Privacy Policy
Huniverse Global Co., Ltd. ("we", "us", or "our") is committed to protecting your privacy
and the confidentiality of your data.
This Privacy Policy explains how personal data is collected, used, stored, shared, and
protected in compliance with the EU General Data Protection Regulation (GDPR, Regulation
(EU) 2016/679) and other applicable data protection laws.
This Privacy Policy explains how we collect, use, store, share, and protect personal data
when users access or use our services, websites, and platforms (collectively, the
"Services").
- Personal data is processed in compliance with the GDPR and applicable EU data
protection laws
- The service provider acts as the Data Controller for professional user account
data and service administration
- You do not collect or harvest any personal data of any user of the Site or the
Service.
- Where patient data is processed on behalf of healthcare providers, the service
provider acts as a Data Processor
- Only the minimum personal data necessary is processed for clearly defined
purposes
- Patient data, audio data, and text data are not used to train general-purpose or
large language models
- No solely automated decision-making producing legal or similarly significant
effects is carried out
1. Data Controller & EU Representative
For EEA users, we comply with the EU General Data Protection Regulation (GDPR). Huniverse
Global acts as the Data Controller under GDPR.
Data Controller:
Company Name: Huniverse Global Co., Ltd.
Registered Address: 9th floor, 25 Wangsan-ro, Dongdaemun-gu, Seoul, Republic of South
Korea
Email: contact@medipencil.com
EEA residents may contact the EU Representative regarding GDPR-related inquiries.
2. Purpose and Legal Basis for Processing Personal Data
We process personal information for the following purposes. The personal information being
processed will not be used for any other purposes. Personal data is collected and
processed only to the extent necessary for each specific purpose, in accordance with the
principles of data minimization and purpose limitation.
- User account creation, authentication, and service delivery
- Customer support and service-related communications
- Security monitoring, fraud prevention, and audit logging
- Compliance with healthcare, tax, and regulatory obligations
- Marketing communications and event invitations
- Processing of health data on behalf of healthcare providers
- Research and product improvement using anonymized data
Where processing is based on legitimate interests, these include: (i) maintaining the
security, integrity, and availability of our services and IT infrastructure; (ii)
preventing fraud, abuse, and unauthorized access; (iii) ensuring service quality and
functionality through usage analytics; and (iv) complying with our internal risk
management and audit obligations.
The service portal processes the following personal information items without the consent
of the data subject:
- Member service operation and identity verification
a. Legal basis: Contract Performance
b. Collected and used information: ID, password, email address, contact
information, hospital phone number, department, position
- Handling complaints and consultation regarding service use
a. Legal basis: Contract Performance
b. Collected and used items: ID, name, phone number, contact information, email, affiliation
- Automatically collected service usage information
a. Legal Basis: Legal Obligation
b. Collection and use items: Log records, download records, access IP, service usage
records, device information, records of fraudulent use, used to analyse users' access
environment for service improvement.
The service portal processes the following personal information items with the consent of
the data subject:
- Participation in events and prize applications
a. Collected and used information: name, address, contact information,
email address
- Processing personal information for marketing purposes, event and advertising
information delivery
a. Collected and used information: name, address, contact information,
department, email address, and areas of interest
- Human subject research for new drug development
a. Legal Basis: Research
b. Collection and use items: date of birth, gender, diagnosis symbol,
diagnosis name
- Where applicable, we may process health-related data, which constitutes special
category data under Article 9 GDPR. Such processing occurs only with explicit
consent or under the following legal basis:
a. Legal Basis: Scientific or medical research purposes, using anonymized
or pseudonymized data.
As part of our efforts to improve products, ensure security, update, and develop features,
we may use anonymized or pseudonymized data to develop and train AI models.
- No identifiable personal data is used for AI model training. Such processing is
based on legitimate interests for service improvement and scientific research
purposes where special category data (e.g., health data) is involved, ensuring
data minimization, irreversibility of anonymization, and re-identification
risk assessments.
- No solely automated decision-making producing legal or similarly significant
effects is carried out.
Data collection forms and workflows are reviewed regularly to ensure that only adequate,
relevant, and necessary data is processed. Optional fields are clearly marked and are
never required for access to core services.
3. Children’s Personal Data
Huniverse Global does not knowingly provide services to children under the age of 16.
4. Data Retention Periods
Personal data is retained only for as long as necessary to fulfill the stated purposes or
to comply with legal obligations in accordance with GDPR. When personal information
becomes unnecessary, such as when the retention period expires or the processing purpose
is achieved, the personal information will be destroyed without delay.
The processing and retention periods for each type of personal information are as follows.
| Data Category | Retention Period | Purpose |
| --- | --- | --- |
| Account and membership data | Until account deletion + 30 days for processing | Service provision and account management |
| Customer support records | 1 year from resolution | Compliance with consumer protection laws |
| Marketing communications data | Until consent is withdrawn + 30 days for processing | Marketing purposes |
| Security and access logs | 12 months | Security, fraud prevention |
| Billing and payment records | 10 years | Tax and accounting law compliance |
| Clinical research data | Duration of research study + required retention period per research protocol | Scientific research purposes |
| Encrypted authentication values (CI) | 1 year | Customer service verification |
| Records of rights infringement reports | 5 years | Legal compliance |
However, in the following cases, if an investigation or inquiry is in progress due to a
violation of relevant laws and regulations, the information will be stored until the
investigation or inquiry is concluded and then destroyed.
5. Data Storage Location and International Transfers
Personal data is stored in secure data centres located in the Republic of Korea.
The European Commission has recognized South Korea as providing an adequate level of data
protection under Article 45 GDPR (Adequacy Decision C(2021) 9271). Therefore, data
transfers from the EEA to South Korea are permitted without additional safeguards.
For service provision, maintenance, troubleshooting, and technical support, authorized
engineers at our headquarters in the Republic of Korea may access your account information
(excluding patient and health data). Such access constitutes an international data
transfer covered by the Adequacy Decision, with role-based access controls, audit logging,
and strict necessity limitations.
Individuals located in the European Economic Area have the following rights
with regard to their personal data:
- The right to access, update or delete the information we have on you. Whenever
made possible, you can access, update or request deletion of your personal
data directly within your account settings section. If you are unable to
perform these actions yourself, please contact us to assist you.
- Request correction of the personal data that we hold about you. You have the
right to have any incomplete or inaccurate information we hold about you
corrected.
- Object to processing of your personal data. This right exists where we are
relying on a legitimate interest as the legal basis for our processing and
there is something about your particular situation, which makes you want to
object to our processing of your personal data on this ground. You also have
the right to object where we are processing your personal data for direct
marketing purposes.
- Request erasure of your personal data. You have the right to ask us to delete or
remove personal data when there is no good reason for us to continue
processing it.
- Request the transfer of your personal data. We will provide to you, or to a
third-party you have chosen, your personal data in a structured, commonly
used, machine-readable format. Please note that this right only applies to
automated information which you initially provided consent for us to use or
where we used the information to perform a contract with you.
- Withdraw your consent. You have the right to withdraw your consent on using your
personal data. If you withdraw your consent, we may not be able to provide you
with access to certain specific functionalities of the service.
7. Sharing of Personal Data and Processors
Personal data is not shared with third parties without a valid legal basis.
Where personal data is processed on behalf of healthcare providers, the service provider
acts as a data processor, and healthcare providers remain the data controllers for patient
data. We may need to share personal data with the following third parties:
- Service providers acting as processors, such as Cloud infrastructure and hosting
providers
- Other suppliers who may provide services such as IT and system administration
- Email and notification service providers
- Payment service providers (PCI-DSS compliant, where applicable)
All processors are subject to GDPR-compliant Data Processing Agreements (DPAs) and are
authorized to process personal data solely for the purposes of service provision.
8. Cookies and Consent Management
We use cookies and similar tracking technologies to improve your experience, analyse
usage, and provide personalized services. Your consent is required before we place
non-essential cookies on your device.
- Essential cookies are necessary for service functionality.
- Non-essential cookies (analytics, marketing) are used only with user
consent.
EEA users may manage cookie preferences at any time via the cookie banner or settings
panel. Consent logs are maintained for compliance purposes.
9. Security Measures and Data Breach Notification
Appropriate technical and organizational measures are implemented to protect personal
data, including:
- Strong authentication and role-based access control
- Encryption of data in transit and at rest
- Audit logging and monitoring of system access
- Regular security assessments and penetration testing
- Automated data deletion and retention controls
- Ongoing employee training on data protection and information security
In the event of a personal data breach that is likely to result in a risk to the rights
and freedoms of individuals:
- The competent supervisory authority will be notified within 72 hours
- Affected individuals will be informed without undue delay, where required
10. Data Protection Officer
We have appointed a Data Protection Officer (DPO) who you can contact if you have any
questions about how we process your personal data or if you wish to exercise the rights
you have over your personal data.
You can contact our DPO at dpo@medipencil.com.
11. Remedies for infringement of the rights of data subjects
If you are based in the EEA, you have the right to lodge a complaint with your local Data
Protection Authority (DPA).
12. Updates and Notifications
We may update this Privacy Policy from time to time. When significant changes are made, we
will notify users through our website, email, or platform notification at least 30 days
prior to the changes becoming effective.
We value your information and are committed to ensuring you can use our services with
greater peace of mind.
- Announcement Date: March 31, 2026
- Effective Date: March 31, 2026