Privacy Policy
Preface
Onesoftdigm Corporation (the "Company") complies with relevant laws such as the Personal Information Protection Act in providing the health management solution Fitrus and its related services (the "Service") and is committed to protecting the personal information of information subjects.
Through this Privacy Policy, the Company informs Members of the purposes and methods for which the personal information they provide is used, as well as the measures being taken to protect that personal information.
| Collection of Personal Information | Email, date of birth, physical measurement (height, weight, etc.), sensitive information (health data), terminal information, etc. |
| Purpose of Processing | Membership registration and management, provision of non-medical health analysis services, service improvement, etc. |
| Retention Period | Until membership withdrawal (provided that if there is an obligation to preserve information under relevant laws, until the end of such period) |
| Provision to Third Parties | Not applicable (except as required by relevant laws) |
| Entrustment of Processing | NAVER Cloud Corp. |
| Grievance Handling | support@onesoftdigm.com |
Article 1 (Purpose of Processing Personal Information)
The Company collects only the minimum amount of personal information necessary to provide the Service for the following purposes. Collected information will not be used for purposes other than those specified, nor will it be disclosed to third parties without the user's consent.
| Category | Purpose of Processing |
|---|---|
| Membership Registration and Management | Identification and confirmation of intent to join based on service use, restriction of registration for children under 14, management of membership status and confirmation of intent to withdraw, restriction of use for members violating terms of service and prevention of unauthorized use, securing communication channels for various notices and notifications |
| Service Provision | Maintaining normal operation and quality of the app, Fitrus device integration and data transmission/reception, provision of customized services |
| Non-medical Health Analysis | Physical monitoring through analysis of collected health data, provision of personalized guides based on data analysis |
| Service Improvement and Statistics | Quality optimization through new service development and analysis of service usage records, identification of access frequency and verification of service effectiveness based on demographic characteristics, preparation of statistics through pseudonymization, scientific research, and preservation of records for public interest |
| Marketing and Advertising | Guidance on event and promotion information, delivery of prizes, provision of customized services and posting of advertisements based on Member's interests and usage patterns |
| Customer Inquiry Response | Identification of users and receipt/processing of civil complaints, preservation of records for grievance handling and dispute mediation, notification of results |
Article 2 (Items and Methods of Collecting Personal Information)
Items of Personal Information Collected
The Company collects and processes the following personal information items for Service users.
- Membership Registration and Management
- Required: Email address, password, nickname, confirmation of being age 14 or older, social service account information (for social login)
- Optional: Gender, date of birth, height, weight
- Basic Service and Non-medical Health Analysis
- Required: Gender, date of birth, height, weight
- Optional: Step count, sleep information, heart rate, blood pressure, blood oxygen, blood sugar, body composition, stress, body temperature, etc.
- Service Use and Quality Improvement
- Terminal model name, OS version, manufacturer, unique device identification number, country, language, carrier information, package name, app version, last login date and time, etc.
- IP address, cookies, service usage records (errors during use, use of functions such as in-app selections, time spent on pages, etc.), error logs, crash logs and service stability analysis information, visit date and time, bad usage records, app instance identifier, etc.
- Fitrus device model name, firmware version, status information, battery status, etc.
- Customer Consultation and Grievance Handling: Email address, inquiry content and attachments, device information and app version generated during consultation, etc.
- Marketing and Events: Email address, consent to receive marketing information, etc.
- Users who perform simple membership registration through social services are subject to the privacy policies of Naver, Kakao, Google, and Apple logins.
Methods of Collecting Personal Information
The Company collects personal information for Service users as follows.
- Direct Input by Member: Information entered directly by the Member within the Service.
- Device Integration: Information collected through Fitrus device integration.
- Automatically Generated Information: Information automatically generated and collected by the system during the service use process.
Collection of Sensitive Information
- The Company classifies health data as sensitive information under the Personal Information Protection Act and manages it accordingly, obtaining separate explicit consent at the time of collection.
- According to Android OS policy, location permission consent may be requested for Bluetooth (BLE) integration with Fitrus devices. However, the Company does not store or track the Member's real-time geographical location (GPS coordinates) on its servers.
- The Company restricts membership registration for children under 14 to protect their personal information.
Article 3 (Processing and Retention Period of Personal Information)
The Company processes and retains personal information within the personal information processing and retention period according to laws or the period consented to by the Member at the time of collection. Items for which a separate retention period is not specified are kept until membership withdrawal or until the purpose of collection and use is achieved.
General Retention Period for Service Provision
| Category | Reason for Retention | Retention Period |
|---|---|---|
| Membership Registration and Management | User identification, maintenance and management of membership status, delivery of various notices, etc. | Until membership withdrawal |
| Services Including Non-medical Health Analysis | Health analysis and personalized guides, provision of device integration services, etc. | Until membership withdrawal |
| Customer Consultation and Grievance Handling | Processing of civil complaints and dispute resolution | 90 days after the end of response |
| Marketing and Advertising | Management of marketing information reception consent records | Until withdrawal of consent or membership withdrawal |
Exceptional Retention Periods Based on Relevant Laws
The Company destroys personal information without delay after the purpose of collection and use of personal information is achieved. However, the following cases are exceptions.
- Utilization of Pseudonymized Information: The Company may retain and use personal information, including sensitive information collected, by pseudonymizing it so that specific individuals cannot be identified, for purposes such as preparation of statistics, scientific research, and preservation of records for public interest until such purposes are achieved.
- Preservation Based on Internal Company Policy

Table of Unauthorized Use Record Preservation Based on Internal Policy
| Item Retained | Reason for Retention | Retention Period |
|---|---|---|
| Unauthorized use record | Prevention of unauthorized registration and use, cooperation with investigations by judicial authorities | 1 year from the date of withdrawal |

- Preservation Based on Relevant Laws: If it is necessary to preserve information according to the provisions of relevant laws such as the Commercial Act and the Act on the Consumer Protection in Electronic Commerce, the Company stores member information for a certain period set by the relevant laws. In this case, the Company uses the stored information only for the purpose of its storage, and the retention periods are as follows.

Table of Personal Information Preservation Periods Based on Relevant Laws
| Legal Basis | Item Retained | Retention Period |
|---|---|---|
| Protection of Communications Secrets Act | Personal information related to service use, such as user's internet log records and data tracking the user's access location | 3 months |
| Act on the Consumer Protection in Electronic Commerce | Personal information related to service use, such as records on contracts or withdrawal of offers, payment of charges, and supply of goods | 5 years |
| Electronic Financial Transactions Act | Records on electronic financial transactions | 5 years |
| Act on the Consumer Protection in Electronic Commerce | Records on processing of consumer complaints or disputes, etc. | 3 years |
| Framework Act on National Taxes | Books and evidentiary documents related to all transactions | 5 years |
| Act on the Consumer Protection in Electronic Commerce | Records on labels and advertisements | 6 months |
| Protection of Communications Secrets Act | Other communication fact confirmation data | 12 months |
Article 4 (Provision of Personal Information to Third Parties and Entrustment of Processing)
Entrustment of Personal Information Processing
- The Company entrusts personal information processing as follows for smooth service provision and safe handling of personal information.

Table of Personal Information Processing Entrustment Status
| Entrusted Party | Entrusted Work | Retention Period |
|---|---|---|
| NAVER Cloud Corp. | Provision of cloud infrastructure, server operating environment, and data storage | Until termination of entrustment agreement |

- When concluding entrustment agreements, the Company specifies in contracts matters such as prohibition of processing personal information beyond the scope of entrusted work, technical and administrative protective measures, restrictions on re-entrustment, supervision of the entrusted party, and liability for damages, and supervises whether the entrusted party processes personal information safely.
- If the content of entrusted work or the entrusted party changes, it will be disclosed through this Privacy Policy without delay.
Principles of Provision to Third Parties
The Company processes the user's personal information only within the scope specified in Article 1 and does not provide it to third parties beyond the original scope without the Member's prior consent.
Cases of Provision with User Consent
If necessary for the use of the Service, the Company may provide personal information to third parties as follows after obtaining separate consent from the user in accordance with the Personal Information Protection Act. Users have the right to refuse consent for provision to third parties, and even if they refuse consent, there are no restrictions on the use of basic app services.
Cases of Provision without Consent as Exceptions
In principle, the Company does not provide personal information to outside parties without the Member's consent, but it may provide it as an exception in cases where there are special provisions in the law or when an emergency occurs as follows.
- Provision through the use of pseudonymized information: The Company may provide personal information, including sensitive information collected, for internal analysis or to institutions permitted under relevant laws by pseudonymizing it so that specific individuals cannot be identified, for purposes such as preparation of statistics, scientific research, and preservation of records for public interest.
- Provision based on relevant laws

Table of Grounds for Provision of Personal Information to Third Parties Based on Relevant Laws
| Legal Basis | Reason for Provision |
|---|---|
| Personal Information Protection Act | In case of emergency situations such as disasters, infectious diseases, imminent danger to life or body, or loss of property |
| Criminal Procedure Act, Protection of Communications Secrets Act | Responding to requests based on warrants for seizure, search, and inspection, or requests for communication fact confirmation data |
| Civil Procedure Act | Compliance with a court's submission order |
Article 5 (Restriction on Registration of Children Under 14)
The Company restricts the use of the Service and membership registration for children under the age of 14 for whom the consent of a legal representative is required to process personal information.
Article 6 (Procedures and Methods for Destruction of Personal Information)
In principle, the Company destroys personal information without delay after the purpose of collection and use of personal information is achieved. The specific procedures and methods for destruction are as follows.
Destruction Procedures
- Information entered by users for membership registration, etc., is destroyed without delay after the purpose is achieved (membership withdrawal, etc.).
- If it must be stored for a certain period according to relevant laws under Article 3, the information is moved to a separate database or stored in a different location in accordance with the method set by the laws, and then destroyed after being stored for a certain period.
- Personal information stored separately is not used for purposes other than the purpose of retention except as required by law and is destroyed after approval by the Chief Privacy Officer.
- If personal information has been provided to a third party, the third party is also instructed to destroy the information without delay.
Destruction Methods
- Electronic file format: Permanently deleted using technical methods that prevent the records from being recovered or reproduced.
- Paper output: Destroyed by shredding with a shredder or by incineration.
Article 7 (Rights of Users and Legal Representatives and How to Exercise Them)
Exercise of User Rights
Users may exercise rights related to protection, such as requests for personal information access, correction, deletion, suspension of processing, and requests for explanations regarding automated decisions, toward the Company at any time.
Methods and Procedures for Exercising Rights
- Use of in-app settings: Direct inquiry and modification are possible through the settings menu within the app, and withdrawal of consent or membership withdrawal can be requested. However, use of part or all of the Service may be difficult.
- Use of customer support channels: If you contact the Chief Privacy Officer and the department in charge via writing, phone, or email, we will take action without delay.
- Exercise through a representative: Rights may be exercised through a representative, such as a person delegated by the user. In this case, a power of attorney according to the Notice on Personal Information Processing Methods must be submitted.
Processing of Requests for Correction and Deletion
- If a user requests correction of an error in personal information, the Company does not use or provide the personal information to a third party until the correction is completed.
- If incorrect personal information has already been provided to a third party, the result of the correction process is notified to the third party without delay so that correction is made.
Restriction of Exercise of Rights and Restriction of Children's Registration
- Restriction of children's registration: In principle, the Company does not collect personal information of children under 14 and does not allow membership registration. If it is confirmed that a child has registered by falsifying their age, the Company immediately suspends the account and destroys related information.
- Legal restrictions: Exercise of the user's rights, such as requests for access and suspension of processing, may be restricted according to relevant laws such as the 'Personal Information Protection Act'.
- Identification: When receiving a request for rights, the Company verifies whether the person making the request is the person themselves or a legitimate representative.
Obligations of the User
Users must enter their personal information accurately and keep it up to date in order to prevent accidents. They must take care that account information is not leaked, and users themselves are responsible for accidents arising from misappropriating or infringing on other people's personal information.
Article 8 (Matters Concerning Installation, Operation, and Refusal of Automatic Personal Information Collection Devices)
Operation of Automatic Personal Information Collection Devices
The Company uses "cookies" and "advertising identifiers (ADID/IDFA)" to store and frequently retrieve usage information to provide individual customized services and increase service use convenience for users.
| Category | Definition and Purpose |
|---|---|
| Cookie | A small amount of information stored in the user's browser when accessing a website, used to provide automatic login and a customized web environment. |
| Advertising Identifier (ADID/IDFA) | A non-identifiable identifier issued by the OS for usage analysis of advertisements and to provide customized services suitable for mobile app users' interests. |
Methods for Blocking and Refusing Automatic Collection Devices
Users may refuse the installation of automatic collection devices or delete them at any time. However, if you refuse the installation of cookies, you may experience difficulties in using some services.
- Web Browser (Cookie settings)
- Chrome: Settings > Privacy and Security > Clear Browsing Data or Cookie settings
- Safari: Settings > Preferences > Privacy > Block all cookies
- Edge: Settings > Privacy, search, and services > Manage cookies and site permissions
- Mobile Terminal (Advertising identifier settings)
- Android: Settings > Security and Privacy > Privacy > Other Privacy Settings > Ads > Delete Advertising ID
- iOS: Settings > Privacy & Security > Tracking > "Allow Apps to Request to Track" OFF
- Menu names or paths may differ slightly depending on the OS version.
Article 9 (Purpose and Retention Period of Processing Personal Location Information)
The Company does not store real-time GPS location on its servers and destroys it immediately. However, if records confirming the use or provision of location information are generated in accordance with the Act on the Protection and Use of Location Information, such records shall be retained for one year and then destroyed.
| Items Processed | Purpose of Processing | Retention Period |
|---|---|---|
| Location-related information occurring during Bluetooth (BLE) scan and device connection | Fitrus device integration and data transmission/reception | Real-time location information: Destroyed immediately upon completion of device connection and data transmission / Records confirming use and provision: Retained for one year and then destroyed |
Article 10 (Measures to Secure the Safety of Personal Information)
In processing the user's personal information, the Company takes the following technical, administrative, and physical measures to ensure safety so that personal information is not lost, stolen, leaked, altered, or damaged.
Administrative Measures
Establishment and implementation of internal management plans, minimization of employees handling personal information, and conducting regular security training, etc.
Technical Measures
Management of access rights to personal information processing systems, etc., installation of intrusion prevention systems and security programs, etc.
Physical Measures
Access control for server rooms, data storage rooms, etc.
Article 11 (Processing of Pseudonymized Information)
The Company may process collected personal information by pseudonymizing it so that specific individuals cannot be identified for preparation of statistics, scientific research, and preservation of records for public interest as follows.
Purpose of Processing Pseudonymized Information
- Scientific research for service enhancement
- Preparation of service use statistics and generation of reports
- Preservation of records for public interest related to healthcare
Processing and Retention Period of Pseudonymized Information
- Until the purpose of processing the pseudonymized information is achieved (until the end of research)
Items of Personal Information Subject to Pseudonymization
- Date of birth, gender, physical measurement (height, weight, etc.), health data (step count, heart rate, etc.), service usage records, etc.
Article 12 (Chief Privacy Officer)
The Company takes overall responsibility for the work related to personal information processing and has designated a Chief Privacy Officer as follows for grievance handling and damage relief for information subjects related to personal information processing.
| Name | Oh-hyun Kwon |
| Position | CTO |
| Email | ohkwon@onesoftdigm.com |
If you need to report or consult about other personal information infringements, please contact the following organizations.
| Personal Information Dispute Mediation Committee | www.kopico.go.kr / 1833-6972 |
| Personal Information Infringement Report Center | privacy.kisa.or.kr / 118 |
| Cyber Crime Investigation Division, Supreme Prosecutors' Office | www.spo.go.kr / 1301 |
| Cyber Bureau, National Police Agency | ecrm.cyber.go.kr / 182 |
Article 13 (Duty of Notification)
Announcement and Enforcement
When the Company intends to amend these Terms, it shall announce the effective date and the reason for the amendment along with the current Terms on the site or via the email address registered by the Member from 7 days prior to the effective date until the day before the effective date. However, if the amendment is unfavorable to the Member, a grace period of at least 30 days shall be provided, and notification shall be made via the site or the registered email address.
Revision History
- Announcement Date: May 23, 2026
- Effective Date: May 30, 2026