policy.
The rights listed above may be exercised directly by contacting the Company’s personal information protection manager and personnel at the contacts indicated in par. 9 below. 
For requests for viewing, correction/deletion or suspension of processing of personal information that are made by phone or e-mail to the personal information protection manager of the Company, the Company will take action without delay after going through the identity verification process.
If the information subject requests correction of errors in personal information, the personal information will not be processed until the correction is completed. In addition, if it has already been provided to a third party, the result of the correction will be notified to the third party without delay with the necessary measures for the third party to comply with the result of the correction.
The legal representative of the information subject under the age of 14 may request for viewing, correction, or consent withdrawal with regards to the personal information of the information subject under the age of 14.

 
8. Measures to ensure safety of personal information
 
The Company is taking the following technical, administrative, and physical measures necessary to ensure safety.
A) Establishment and implementation of personal information protection guidelines
The Company is taking measures to protect the personal information of the information subject with internal guidelines for the protection of the company's personal information in place.
B) Minimum number of personal information handlers and education
The Company conducts business with the access rights to the personal information of the information granted to as few number of people as possible and conducts regular training on personal information protection.
C) Restriction of access to personal information
The Company takes necessary measures to control access to personal information by granting, changing, or canceling access rights to the personal information processing system.
D) Storage of access records and prevention of forgery
The Company keeps/manages records of access to the personal information processing system for at least two (2) year, and takes measures to prevent forgery, theft, and loss of access records.
E) Installation of security program
The Company uses an antivirus program to take measures to prevent damage, and the vaccine program is updated regularly to prevent damage caused by viruses.
 
9. Contact information of personal information protection manager and personnel

To protect the personal information of the information subject and handle complaints related to personal information, the Company appoint the relevant department and the personal information protection manger as follows.
Category Personal Information Protection Manager Personal Information Protection Personnel
Name Kim Kyung-soo Ahn In-soo
Department Quality Division IT Security Team
Email privacy@eoflow.com
※ The personal information protection manager department is in charge of processing requests of access to personal information.

If you need to report or to be advised about other personal information infringement, please contact the following organizations.
- Center for Reporting Infringement of Personal Information (operated by Korea Internet & Security Agency)
- Responsibilities: Receiving reports with respect to the infringement of personal information and applications for consultation 
  Website address: privacy.kisa.or.kr
  Telephone No.: (without exchange number) 118
  Address: Korea Internet & Security Agency, 9, Jinheung-gil, Naju-si, Jeollanam-do, Korea 
- Personal Information Dispute Mediation Committee 
  Responsibilities: Receiving Applications for personal information dispute mediation and collective dispute mediation (civil solution)
  Website address: www.kopico.go.kr
  Telephone No.:  1833-6972
Address: 12F, Seoul Government Complex, 209, Sejong-daero, Jongno-gu, Seoul, Korea 
- Supreme Prosecutors' Office Cyber Investigation Division (without exchange number) 1301, cid@spo.go.kr (www.spo.go.kr)
- National Police Agency Cyber Security Bureau (without exchange number) 182 (ecrm.cyber.go.kr)

10. Duty of notice

If there is any change such as addition, deletion, or modification of the contents in this Privacy Policy, it will be notified in advance in the website or by a notice.
Effective Date: September 01. 2022

 

< 2022-09-16 Back>

We use cookies. By continuing to use our site you accept our cookie policy. Find out more about our privacy policy here

PRIVACY POLICY