Privacy and Cookie Policy
The following articles in this Privacy and Cookie Policy describes how we at TALOS Corp. uses, processes, protects, and manages personal information collected from data subjects for the purpose of calculating risk scores for diseases and generating assessment reports.
TALOS Corp. (the “Company”) adheres to the regulations set forth by laws such as the “Promotion of Information and Communications Network Utilization and Information Protection, Etc. Act” and the “Personal Information Protection Act.” The Company is committed to protecting the rights and interests of its users by establishing a privacy policy in accordance with relevant laws.
1. Personal Information Items
Collection and Use of Personal Information
- The personal information collected through this website is directly received and managed by the Company, which is also responsible for its future management.
Items Collected
The data collected include the name of the health screening institution, the date of the screening, the name of the examinee, and 22 health screening data items.
Mandatory Information: Age, Gender, Height, Weight, Systolic Blood Pressure, Diastolic Blood Pressure.
Waist Circumference, Blood Sugar, Total Cholesterol, Triglycerides, HDL, LDL, Hemoglobin, Creatinine, AST, ALT, GGT, Family History of Stroke, Family History of Heart Disease, Family History of Hypertension, Family History of Diabetes, Smoking Status.
Customer Support
Mandatory Information: Customer representative’s name, company name, business registration number, email, phone number.
Method of Collection
Online (via the web software platform: anrisk.taloscorp.io)
2. Purpose of Processing Personal Information
The Company processes personal information for the following purposes below. The personal information being processed will not be used for any purposes other than those listed below, and should the purpose of use change, the Company will implement necessary measures such as obtaining separate consent in accordance with relevant laws
To analyze health screening data, deliver reports (in PDF format), and compressed files containing the calculated risk scores for diseases to the users (institutions requesting an analysis).
To confirm customer support inquiries, to communicate to the customer regarding the support needed, and to send notifications regarding the outcome.
3. Duration of Processing and Retaining Personal Information
It is our principle to destroy the user’s personal information without delay once the purpose of its collection and use has been achieved. More specifically, the following information will be retained for the period specified below for the respective reasons:
Uploaded Excel Files
These are automatically destroyed and made unrecoverable immediately after the necessary health screening data has been transferred for analysis.
Compressed Assessment Report Files
Once the reports have been generated and have been delivered to the users (institutions requesting an analysis) as compressed files, the files are destroyed and made unrecoverable immediately upon the user’s request. Even without a special request from the user, they are unrecoverable after 7 days of the report generation date.
Customer Support
Information related to customer support is retained for one year from the date on which customer support was provided.
4. Provision of Personal Information to Third Parties
The Company processes personal information data only within the scope specified in Article 2, “Purpose of Processing Personal Information” and does not provide personal information to third parties.
5. Use and Provision of the Scope Reasonably Related to the Purpose of Collection
The Company may use or provide personal information to a third party without the user’s consent, when the following criteria are taken into consideration within the scope reasonably related to the original purpose of collection:
Whether there is a relevance to the original purpose of collection: The Company will determine this based on whether the additional purpose of use/provision are in alignment with the nature or tendencies of the original purpose of collection.
Whether there is a possibility of additional use or provision of personal information considering the context in which it was collected, or the processing practices. The Company will consider factors, such as the relationship between the data processor and the user, the level and speed of technological advancement, and established general circumstances (practices) over a considerable period of time.
Whether it infringes unjustly on the interests of users. The Company will consider whether the user’s interests are substantively infringed upon in relation to the additional purpose of use and whether such infringement is unjust or not.
Whether necessary measures, such as anonymization or encryption, have been taken to ensure security. The Company will consider whether appropriate security measures have been taken, while considering the possibility of infringement.
6. Delegation of Personal Information Processing
The Company does not delegate the processing of users’ personal information to any third party.
7. Rights and Obligations of Data Subjects and Method of Practice
Data subjects can exercise the following rights related to personal information protection at any time against the Company:
Request to view personal information.
Request correction in case of errors, etc.
Request for data destruction.
Personal information stored in the form of an electronic file is destroyed using a technical method that cannot recover deleted files. The company does not produce printouts using personal information.
The exercise of rights according to Article 1 “Personal Information Items” can be done through written documents, email, FAX, etc., according to Form No. 8 of the Enforcement Rules of the Personal Information Protection Act. As a result, the Company will take action without delay. If a data subject requests correction or data destruction due to errors in personal information, the Company will not use or provide the personal information until the correction or destruction is completed.
The exercise of rights according to Article 1 “Personal Information Items” can be made through a legal representative or an agent authorized by the data subject. In this case, a power of attorney that follows Form No. 11 of the Enforcement Rules of the Personal Information Protection Act must be submitted.
8. Destruction of Personal Information
The Company will destroy the personal information without delay when it becomes unnecessary, such as when the retention period has expired or the purpose of processing has been achieved.
The procedure and method of destruction are as follows:
Destruction Procedure: The principle is to destroy information immediately upon achieving the processing purpose. In exceptional cases, it is stored according to internal policies for a certain period (7 days) before destruction. This personal information will not be used for any other purpose unless required by the law.
Destruction Method: Personal information stored in an electronic file format will be deleted using technical methods that make records unrecoverable. The Company does not produce printouts using personal information.
9. Measures to Ensure the Safety of Personal Information
The Company takes the following measures to ensure the security of personal information:
Administrative Measures
- Establishment and implementation of internal management plans for the protection of personal information.
Technical Measures
- Management of access rights to systems that process personal information, installation of control systems to manage access rights, encryption of unique identification information, encryption of compressed files, including assessment reports, which are transmitted to institutions requesting an analysis, application of SSL certificates, and other necessary measures in accordance with relevant laws.
Physical Measures
- Control of access to computer rooms, data storage rooms, manufacturing rooms, etc.
10. Technical and Administrative Protection Measures for Personal Information
The Company is taking the following technical and administrative measures to ensure that users’ personal information is not lost, stolen, leaked, altered, or damaged in the process of processing.
Countermeasures Against Hacking, etc.
The Company is doing its utmost to prevent the leakage or damage of personal information due to hacking or computer viruses, such as removing or deactivating unnecessary services, or providing information on countermeasures that should be taken upon the detection of security threats. The latest antivirus programs are used to prevent users’ personal information and data from being leaked or damaged (this is done by recording system logs for data monitoring). The Confidentiality and integrity of personal medical information transmitted over the network are ensured, and encrypted communication (using verified cryptographic algorithms with a security strength of 112 bits or more for data transmission and storage) is used to safely transmit personal (medical) information over the network. Furthermore, the Company equips all possible technical devices to secure the system (minimizing the breach of physical communication ports) and is using an intrusion prevention system to control unauthorized access from outside.
Personal Information Processor Training
The Company emphasizes compliance with the personal information processing policy through regular training of those who process personal information.
11. Installation/Operation of Automatic Personal Information Collection Devices and Matters Concerning Denial
Cookies
The Company uses ‘cookies’ to store and retrieve users’ information to provide personalized and customized services. A cookie is a very small text file sent by the server used to operate the website on the user’s browser and is stored on the user’s computer hard disk. When a user visits a website again, the website server reads the contents of the cookie stored on the user’s hard disk to maintain the user’s settings and provide customized services. Cookies do not automatically/actively collect information that identifies individuals, and users can refuse or delete the storage of such cookies at any time.
Purpose of the Company’s Use of Cookies
Cookies are used to provide convenience for users who need customer support.
Installation/Operation of Cookies and Refusal
Users have the option to install cookies. Thus, users can allow all cookies, manually confirm every time a cookie is stored, or refuse the storage of all cookies by going to the settings option in their web browser. If the storage of cookies is refused, it may be difficult to use some services. The guide to manage cookies for each browser are as follows:
12. Guide on Withdrawal of Consent to Use Personal Information
Users can view and modify their personal information registered on the Company’s website through the institution that is requesting an analysis. Users can also request data destruction via e-mail to the administrator.
Users can withdraw their consent to the collection, use, and provision of personal information at any time. Withdrawal of consent can be requested at any time via e-mail to the administrator.
The Company has a designated personal information protection officer to protect users’ personal information and to handle complaints related to personal information.
13. Personal Information Protection Officer
The Company has an designated personal information protection officer to oversee and be responsible for the processing of personal information and to handle complaints and damage relief related to personal information of the data subjects.
Personal Information Protection Officer
Affiliation: TALOS Corp.
Name: Tackeun Kim
Phone: 0507-1386-4600
Email: [email protected]
Personal Information Protection Manager
Affiliation: TALOS Corp.
Name: Chan Yang Park
Phone: 0507-1386-4600
Email: [email protected]
14. Practices for the Relief of the Infringement of Rights and Interests
The data subject can inquire about damage relief and consultation regarding personal information infringement at the following institutions:
Personal Information Infringement Report Center (Operated by Korea Internet & Security Agency)
privacy.kisa.or.kr / (No area code) 118
Cyber Crime Investigation Unit, Supreme Prosecutors’ Office
www.spo.go.kr / 02-3480-3573
Cyber Terrorism Response Center, Korean National Police Agency
www.netan.go.kr / 1566-0112
15. Changes and Notification of Privacy Policy
This Privacy Policy was established on November 22, 2021. In the event of additions, deletions, or modifications of the contents in accordance to the changes in laws, policies, or security technology, the Company will notify the reasons for the changes and its contents at least 7 days prior to the implementation of the changed personal information processing policy through the Company’s homepage.
Notice and implementation date: November 22, 2021
Revision: October 3, 2022
Revision: February 24, 2023