Boryung Co., Ltd. (hereinafter referred to as the "Company") establishes and discloses this Privacy Policy in accordance with Article 30 of the Personal Information Protection Act, in order to protect the personal information and rights of data subjects and to handle related grievances promptly and smoothly.
Through this Privacy Policy, the Company informs you of how your personal information is used and what measures are taken to protect such information.

■ Article 1. Purpose of Processing Personal Information
The Boryung website processes personal information for the following purposes. Personal information processed will not be used for purposes other than the following, and if the purpose of use is changed, necessary measures such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act will be implemented.

1. Provision of Services
- To perform contracts related to service provision, settlement of fees, and provision of contents.
2. Requests for correction or deletion of personal information
- To handle complaints and related civil affairs.
3. Requests for Suspension of Personal Information Processing
- To manage recruitment-related procedures such as application, screening, notification of recruitment results, management of potential candidates, and identification of applicants.

■ Article 2. Retention and Period of Use Personal Information
The retention period of personal information collected through the Boryung website is as follows.
Personal information will be processed and retained within the retention and use period agreed upon by the data subject at the time of collection or as required by law.


1. Provision of Services
- Retained and used from the date of consent to collection and use until 3 years (extended upon information change or renewed consent).
2. Handling of Complaints
- Retained and used for 3 years from the date of consent.
3. Management of Job Applicants
- Retained and used until 2 months after completion of the recruitment process.
4. Management of Drug Safety Information
- Collected in pseudonymized form in the CRScube Safety R3-Safety Database and retained until the purpose is achieved.
5. Management of Home Blood Pressure Monitor Rental Information
- Retained and used for 1 year from the date of consent.

■ Article 3. Provision of Personal Information to Third Parties
In principle, the Company does not provide data subjects' personal information to external parties. However, exceptions apply in the following cases:

1. When separate consent is obtained from the data subject
2. Where required by law
3. Where it is impossible to obtain prior consent due to incapacity or unknown address, and it is deemed necessary to protect the urgent interests of life, body, or property of the data subject or a third party
4. Where provided in a form that makes it impossible to identify specific individuals for purposes such as statistics or academic research
5. Where provision is unavoidable to perform statutory duties, upon deliberation and resolution of the Personal Information Protection Commission
6. Where required for implementing international treaties or agreements
7. Where necessary for investigation, prosecution, and maintenance of criminal cases
8. Where required for court proceedings
9. Where necessary for execution of criminal penalties, protective dispositions, or custodial measures

■ Article 4. Entrustment of Personal Information Processing

The Company entrusts the processing of personal information as follows to ensure the smooth performance of personal information-related tasks.
In accordance with Article 26 of the 「Personal Information Protection Act」, the Company processes personal information under a written agreement that includes the following:
- Prohibition of processing personal information for purposes other than the entrusted task
- Technical and Managerial Protection Measures for Personal Information
- Safe management of personal information: details regarding the purpose and scope of the entrusted task, restrictions on re-entrustment, measures to ensure the security of personal information, supervision such as checking the status of personal information managed in connection with the entrusted task, and liability for damages in case the trustee violates its obligations
If the details of the entrusted tasks or the trustee are changed, the Company will disclose such changes promptly through this Privacy Policy.

■ Article 5. Rights and Obligations of Data Subjects and Legal Representatives, and Methods of Exercise
Data subjects may exercise the following rights at any time under Articles 35, 36, and 37 of the Personal Information Protection Act:

1. Request to access personal information
2. Request correction or deletion of personal information
3. Request suspension of personal information processing
Requests may be submitted in writing, email, or fax using the prescribed form. The Company will take action without delay. Where correction or deletion is requested, the relevant data will not be processed or provided until the request is completed. Access or suspension of processing may be restricted by law (Article 35(4), Article 37(2)). Deletion may not be permitted where the data is required by law. Requests must be verified to ensure that the requester is the data subject or a legitimate representative. For children under 14, their legal guardian may request access, correction, or withdrawal of consent.

■ Article 6. Items of Personal Information Processed
The Company processes the following personal information:

The Company entrusts the processing of personal information as follows to ensure the smooth performance of personal information-related tasks.
In accordance with Article 26 of the 「Personal Information Protection Act」, the Company processes personal information under a written agreement that includes the following:
- Prohibition of processing personal information for purposes other than the entrusted task
- Technical and Managerial Protection Measures for Personal Information
- Safe management of personal information: details regarding the purpose and scope of the entrusted task, restrictions on re-entrustment, measures to ensure the security of personal information, supervision such as checking the status of personal information managed in connection with the entrusted task, and liability for damages in case the trustee violates its obligations
If the details of the entrusted tasks or the trustee are changed, the Company will disclose such changes promptly through this Privacy Policy.

■ Article 7. Procedures and Methods for Destruction of Personal Information
The Company, in principle, destroys personal information without delay once the purpose of collection and use has been achieved. Procedures and methods for destruction are as follows:

Procedure

- Information entered by data subjects is retained for a certain period under internal policies or relevant laws and then destroyed.

- Personal information will not be used for other purposes unless required by law.

Method

- Electronic files: Deleted using technical methods that prevent recovery.

- Paper documents: Destroyed by shredding or incineration.

■ Article 8. Measures to Ensure the Security of Personal Information
The Company takes technical, managerial, and physical measures necessary to ensure the security of personal information in accordance with Article 29 of the Personal Information Protection Act.

1. Establishment and Implementation of Internal Management Plan
The Company establishes and implements an internal management plan in compliance with its internal management guidelines.
2. Minimization and Training of Personal Information Handlers
The Company designates and minimizes the number of employees who handle personal information and implements measures to manage such personal information.
3. Restriction of Access to Personal Information
The Company takes necessary measures to control access to personal information by granting, changing, and deleting access rights to the database system that processes personal information, and prevents unauthorized external access by using intrusion prevention systems.
4. Retention and Prevention of Forgery or Alteration of Access Records
The Company retains and manages records of access to the personal information processing system (such as web logs and summary data) for at least one year and uses security features to prevent access records from being forged, altered, stolen, or lost.
5. Encryption of Personal Information
Users' personal information is encrypted and stored/managed. In addition, important data is encrypted during storage and transmission, and other security features are applied.
6. Technical Measures Against Hacking, etc.
To prevent the leakage or damage of personal information caused by hacking or computer viruses, the Company installs and regularly updates/inspects security programs, installs systems in areas with restricted external access, and monitors and blocks unauthorized access both technically and physically. The Company also monitors network traffic and detects attempts to illegally alter information.
7. Access Control for Unauthorized Persons
The Company maintains a separate physical storage location for the personal information system that stores personal information and establishes and operates access control procedures for such locations.

■ Article 9. Installation, Operation, and Refusal of Automated Personal Information Collection Tools
The Company's website does not use cookies to store or retrieve user information.

■ Article 10. Remedies for Infringement of Rights
Data subjects may contact the following agencies for consultation or remedies regarding infringement of personal information:

- Personal Information Infringement Report Center (http://privacy.kisa.or.kr / 118)
- Personal Information Dispute Mediation Committee (http://www.kopico.go.kr / 1833-6972)
- Supreme Prosecutors' Office Cyber Crime Investigation Division (http://www.spo.go.kr / 1301)
- National Police Agency Cyber Bureau (https://cyberbureau.police.go.kr / 182)

■ Article 11. Chief Privacy Officer (CPO) and Related Matters

Chief Privacy Officer (CPO)

Privacy Officer

■ Article 12. Revision History of Privacy Policy

This Privacy Policy was revised on August 25, 2025.

If there are additions, deletions, or modifications due to changes in laws, government policies, internal policies, or security technologies, such changes will be announced through the Company's website.