BaroPharm Co., Ltd. Privacy Policy

Service Name: aroundpharm

BaroPharm Co., Ltd. (the “Company”) establishes and discloses this Privacy Policy to protect the personal information of users (data subjects) in connection with the Company’s AroundPharm service, and to ensure that any inquiries or complaints regarding such information are handled promptly and efficiently.

Article 1 (Purpose of Processing Personal Information)

The Company processes users’ personal information for the following purposes. The personal information being processed shall not be used for purposes other than those specified below. In the event that the purpose of use is changed, the Company will obtain separate consent or take other measures required by law.

  1. Membership Registration and Management of AroundPharm

    Personal information is processed for the purposes of confirming the user’s intention to register, identity verification for membership-based services, maintenance and management of membership status, enforcement of restrictions on members who violate the Terms of Service, limiting duplicate or excessive registrations, preventing and sanctioning fraudulent use of services, preventing unauthorized use, issuing notices and notifications, retaining records necessary for handling inquiries and dispute resolution, and confirming the user’s intention to withdraw membership.

  2. Provision of Services and Development of New Services

    Personal information is processed for the purposes of developing new services and providing customized services, verifying service effectiveness, providing opportunities to participate in events and promotional activities, analyzing access frequency and service usage statistics, issuing and managing contracts and invoices, identity and age verification, preventing the collection of personal information from minors under 14 years of age, and preventing fraudulent use of services.

  3. Customer Support and Complaint Handling

    Personal information is processed for the purposes of verifying the identity of complainants, reviewing and confirming complaints, contacting for fact-checking and notification, and notifying the results of complaint handling.

Article 2 (Items of Personal Information Processed)

  1. The Company processes the following personal information items without requiring separate consent from the data subject, to the extent permitted by applicable laws and for the purposes specified in this Privacy Policy.

    Legal Basis | Purpose of Use | Items of Personal Information Collected | Retention and Use Period
    Personal Information Protection Act, Article 15(1)(4) (Performance of Contract); Act on the Consumer Protection in Electronic Commerce, Article 6 (Retention of Transaction Records, etc.) | Handling of Consumer Complaints and Dispute Resolution | Name, Phone Number | 3 years
    Personal Information Protection Act, Article 15(1)(2) (Where there are special provisions in other laws); Protection of Communications Secrets Act, Article 15-2 (Obligations of Telecommunications Service Providers to Cooperate) | Service usage management and retention of communication verification records | Service usage records and device information such as access logs, IP addresses, and cookies | 3 months

  2. The Company processes the following categories of personal information with the consent of the data subject, in accordance with Article 15(1)(1) and Article 22(1)(7) of the Personal Information Protection Act.

    Purpose of Use | Items of Personal Information Collected | Retention and Use Period
    Membership Registration and Management | E-mail address, CI (Connected Information), Name, Gender, Date of Birth, Mobile Phone Number | Until membership withdrawal or withdrawal of consent
    AroundPharm Service Use | (Optional) Address | Until membership withdrawal or withdrawal of consent
    Marketing Use and Provision of Promotional Information | (Optional) Participant name, email address, mobile phone number | Until membership withdrawal or withdrawal of consent
    Event participation, prize entry, and prize delivery | (Optional) Participant name, email address, mobile phone number, address | Immediately destroyed upon completion of the event.

  3. The Company processes the following location information with the consent of the data subject, in accordance with Article 15(1) of the Act on the Protection and Use of Location Information.

    Purpose of Use | Items of Personal Information Collected | Retention and Use Period
    Use of “Nearby Pharmacy Search” Service | (Optional) User’s personal location information | The information is used on a one-time or temporary basis and is not stored on the Company’s servers.

  4. The Company automatically records and retains data verifying the collection, use, and provision of location information in accordance with Article 16(2) of the Act on the Protection and Use of Location Information. Such records are retained for a period of six (6) months.

  5. The Company does not process the personal information of individuals under the age of fourteen (14), even with the consent of their legal representative.

  6. In accordance with the “Guidelines for Personal Information Processing and Protection in Emergency Situations” jointly issued by relevant government ministries, the Company may provide personal information to relevant authorities without the consent of the data subject in cases of emergencies such as disasters, infectious disease outbreaks, imminent threats to life or physical safety, or imminent risk of significant property damage.

Article 3 [Methods of Collection of Personal Information]

  1. The Company collects personal information through the following methods:

    • When the user agrees to the processing of personal information during membership registration or service use, and directly enters or uploads the information.
    • Upon obtaining the user’s consent, by accessing and verifying information through the Health Insurance Review & Assessment Service system during the user’s identity verification process.
    • When necessary for the performance of the Company’s obligations under this Agreement.
    • When the user contacts the Company for inquiries or assistance through various channels such as web pages, email, fax, or telephone during customer service interactions.
    • When personal information is provided by external companies or organizations partnered with the Company (provided that such external entities have obtained the user’s consent for the provision of the personal information).
    • When the user participates in events or promotions conducted by the Company.
  2. During the use of the Company’s services, information may be automatically collected through log analysis, cookies, and similar technologies.

Article 4 [Installation, Operation, and Rejection of Automatic Data Collection Tools]

  1. The Company installs and operates “sessions” and “cookies,” which frequently store and retrieve user information, in order to provide personalized services to users.

    • Meaning of Sessions and Cookies: “Session” refers to information stored on the Company’s server during the user's access period for the purpose of providing services. “Cookie” refers to a small text file transmitted by the server operating the website to the user’s browser, which may be stored on the user’s computer hard drive.
    • Purpose of Using Sessions and Cookies: The Company uses sessions and cookies to analyze user access frequency, visit time, and service usage patterns, in order to provide personalized services and improve service satisfaction. Additionally, sessions and cookies may be used for participation in events and targeted marketing.
    • How to Disable Cookies: Users may choose whether to allow cookies. By adjusting the browser settings, the user may allow all cookies, require confirmation each time a cookie is stored, or refuse all cookies. However, if cookies are disabled, personalized services may not function properly.

    <How to Allow/Block Cookies>

    • Web Browser
      • Chrome: Select ‘⋮’ in the top-right corner > New incognito window (Shortcut: Ctrl+Shift+N)
      • Edge: Select ‘…’ in the top-right corner > New InPrivate window (Shortcut: Ctrl+Shift+N)
    • Mobile Browser
      • Chrome: Select ‘⋮’ in the top-right corner > New incognito tab
      • Safari: Device Settings > Safari > Advanced > Block All Cookies
      • Samsung Internet: Select bottom “Tabs” icon > Enable Secret Mode > Start

Article 5 [Provision of Personal (Location) Information to Third Parties]

  1. The Company processes users’ personal information only within the scope stated in Article 1, and provides such information to third parties only when the user has given consent or when permitted by applicable laws and regulations.

  2. For the smooth provision of services, the Company may provide personal information to third parties within the minimum necessary scope, with the consent of the data subject, pursuant to Article 17(1)(1) of the Personal Information Protection Act.

    Recipient | Purpose of Use | Personal Data Provided | Retention Period
    Affiliated Pharmacy | To arrange medication consultation reservations and in-person visit reservations | Name, Mobile Phone Number, Gender, Age | Until the member withdraws from the service
    Pharm-Friend | To provide medication guidance and follow-up counseling based on medication records | Name, Mobile Phone Number, Date of Birth | Until the Pharm-Friend registration is canceled

  3. The Company shall not use the Member’s personal location information for any purpose other than providing the Service without the Member’s consent, nor shall it provide such information to any third party.

  4. The Company shall not use a member’s personal location information for any purpose other than the provision of services, nor shall it provide such information to any third party without the member’s consent. If the Company provides services that involve providing a personal location information subject’s personal location information to a third party, the Company shall notify the subject in advance of the recipient and the purpose of provision, and shall obtain their consent.

  5. When the Company provides personal location information to a third party designated by the personal location information subject, the Company shall immediately notify the subject, through the communication terminal device from which such information was collected, of the recipient, the date and time of provision, and the purpose of provision each time.

  6. However, in the following cases, notification shall be made to a communication terminal device or e-mail address specifically designated in advance by the personal location information subject:

    1. Where the communication terminal device from which personal location information is collected does not have the capability to receive text, voice, or video messages.
    2. Where the personal location information subject has requested in advance that notification be made to a communication terminal device or e-mail address other than the device from which the personal location information was collected.

Article 6 [Outsourcing of Personal Information Processing]

The Company outsources certain personal information processing tasks necessary for the provision of services to external service providers as listed below.

When entering into an outsourcing agreement, the Company specifies in writing (including contracts and other documents) the prohibition of processing personal information for purposes other than the outsourced service, the implementation of technical and administrative protective measures, restrictions on sub-outsourcing, supervision and management of the subcontractor, liability, including compensation for damages, and other necessary matters.

The Company also supervises the subcontractor to ensure that personal information is processed safely and in compliance with applicable laws and regulations.

Data Processor | Delegated Tasks
㈜써머스플랫폼 스윗트래커 | Transmission of notification messages (non-promotional informational messages)
NICE평가정보㈜ | Identity verification services
㈜카카오 | Simplified authentication services
Amazon Web Services Inc. (Seoul Region) | Cloud server management services necessary for service operation

Article 7 [Retention and Processing Period of Personal Information]

  1. The Company retains and processes personal information within the period permitted by applicable laws and regulations or within the retention and use period agreed to by the user at the time of collection.

    If any personal information provided by the user is confirmed to be inaccurate during the service provision process, the Company may immediately delete such information in order to prevent infringement of third-party rights and maintain the accuracy and currency of the data.

  2. The processing and retention periods for personal information collected by the Company are as follows:

    • Membership Registration and Management:

      Until the member withdraws from the service. However, in the following cases, retention shall continue until the relevant reason is resolved:

      1. Where investigations or inquiries related to legal violations are ongoing: until such investigations or inquiries are completed.
      2. When obligations or claims related to the use of services remain outstanding: until such settlement is completed.
      3. When legal disputes between the user and the Company are ongoing: until the final resolution of the dispute.
    • Service Provision and Development of New Services:

      Until the service is fully provided. However, if retention is required under applicable laws, personal information shall be retained until the statutory retention period expires.

  3. Notwithstanding the above, the Company retains information separately and uses it only for the retention purpose where laws require:

    Retained Data Item | Legal Basis | Retention Period
    Records related to labeling and advertisements | Article 6 of the Act on Consumer Protection in Electronic Commerce, etc. | 6 months
    Records regarding contracts, withdrawal of subscription, and provision of services | Article 6 of the Act on Consumer Protection in Electronic Commerce, etc. | 5 years
    Records regarding consumer complaints or dispute resolution | Article 6 of the Act on Consumer Protection in Electronic Commerce, etc. | 3 years
    Service access logs, log data, and location tracking data | Article 15-2 of the Protection of Communications Secrets Act | 3 months
    Account books and evidential documents for all transactions required under tax law | Article 85-3 of the Framework Act on National Taxes | 5 years

Article 8 [Procedures and Methods for Destruction of Personal (Location) Information]

  1. The Company shall destroy personal information without delay when the retention period has expired or when the purpose of processing has been fulfilled and the personal information is no longer necessary. However, personal information may be stored for a certain period in accordance with internal policies, Article 7 (Retention and Processing Period of Personal Information), and other relevant laws requiring information preservation.

  2. The procedures and methods for destroying personal information are as follows:

    • Destruction Procedure: The Company selects personal information for which the grounds for destruction have occurred and destroys such information upon approval of the Personal Information Protection Officer.
    • Destruction Methods:
      1. Personal information recorded or stored on paper: shredded or incinerated.
      2. Personal information stored in electronic file format: permanently deleted using technical methods such as Low-Level Format to prevent recovery.
  3. The Company uses personal location information on a one-time or temporary basis and does not store it on Company servers.

Article 9 [Rights and Obligations of Users and Methods of Exercise]

  1. Users may, at any time, exercise the following rights related to the protection of personal information against the Company:

    • Request for Access and Correction of Personal Information

      1. Users may access or correct their registered personal information at any time.
      2. To request access or correction, users may directly view or modify the information via “My Page > Edit Profile,” or submit a request via written document, telephone (+82-2-2039-8535), or email (help@baropharm.co.kr). The Company will take prompt measures after verifying the identity of the requester.
      3. The Company shall respond to access or correction requests within the statutory period. If it is unable to respond within that period due to legitimate reasons, the Company shall notify the user of the reason and may extend the processing period; the Company shall respond without delay once the reason is resolved.
      4. Users may exercise their rights through their legal representative or a delegated agent. In such cases, the user shall submit a power of attorney in accordance with the prescribed form (Form No. 11) under the “Public Notice on Personal Information Processing Methods (No. 2023-12).”
      5. The Company shall verify whether the requester is the data subject or a duly authorized representative when a request for access, correction, deletion, or suspension of processing is made.
    • Withdrawal of Consent, Deletion, and Suspension of Processing

      1. Users may withdraw their consent to the collection, use, and provision of personal information, or request deletion or suspension of processing at any time.
      2. To withdraw consent, delete information, or request suspension, users may directly proceed via “My Page > SMS Consent,” “My Page > Email Consent,” or “My Page > Withdraw Membership,” or submit a request via Customer Center, Kakao Channel, email (help@baropharm.co.kr), or fax. The Company will act promptly after identity verification.
  2. The Company may restrict or reject requests for access or suspension of processing under the following circumstances, and will notify the user without delay:

    • Grounds for restricting/rejecting access

      1. Where access is prohibited or restricted by law.
      2. Where there is a risk of harming another person's life or body, or of unfairly infringing upon another person’s property or other rights.
    • Grounds for rejecting suspension of processing

      1. Where processing is required to comply with a legal obligation.
      2. Where suspension may cause harm to another person’s life, body, property, or other rights.
      3. Where suspension would make it impossible to provide contracted services, and the user has not clearly expressed intent to terminate the contract.
  3. When a user requests correction or deletion due to errors in personal information, the Company shall not use or provide such personal information until correction or deletion is completed.

  4. Users shall not infringe upon the personal information or privacy of the Company, themselves, or any third parties in violation of applicable laws such as the Personal Information Protection Act and the Act on Promotion of Information and Communications Network Utilization and Information Protection.

Article 10 [Measures to Ensure the Security of Personal Information]

The Company takes the following measures to ensure the security of users’ personal information:

  1. Administrative Measures: Establishment and implementation of internal management plans; periodic training of employees.
  2. Technical Measures: Management of access rights to personal information processing systems; encryption of passwords; installation of security programs.
  3. Physical Measures: Access control to server rooms, database storage rooms, and other areas where unauthorized access is restricted.

Article 11 [Personal Information Protection Officer and Responsible Department]

The Company appoints a Personal Information Protection Officer and relevant departments responsible for overseeing tasks related to the processing of personal information, including receiving and handling requests for access, complaints, and inquiries from users. Users may contact the Personal Information Protection Officer or the designated department for any privacy-related matters arising during the use of the Company’s services. The Company will make every reasonable effort to respond promptly and satisfactorily.

Personal Information Protection Officer

  • Name: 신경도
  • Position: COO
  • Contact Number: 010-3269-2862
  • Email: kd.shin@baropharm.co.kr

Article 12 (Remedies for Infringement of Rights)

  1. Users may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee, the Personal Information Infringement Report Center operated by the Korea Internet & Security Agency, or other relevant organizations to seek remedies for personal information infringements. For reporting or consultation regarding personal information infringement, please contact the following agencies:

    • Personal Information Infringement Report Center: 118 (privacy.kisa.or.kr)
    • Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
    • Supreme Prosecutors’ Office Cyber Crime Report: 1301 (www.spo.go.kr)
    • National Police Agency Cyber Bureau: 182 (ecrm.cyber.go.kr)
  2. The Company endeavors to protect users' data rights and to assist with complaint handling and damage relief. For inquiries or assistance, please contact the department below:

    Customer Support for Personal Information Issues

    • Department: Customer Support Center
    • Contact Number: +82-2-2039-8535
    • Email: help@baropharm.co.kr
  3. Individuals who have suffered infringement due to dispositions or omissions by a public institution regarding a request under Articles 35, 36, 37, and 37-2 of the Personal Information Protection Act may request an administrative appeal under the Administrative Appeals Act.

    • Central Administrative Appeals Commission: 110 (www.simpan.go.kr)

Article 13 (Amendments to the Privacy Policy)

  1. This Privacy Policy shall take effect as of February 18, 2024.
  2. In the event that the Company amends this Privacy Policy, the Company will disclose the effective date and details of the amendments on a continuous basis, and will also provide a comparison between the previous and amended versions so that Users may easily review the changes.

This Agreement is originally written in Korean, and any translated versions are provided solely for the convenience and understanding of users. In the event of any discrepancy between the Korean version and a translated version, the Korean version shall prevail.