Kind Doctor Inc.
Effective: April 14, 2026
Kind Doctor Inc. (the "Company") complies with the Republic of Korea's Personal Information Protection Act (PIPA), the Act on Promotion of Information and Communications Network Utilization and Information Protection, the EU General Data Protection Regulation (GDPR), the Japan Act on the Protection of Personal Information (APPI), and other applicable data protection laws worldwide. This Privacy Policy (the "Policy") is established to protect the personal information of our global users.
This Policy applies to all services provided through the Kind Doctor Platform (k-doc.ai, subdomains, mobile web, and API), including hospital administration (hp.k-doc.ai), super administration (super.k-doc.ai), and partner portals.
The Company collects the minimum personal information necessary for service provision.
1. Upon membership registration and account creation
Required: Name, email address, mobile number, country, region of residence, language preference, login credentials (ID/password or social account identifier)
Optional: Gender, date of birth, medical departments of interest, guardian information (for nursing/senior care reservations)
2. Non-member (anonymous) use
The Company provides anonymous session access for AI consultation without requiring membership registration.
Magic link (SMS invitation) access: Session token, referral source (hospital/partner/ad campaign), partial name and phone number (only if voluntarily provided during consultation)
OTP verification: Phone number hash (SHA-256), verification status
Anonymous session data is automatically deleted 7 days after last activity.
3. When using reservation, consultation, and payment services
Reservation information: Hospital name, medical department, procedure name, appointment date/time, patient notes
Consultation history: AI text chat conversations, AI voice consultation logs (audio is transcribed then deleted), CRM consultation records
Payment information: Payment method type, amount, currency, payment status, transaction reference number
※ Sensitive payment data such as credit card numbers and bank account numbers are processed by our payment processor (PortOne and affiliated PG companies) and are never stored on Company servers.
4. Additional data from hospital members
Business registration number, medical institution license number, representative information, settlement bank account
Medical staff information (name, specialty, credentials — entered by the hospital)
5. Additional data from partners (agencies)
Business information (individual/corporate), KYC documents, settlement account, international transfer details (for Wise integration)
6. Automatically collected information
IP address, access logs, device information (OS, browser, device identifier), screen resolution
Cookies and similar technologies (see Article 10)
Advertising attribution: UTM parameters, campaign codes, partner referral codes, referrer URLs
The Company collects and uses personal information only for the following purposes:
1. User identification, identity verification, and account management
2. Hospital search, comparison, reservation, and schedule management
3. AI-powered multilingual consultation (text and voice) in 14 languages
4. Payment processing, escrow protection, and settlement
5. CRM services (consultation management, lead management, outreach messaging)
6. Customer inquiry response, dispute resolution, and mediation
7. Service quality improvement and usage statistics (de-identified/aggregated)
8. Advertising performance measurement, attribution analysis, and partner commission settlement
9. Communication services (notifications via SMS, email, Kakao Alimtalk, app push)
10. Legal compliance, terms of service enforcement, and fraud detection
For EU/EEA residents, the Company processes personal information on the following lawful bases:
Contract performance (Art. 6(1)(b)): Reservations, payments, escrow, account provision, consultation services
Consent (Art. 6(1)(a)): Marketing communications, optional data collection, cookie preferences
Legal obligation (Art. 6(1)(c)): Tax, accounting, consumer protection, medical law compliance
Legitimate interests (Art. 6(1)(f)): Service security, fraud prevention, quality improvement (balanced against your fundamental rights)
The Company destroys personal information without delay once the purpose of collection has been fulfilled. However, where retention is required by applicable law, data is retained as follows:
| Category | Retention Period | Legal Basis |
|---|---|---|
| Account information | Until withdrawal (30-day grace period, then destroyed) | Service operation |
| Reservation/consultation records | 5 years | E-Commerce Act, Medical Law |
| Payment/settlement records | 5 years | E-Commerce Act, National Tax Act |
| Contract-related records | 10 years | Commercial Act |
| Access logs | 3 months | Protection of Communications Secrets Act |
| Anonymous session data | 7 days after last activity | Service operation |
| Magic link tokens | 48 hours after issuance | Service operation |
| Advertising attribution data | 180 days (partner attribution window) | Settlement accuracy |
As a rule, the Company does not provide personal information to third parties. Exceptions include:
1. To the reserved medical institution
Items: Name, contact details, reservation information, consultation summary
Purpose: Appointment fulfillment, patient intake, and consultation
Retention: As required by medical law after the purpose is fulfilled
2. To partners (agencies)
Condition: Only for patients referred through that partner, and only where a partnership with the hospital exists
Items: Reservation status, procedure name, payment amount (for settlement). Patient name and contact details are NOT shared.
Purpose: Attribution verification and commission settlement
3. As required by law
Legal process by investigative authorities, court orders, lawful requests from tax or regulatory authorities
4. Where the user has given prior consent
The Company delegates personal information processing to the following service providers:
| Provider Type | Delegated Tasks | Location |
|---|---|---|
| Cloud/DB (Supabase, AWS) | Server operation, database hosting, file storage | Korea/US |
| Payment processor (PortOne, Toss Payments, etc.) | Payment processing, escrow, settlement automation | Korea |
| Messaging (SolAPI) | SMS, Kakao Alimtalk delivery | Korea |
| Email service (Resend, etc.) | Email delivery | US |
| AI service (OpenAI) | AI consultation response, speech recognition/synthesis | US |
| Vector search (Qdrant) | Medical information search (RAG), knowledge indexing | Korea/EU |
| International transfer (Wise) | Cross-border partner settlement | EU |
| Search re-ranking (Cohere) | Search result relevance ranking | US/Canada |
The Company enters into Data Processing Agreements (DPA) with all processors and supervises them to ensure personal information is not used beyond the scope of delegation.
The Company may process personal information outside the Republic of Korea for global service provision.
Countries: United States (AI processing, email), EU (vector search, international transfers), Canada (search re-ranking)
Purpose: AI consultation processing, data storage, search services, international settlement
Safeguards: Transport encryption (TLS 1.2+), data-at-rest encryption, access controls, transfers based on EU Standard Contractual Clauses (SCC) or adequacy decisions
Data transferred: Consultation text (AI), email addresses (mail delivery), search queries (vector search), settlement information (international transfers)
1. The Company provides AI-powered automated consultation, hospital recommendations, booking assistance, and translation features.
2. AI services are for informational purposes only and **do not constitute medical practice, diagnosis, prescription, or treatment recommendations.**
3. All AI responses automatically include the disclaimer: "This response is for general informational purposes only. Please consult a medical professional for medical judgment and diagnosis."
4. AI consultation data may be used for service quality improvement, but only in aggregated and de-identified form.
5. Users have the right to request an explanation of automated processing, request connection to a human agent, or refuse automated processing.
You may exercise the following rights at any time:
Right of access to your personal information
Right to rectification and erasure
Right to restriction of processing
Right to data portability (for GDPR-eligible users)
Right to withdraw consent
Right to object to automated processing
Right to object to profiling
How to exercise: "Settings > Privacy" within the Service, AI chatbot inquiry, or email to privacy@k-doc.ai
Response time: Within 10 days of receipt (within 30 days for GDPR-eligible requests)
※ Upon account withdrawal, a 30-day grace period applies. Rejoining within this period restores prior data. After the grace period, all personal information is irreversibly destroyed.
The Company uses cookies and similar technologies for service operation and user experience improvement.
1. Essential cookies (required for service operation)
Session management, login state persistence, CSRF protection, magic link session cookies
2. Analytics cookies (for service improvement)
Page visit statistics, feature usage pattern analysis
3. Marketing cookies (for attribution)
Partner referral codes, UTM campaign parameters, advertising channel tracking
Retention: First-party cookies up to 180 days, third-party cookies up to 30 days
You may refuse cookies through browser settings, but blocking essential cookies may limit service functionality.
1. Data: Name, email, mobile number, medical departments of interest, service usage history (de-identified)
2. Purpose: Event/promotion notices, hospital discount information, medical tourism guides
3. Channels: Email, SMS, Kakao Alimtalk, app push notifications
4. Retention: Until consent is withdrawn
※ Refusal does not affect use of essential services (reservations, payments, AI consultation).
※ Consent may be withdrawn at any time through service settings or unsubscribe links in messages.
The Company implements the following measures to ensure the security of personal information:
Technical: Transport encryption (TLS 1.3), data-at-rest encryption (AES-256), access controls (Row-Level Security), access log management, security software maintenance
Administrative: Minimization of personnel with access, regular training, internal management plans
Physical: Server room access control (SOC 2-certified cloud provider data centers)
Payment security: Card information processed through PCI-DSS certified payment processors, never stored on Company servers
In the event of a personal information breach, the Company will:
Report to the Korea Personal Information Protection Commission and applicable supervisory authority (GDPR DPA where applicable) within 72 hours of discovery
Notify affected users of the breach details, affected data, and remedial measures without delay (via email and service notice)
Implement immediate technical measures to prevent secondary harm
The Company's services are intended for users aged 14 and above (16 in the EU). Personal information of children below these ages is collected only with the consent of a legal guardian, who may withdraw consent at any time.
The Company designates the following officer responsible for overall personal information protection:
Chief Privacy Officer (CPO): Nam Ki-Young
Position: CEO
Email: privacy@k-doc.ai
For inquiries, access/rectification/erasure requests, or complaints regarding personal information, please contact the officer named above. We will respond without delay.
Additional reporting and consultation:
Korea Personal Information Protection Commission (www.pipc.go.kr / 1833-6972)
Korea Internet & Security Agency (privacy.kisa.or.kr / 118)
This Policy may be amended due to changes in law, service, or Company policies.
Amendments will be announced at least 7 days before the effective date via service notices and email. Changes unfavorable to users will be announced at least 30 days in advance.
Effective date: April 14, 2026
Previous version effective date: February 5, 2026