KETOSCAN Privacy Policy
This Privacy Policy explains how Sentech Korea Inc. (“the Company”) processes the personal data of its users, including without limitation, the options that a user selects for the collection, use and disclosure of his or her certain data.
Controller and Contact Information
The service provider and controller of personal data is as follows:
Sentech Korea Corp. (“the Company”)
21-6, Jimok-ro 75beon-gil, Paju-si, Gyeonggi-do, 10880, Republic of Korea
The DPO of the Company is as follows:
Keun Hyung Park
Director
+82 31 8071 4400 / rndsupport@sentechkorea.com
• If you have questions about your account in general, how to contact customer service for assistance, questions specifically about this Privacy Notices, or our use of your personal data, cookies or similar technologies, please contact our Data Protection Officer(DPO, Keun Hyung Park, Director). If you contact us for assistance, we may need to authenticate your identity before fulfilling you request for your safety and ours.
Collection and Use of data
We receive and store data about users such as:
- To verify and authenticate of user identity and for user contact; user ID (email address) of the SNS account(Facebook, Google) the user linked to KETOSCAN application,
- To provide KETOSCAN services; name, telephone number, gender, height, weight, body fat, year of birth, diet and exercise comments, Information of KETOSCAN device
- To provide third-party application gearing services; Health kit datas – Fatsecret ( Weight, Calories, carbohydrate, protein, fat ), Google Fit ( Weight, Calories ), Apple Health ( Weight, Calories )
· Personal data produced or automatically collected by the Company: Besides the personal data directly provided by users, the Company can produce or automatically collect data related to KETOSCAN services which includes:
- To provide KETOSCAN services; Keton level data measured via KETOSCAN application.
- Log information such as IP address, mobile’s model and OS version, usage time, and user input.
Method of collection
The Company collects the personal data of users in the following manner (Article 6(1)(a)):
• Collection through mobile devices with the prior consent of the users
Disclosure of Personal Data
We may disclose users’ personal data for certain purposes and to third parties, as described below:
· Service Providers: We use other companies, agents or contractors ("Service Providers") to perform services on our behalf or to assist us with the provision of services to you. For example, we engage Service Providers to provide marketing, advertising, communications, infrastructure and IT services, to personalize and optimize our service, to provide customer service, to analyze and enhance data (including data about users' interactions with our service), and to process and administer consumer surveys. In the course of providing such services, these Service Providers may have access to your personal data or other information. We do not authorize them to use or disclose your personal data except in connection with providing their services.
· Partners: Users may have a relationship with one or more of our Partners, in which case we may share certain data with them in order to coordinate with them on providing the service to members and providing information about the availability of the service.
· Protection of The Company and others: The Company and its Service Providers may disclose and otherwise use your personal data and other information where we or they reasonably believe such disclosure is needed to (a) satisfy any applicable law, regulation, legal process, or governmental request, (b) enforce applicable terms of use, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address illegal or suspected illegal activities (including payment fraud), security or technical issues, or (d) protect against harm to the rights, property or safety of The Company, its users or the public, as required or permitted by law.
Necessity of personal data
The personal data provided by users is necessary for the service use contract between a user and the Company and the smooth delivery of the services therein. Users are restricted from using the Company’s services unless they give consent to the collection of essential personal data. However, users may refuse to provide optional personal data, and in such case, they will still be able to use the Company’s services except those that require the provision of optional personal data.
Transfer of Personal Data to Third Countries
The Company may transfer users’ personal data to companies located in other countries or other companies for any purpose specified in this Policy. It will take reasonable measures to the companies where the information is transmitted, retained or processed in order to protect the information.
In particular, the Company transfers all personal data provided by the users or automatically collected by the Company to the Republic of Korea, where the Company is situated in. The Republic of Korea have not received an adequacy decision from the European Commission, and the Privacy laws of the Republic of Korea do not stipulate all the rights of data subjects and principles of information processing as defined by the GDPR. However, the Company fully complies to the GDPR through this Privacy Policy, and users are entitled to all protections based on the GDPR.
Based on the above notice, the Company may transfer users’ personal data to the Republic of Korea after obtaining explicit consent for transfer of personal data to third countries (Article 49 Paragraph 1 (a)).
Users’ rights
Users or their legal representatives, as data subjects, can exercise the following rights regarding the collection, use and disclosure of personal data by the Company:
• Right of access by the data subject (Article 15);
• Right to rectification (Article 16)
• Right to erasure (‘right to be forgotten’) (Article 17)
• Right to restriction of processing (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)
• Rights related to automated individual decision-making, including profiling (Article 22)
• Right to withdraw prior consent (Article 7(3))
In order to exercise any of the foregoing rights, make a written request to the Company (or the DPO, representative) using the data subject request form provided by the Company. In such case, the Company shall immediately make actions accordingly: provided, however, that the Company may reject such request if and to the extent there are reasonable grounds prescribed in law or equivalent thereto.
Upon the request from a data subject, the Company must take the following actions:
· To take actions regarding a request only after authenticating the identity of the data subject (or his or her legal representative);
· To ask if a subject requires the information to be provided in writing or whether he or she will accept it in an electronic form;
· To have a standard process for the company to effectively inspect all relevant systems and to communicate with other departments;
· To notify a data subject if there is no information that he or she has requested;
· To formulate reasonable criteria to determine whether to correct or disclose personal data if the personal data requested by a data subject includes the information of other individuals; provided however, such data can be disclosed if the other individuals explicitly give the consent thereto. The company should consider the impact of such disclosure and the possible breach of others’ personal data if no explicit consent is available, in which case, it should document the justification of such disclosure;
· To take actions in accordance with the request of a data subject in such a manner as he or she can understand, including the requirements under Article 15;
· To make no available the transfer system which can be traceable in case of providing a data subject with the information he or she has requested. Such information should be disclosed in a safe electronic means if individually agreed upon with the data subject; or
· To document the actions which have been taken for the request of a data subject.
Also users or their legal representatives have the right to lodge a complaint with a supervisory authority (Article 13(2) and 14(2)(e)).
Security
The Company takes the security of personal data seriously. It has the following security measures to prevent the unauthorized access to, or disclosure, use or change of the personal data (Article 32).
· To formulate countermeasures against hacking
- To install a system in the zone to which the external access is strictly restricted so as to prevent users' personal data from leakage or damage by hacking or computer viruses
· To establish and implement internal management plans
- To conduct regular internal audit (semiannual) to safely process personal data
- To keep minimal the number of employees processing personal data and educate them
· To install and operate access control systems
- To take necessary actions to restrict the access to the personal data, such as the grant, change or termination of the right to access the data base system of personal data processing
- To keep the documents, storage devices, etc. which include personal data in a safe place with a lock
- To designate a physical place of storing personal data to restrict the access by unauthorized persons and to establish and operate such access control procedure
- Enterprise-wide DLP solution installation and operation
· Take measures to prevent forgery or alteration of access records and store and collect log records through the installation of Endpoint Protector, a security program.
Children
The Company’s products and services are intended for use by individuals 14 years of age and older, and those under the age of 14 are not eligible to use any of our service. In principle, the Company does not collect any personal data from children. However, if the Company learns that any personal data of children has been collected through KETOSCAN application, it will comply with the following procedures for the protection of children’s personal data (Article 8):
· To verify if a child is subject to the guardian’s consent and such guardian is authorized, within the scope of reasonable efforts;
· To have the consent from a child’s parent or guardian to collect the child’s personal data or to provide the child with product information and the Company’s services directly;
· To notify parents or guardian of the Company's privacy policy for children, including the items, purpose and disclosure of collected personal data;
· To grant a child’s legal representative the right to access, correct or delete or temporally suspend the processing of, the child’s personal data or the right to withdraw the prior consent of the representative; and
· To limit the collection of personal data to the extent solely required for the participation in online activities
Profiling and automated decisions
The Company does not use users’ personal data to create individual or collective profiles (hereinafter referred to as “profiling”) for the purpose of profiling and making automated decisions.
Data Retention Policy
For the purpose of protecting users’ data, the Company complies with the principle of Data Minimisation where the processing of personal data should be appropriate and limited to the extent solely necessary for the purposes for which the data are processed (Article 5 Paragraph 1 (c)). To this end, the Company abides by the following retention policy:
· All personal data processed by the Company is subject to and protected by the Company’s Members’ retention policy.
· Personal data are retained for no longer than is necessary for the purposes for which the personal data are processed. The Company will immediately destroy the personal data once the user deletes his or her account on KETOSCAN application. However, the personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (Article 5 Paragraph 1 (e));
· The Company abides by the methods set forth in the ‘Security’ part of this Privacy Policy to delete physical and digital data;
· The Data Protection Officer designates the strict retention period regarding the storage of users’ personal data and does not retain the data more than the period which requires the data. The Company monitors the compliance regarding the data retention on a regular basis and deletes the data, if no longer necessary, in a safe manner (Recital Article 39);
· The company schedules regular review of stored data to determine whether the data is still required;
· The company immediately destroys especially sensitive data including sexual orientation, race, beliefs, health information, etc. and does not retain the data for no longer than is necessary;
· The company forthwith takes the actions set forth in the ‘User’s right’ part of this Privacy Policy if a user exercises his or her right guaranteed by GDPR as a data subject;
· The company is in compliance with relevant regulations such as GDPR, etc. in relation to the retention of users’ personal data;
· The company makes sure that all employees are aware of the data retention policy prescribed in this Privacy Policy and GDPR;
· The company sets this Privacy Policy by documenting a GDPR data retention policy. This Privacy Policy may need to be provided to regulators in the event of an audit or investigation of a complaint of a user or an employee; and
· This Privacy Policy may be used as proof that the company complies with the requirements of GDPR.
Privacy Policy related to the Company’s employees
The Company educates and monitors employees including the HR department that handle personal data of the Company’s employees not only to handle users’ personal data but also employees’ personal data in compliance with the GDPR (Article 39). The Company documents the records that manage all training-related contents for employees (date, time, list of subjects, list of attendees, contents of training, subject of training, role of DPO).
The company delivers this Privacy Policy to its employees, either in hard copy documents or electronically. Employees who process personal data have the right, for example, to request the employer to correct incorrect information regarding that personal data.
Modification of Privacy Policy
The Company has the right to amend or modify this Privacy Policy from time to time, in which case, the Company will make a public notice of it through KETOSCAN application (or through individual notice in writing by e-mail) and have the consent of the users if required by relevant law.
The latest update date: (2022. 03. 01.)