Kind Doctor Inc.
February 5, 2026
Kind Doctor Inc. (the "Company") complies with the Republic of Korea's Personal Information Protection Act, the Act on Promotion of Information and Communications Network Utilization and Information Protection, the EU General Data Protection Regulation (GDPR), and other applicable privacy laws in the United States and elsewhere. This Privacy Policy (the "Policy") is established and published to protect the personal information of global users.
This Policy applies to all services provided through the Kind Doctor platform (web, mobile app, API included) operated by the Company.
1. Personal information collected
① Upon membership registration and account creation
Required: Name, email address, mobile number, country, region of residence, language, login information (ID, password or SNS account identifier).
Optional: Gender, date of birth, medical departments of interest, guardian information (for nursing hospital/senior reservations).
② When using reservation, consultation, and payment services
Reservation information (hospital name, department, appointment date/time), consultation history (text, AI chatbot conversations, AI voice consultation logs), payment information (payment method, amount, status).
※ Sensitive payment data such as credit card numbers and account numbers are processed through global payment gateways (PG); the Company does not store such data.
③ Automatically collected information
IP address, access logs, cookies, device information (OS, browser, device identifier), advertising attribution (UTM, campaign code, referral code).
The Company collects and uses personal information only for the following purposes:
1. User identification and account management
2. Hospital search, reservation, and schedule management
3. AI chatbot and AI voice-based automated response services
4. Contract performance (reservations, payments, notifications)
5. Customer inquiries and dispute resolution
6. Service quality improvement and statistical analysis
7. Advertising performance analysis and personalized recommendations (based on de-identified/aggregated data)
8. Prevention of violations of laws and terms of use
For EU residents, the Company processes personal information on the following lawful bases:
1. Contract performance: reservations, payments, account provision
2. Consent: marketing communications, optional information
3. Legal obligation: tax, accounting, consumer protection
4. Legitimate interests: service security, quality improvement (without overriding your rights)
| Category | Retention period |
|---|---|
| Account information | Until withdrawal |
| Reservation/consultation records | 5 years |
| Payment/settlement records | 5 years |
| Access logs | 3 months |
※ Data may be retained longer where required by applicable law.
The Company does not provide personal information to third parties in principle. Disclosure may occur only in the following cases:
Medical institutions where the user has made a reservation
Where required by law
Where the user has given prior consent
Items disclosed: Name, contact details, reservation information. Purpose: Medical reservation and consultation. Retention: As required by law after the purpose is fulfilled.
| Delegate type | Description |
|---|---|
| Cloud providers | Server and database operation |
| Payment gateways (PG) | Global payment processing |
| Messaging providers | SMS, email, push notifications |
| AI service providers | AI consultation and voice processing |
The Company enters into GDPR-compliant Data Processing Agreements (DPA) with delegates.
The Company may process personal information outside the Republic of Korea for global service provision.
Countries: United States, EU, and other countries where cloud servers are located
Purpose: Data storage, AI processing, service operation
Safeguards: Data encryption, access controls, Standard Contractual Clauses (SCC), GDPR-level contractual protections
1. The Company provides AI-based automated response and recommendation features.
2. Such AI services do not constitute medical practice or medical judgment.
3. Final diagnosis, treatment, and medical decisions are the responsibility of medical institutions.
4. Users may request an explanation of or object to automated processing.
You have the right to:
Access, rectification, erasure, restriction of processing, data portability (GDPR), withdrawal of consent, and to object to automated processing.
Requests may be made at any time via customer service or email.
1. Data: Name, email, mobile number, medical departments of interest, service usage (de-identified)
2. Purpose: Events, promotions, personalized service information
3. Channels: Email, SMS, messaging, app push
4. Retention: Until consent is withdrawn
※ Refusal does not affect use of essential services.
Privacy Officer: Nam Ki-Young
Title: Chief Privacy Officer (CPO)
Email: privacy@k-doc.ai
This Policy may be amended due to legal or service changes; notice will be given in advance when possible.
Effective date: April 28, 2026
The Company uses the following permissions in the Kind Doctor mobile app (iOS·Android). Permissions are requested only when you actively use the relevant feature, and refusal does not restrict access to core services.
| Permission | Purpose | If denied |
|---|---|---|
| Camera | Attach photos to reviews and consultations | Text-only input available |
| Photo Library | Use saved photos for reviews and consultations | Photo attachment unavailable |
| Microphone | AI voice consultation (audio not stored) | Text consultation only |
| Location (When-In-Use) | Search nearby hospitals and directions | Manual address/region search |
| Biometric (Face ID / Fingerprint) | Secure payment authorization and login | Password-based login |
| Push Notifications | Reservation and consultation alerts | In-app notifications only |
| Advertising Identifier (iOS ATT) | Personalized medical info and ad measurement | Generic recommendations only |
※ Location permission is used only while the app is active; no background tracking.
※ Voice input through the microphone is discarded immediately after generating an AI response and is not stored on servers.
※ The iOS Advertising Identifier (ATT) can be denied; all core features remain fully functional even when denied.
The Company delegates personal information processing to the following processors for service operation. Some processors are located overseas; by agreeing to this Policy, you also consent to international data transfer (Personal Information Protection Act §17-2).
| Processor | Delegated scope | Location | Notes |
|---|---|---|---|
| Kind Doctor internal AI infrastructure | AI response generation (message text) | United States | Compliant with Kind Doctor internal security policy |
| Cohere Inc. | Search result reranking (query text) | United States · Canada | |
| Solapi (Nurigo Inc.) | SMS / KakaoTalk Alimtalk delivery | Korea | Domestic processing |
| Resend, Inc. | Email delivery | United States | |
| PortOne (Korea PortOne Inc.) | Payment-information processing for merchant medical institutions (SDK integration); the Company does not hold or settle payment funds — funds are settled by the PG directly to the merchant medical institution's account | Korea | PCI-DSS compliant |
| Korea Payment Networks Inc. (KPN) | Domestic card payment processing | Korea | PCI-DSS compliant |
| KakaoPay Corp. | KakaoPay easy payment processing | Korea | Domestic processing |
| Viva Republica, Inc. (Toss Pay) | Toss Pay easy payment processing | Korea | Domestic processing |
| Eximbay Inc. | Foreign currency payments (Alipay, WeChat, UnionPay) | Korea·Hong Kong | PCI-DSS compliant |
| PayPal Holdings, Inc. | Overseas card and PayPal balance payments | United States | PCI-DSS compliant |
| Wise Payments Limited | International payouts | United Kingdom | FCA-regulated |
| Qdrant (self-hosted) | AI vector search storage | Korea (self-hosted) | No international transfer |
| Supabase (self-hosted) | Database and authentication | Korea (self-hosted) | No international transfer |
※ Any change of processors will be reflected in this Policy with prior notice.
※ Payment information (card numbers, etc.) is processed directly by PortOne; the Company does not store payment details.