WHS Privacy Policy

Wellness House Seoul (WHS)

AAC Co., Ltd. (the "Company") complies with the Personal Information Protection Act and other applicable laws and regulations, and prioritizes the protection of users' personal information.

This Privacy Policy governs the collection, use, retention, disclosure, and other processing of personal information in connection with users' use of the Wellness House Seoul (WHS) platform service (the "Service").

Article 1 (Items and Methods of Personal Information Collection)

1. Personal Information Collected by the Company

The Company collects the following personal information necessary for providing the Service:

a. Membership Registration and Account Management

• Email address
• Mobile phone number
• Name
• Date of birth
• Country
• Gender

b. Information Automatically Collected During Service Use

• Access logs
• Usage records
• Device information (OS, browser information, etc.)
• Cookies, IP addresses, and similar automatically generated information (Users may refuse cookies through browser settings.)

The Company does not collect, store, or process sensitive personal information, including medical information, health information, medical records, or treatment records.

2. Methods of Collection

• Information directly provided by users during registration and service use
• Information automatically generated during service use (logs, cookies, etc.)

3. Principle of Data Minimization

The Company collects only the minimum personal information necessary for Service provision and does not use such information beyond the stated purposes.

Article 2 (Purposes and Legal Basis of Personal Information Processing)

1. Purposes of Use

The Company processes personal information for the following purposes:

1. Member identification and authentication
2. Account creation, management, and login functionality
3. Service provision, error resolution, and usage history management
4. Customer support, notices, and inquiry handling
5. Service improvement, stability, and statistical analysis in non-identifiable form

Personal information collected by the Company is not used for medical treatment, procedures, or health management purposes.

2. Legal Basis for Processing

The Company processes personal information primarily based on user consent and, where applicable, contractual necessity, legal obligations, or legitimate interests (service operation and improvement).

3. Right to Withdraw Consent

Users may refuse consent to collection and use. However, refusal of consent for essential items may limit Service functionality.

Article 3 (Retention and Use Period)

1. The Company retains personal information only for as long as necessary to fulfill the purposes of collection.
2. Upon membership withdrawal request, relevant personal information shall be destroyed promptly, except where retention is required by law.
3. Statutory retention examples:
   • Contract records: 5 years
   • Consumer complaints/disputes: 3 years
   • Access logs: 3 months
4. Personal information exceeding retention periods or whose purpose is fulfilled shall be destroyed pursuant to Article 7.

Article 4 (Disclosure of Personal Information to Third Parties)

1. The Company does not disclose users' personal information to third parties without consent, except as required by law.
2. With separate user consent, the Company may disclose:
   • Recipient: Individual Service Providers
   • Items: Account identification information (ID, internal identifiers only)
   • Purpose: Service integration and login convenience
   • Period: Until purpose is fulfilled or consent is withdrawn
3. Medical information and sensitive personal information are never disclosed by the Company to third parties.
4. Users may refuse third-party disclosure. Such refusal may limit access to certain linked services but will not affect basic WHS account functionality.

Article 5 (Processing by Third-Party Service Providers)

1. The Company may engage third-party service providers for certain processing activities necessary for Service operation.
2. Such engagements comply with the Personal Information Protection Act through formal agreements, with ongoing supervision to ensure secure processing.
3. Details of engaged providers and processing scope are published via Service notices or this Privacy Policy.

Article 6 (User Rights and Exercise Methods)

1. Users may exercise the following rights at any time:
   1. Access to personal information
   2. Correction or deletion
   3. Processing suspension
   4. Objection to automated decision-making (including profiling)
2. Rights may be exercised via:
   • In-Service functions (My Page > Personal Information)
   • Customer support (cs@whs.com)
   • Designated phone support
3. The Company responds promptly per legal requirements and provides reasons if requests cannot be fulfilled.
4. Legal guardians of children under 14 may exercise these rights on their behalf.

Article 7 (Destruction of Personal Information)

1. Personal information is destroyed promptly upon expiration of retention periods or fulfillment of processing purposes.
2. Destruction Process: Information is segregated per internal policy and applicable law, then destroyed upon retention expiry.
3. Destruction Methods:
   • Electronic files: Irrecoverable technical deletion
   • Physical documents: Shredding or incineration

Article 8 (Security Measures)

The Company implements comprehensive technical, administrative, and physical security measures:

1. Access Controls: Role-based minimum access with regular audits
2. Encryption: Sensitive data encryption in transit and at rest
3. Security Systems: Firewalls, intrusion detection, malware prevention
4. Audit Trails: Access logging and tamper protection
5. Physical Security: Server room access controls and surveillance
6. Training: Regular employee privacy training

Article 9 (Children's Privacy)

1. The Company does not knowingly collect personal information from children under 14.
2. Where required, legal guardian consent procedures with identity verification are implemented.

Article 10 (Data Protection Officer)

Personal Information Protection Officer

• Name: [Name]
• Department: [Department]
• Contact: [Email], [Phone]

For privacy inquiries, complaints, or remedies, please contact the above.

External Reporting Options:

• Personal Information Infringement Response Center ( privacy.kisa.or.kr / 118)
• Personal Information Dispute Mediation Committee ( www.kopico.go.kr / +82-1833-6972)
• Supreme Prosecutors' Office Cyber Investigation Division (1301)
• National Police Agency Cyber Bureau (182)

Article 11 (Policy Changes)

1. This Policy may be amended due to legal, policy, or Service changes.
2. Material amendments receive 7 days' prior notice via Service (30 days for unfavorable changes).

Effective Date: January 22, 2026