Surearly Sensitive Information Processing Policy

This Policy sets forth the specific standards that Sugentech, Inc. (“the Company”) follows when handling sensitive information, such as postpartum depression test results and hormone test results, in compliance with applicable laws including the Personal Information Protection Act (Republic of Korea).
All processing of sensitive information is based on the user’s consent. In the event of any conflict, this Policy shall take precedence over the general Privacy Policy.
This Policy applies to the Surearly service.

1. Definition

“Sensitive Personal Information” refers to information concerning beliefs, health, sexual life, or other matters that may infringe upon an individual’s privacy. Under this Policy, it includes:
- Postpartum depression test results
- Sexual activity and contraceptive method
- Hormone test results (biological data such as LH, FSH, hCG, E3G, P3G, etc.)
Other definitions shall follow the Company’s general Privacy Policy and applicable laws of each jurisdiction.

2. Legal Basis

Republic of Korea: Personal Information Protection Act, Article 23 (Restrictions on Processing of Sensitive Information)

3. Items of Sensitive Information Collected and Purpose of Use

| Category | Items Retained and Purpose of Use |
| --- | --- |
| Postpartum Depression Test Results | To assess postpartum depression and provide users with personalized psychological and health management information |
| Sexual Activity and Contraceptive Method | To analyze the relationship between menstrual cycles and hormonal changes, improve the accuracy of fertility and pregnancy prediction, and provide personalized health management services |
| Hormone Test Results | To analyze and predict menstrual cycles and hormone patterns; to provide ovulation and pregnancy tracking information; to deliver content and information suited to the user’s condition; to improve service quality and develop new features; to use for statistical or research purposes under strict pseudonymization/anonymization standards |

4. Consent Procedure

4.1. Sensitive information is collected only through a separate consent process.
4.2. The following items will be provided to users at the time of consent:
- Items of sensitive information to be collected
- Purpose of collection and use
- Retention and use period
- Whether the information will be provided to third parties or transferred abroad (e.g., to AWS Korea) and related safety measures
- The right to refuse consent and whether refusal may result in any limitation of service use
4.3. If consent is not provided, certain functions or services that require sensitive information may be limited.

5. Retention and Destruction

The retention and destruction of sensitive information follow the same standards as those specified in the general Privacy Policy.
| Category | Items Retained | Retention Period |
| --- | --- | --- |
| Internal Policy (Prevention of Service Misuse) | Records of fraudulent or unauthorized service use | 3 years after membership withdrawal |
| Internal Policy (Prevention of Identity Theft) | Nickname | 1 year after membership withdrawal |
| Internal Policy (Customer Support and Notification Emails) | Encrypted email address | 1 year after membership withdrawal |
| Republic of Korea – Electronic Commerce Act | Records of consumer complaints and dispute resolution | 3 years |
| Republic of Korea – Protection of Communications Secrets Act | Service access logs | 3 months |

6. Provision and Entrustment of Sensitive Information

6.1. The Company does not provide sensitive information to any third party without the user’s consent.
6.2. For service provision, sensitive information may be entrusted as follows:
| Entrusted Party | Entrusted Task | Country of Transfer |
| --- | --- | --- |
| Amazon Web Services (AWS) | Cloud server storage and management | Republic of Korea |
| Vespexx Co., Ltd. | Service operation and customer support | Republic of Korea |

7. Security Measures for the Protection of Personal Information

Technical Measures: Data encryption, SSL encrypted communication, access control, and log monitoring
Administrative Measures: Designation and training of personal information handlers, minimization of access privileges
Physical Measures: Secure network segmentation and restricted server access
Authentication Measures: Use of PIN (“simple password”) and third-party authentication (Google, Apple, etc.)

8. User Rights

Users have the following rights regarding their sensitive information:
- Request access or obtain copies of sensitive information
- Request correction, addition, or deletion
- Request suspension or restriction of processing or provision
- Withdraw consent
How to exercise rights:
- Through the in-app customer service center
- By email: surearly@sugentech.com
- By phone: 070-8889-5505
The Company will process such requests without delay and within the period prescribed by law. In the event of refusal, the reason will be clearly stated and notified.

9. Overseas Transfer of Sensitive Information

The Company stores overseas users’ sensitive information on AWS cloud servers located in the Republic of Korea.
Country of Transfer: Republic of Korea
Items Transferred: All collected sensitive information (including data generated during account registration and service use)
Time and Method of Transfer: Transmitted over the network during service use
Storage Location: AWS Seoul Region Data Center (ISO/IEC 27018 Certification)
Security Measures: Encrypted transmission and storage, restricted access, and regular security audits

10. Personal Information Protection Officer and Contact Person

Personal Information Protection Officer
- Name: Sujin Koo
- Position: Quality Assurance Manager
- Email: surearly@sugentech.com
Personal Information Manager
- Name: Kyungsoon Lee
- Position: Quality Management Team Lead
- Email: surearly@sugentech.com
For reports or consultations regarding personal information infringement, please contact the following organizations:
- Personal Information Infringement Report Center: https://privacy.kisa.or.kr, 118
- Supreme Prosecutors’ Office Cybercrime Investigation Department: https://www.spo.go.kr, 1301
- National Police Agency Cyber Bureau: https://ecrm.police.go.kr, 182

11. Duty of Notification

If any additions, deletions, or modifications are made to this Policy, the Company will notify users through in-app announcements or other appropriate means at least 7 days prior to implementation.
For material changes, users will be notified at least 30 days in advance.