Medical AI Privacy Policy
V1.0 (2025/11/24)

MedicalAI (“We”, “our” or “Company”) complies with the Personal Information Protection Act of the Republic of Korea and all applicable laws and regulations to protect the rights and freedoms of data subjects. We lawfully process personal information and manage it safely.
Pursuant to Article 30 of the 『Personal Information Protection Act』, the Company establishes and discloses this Privacy Policy to inform data subjects of the procedures and standards regarding the processing and protection of personal information, and to ensure that any inquiries or complaints related to personal information are handled promptly and effectively.


1. Purpose and items for processing personal information

The Company collects and uses personal information only to the minimum extent necessary for providing its services, in accordance with the 『Personal Information Protection Act』.


(1) Personal Information Processed Without the Data Subject’s Consent

The Company processes the following personal information without obtaining the data subject’s consent.

Legal Basis | Category | Purpose of Processing | Personal Information Processed
『Personal Information Protection Act』 Article 15(1)(4) (Conclusion and Performance of Contract) | Account Creation (HS-Public, Provider, AET, AEC, AiTiA Series, DEMO) | Account creation, service provision, user identification | Affiliated organization, ID, password
『Personal Information Protection Act』 Article 15(1)(4) (Conclusion and Performance of Contract) | Account Creation (HS-Private) | Account creation, service provision, user identification | Affiliated organization, patient number or phone number, ID, password, name
『Personal Information Protection Act』 Article 15(1)(4) (Conclusion and Performance of Contract) | HS-Provider ECG Analysis | User identification | Name, date of birth, gender, mobile phone number or patient number
『Personal Information Protection Act』 Article 15(1)(4) (Conclusion and Performance of Contract) | HS-Private ECG Analysis | User identification | Date of birth, gender
『Personal Information Protection Act』 Article 15(1)(4) (Conclusion and Performance of Contract) | HS-Private ECG Result Viewing | Identity verification (NICE Credit Information) | Name, date of birth, gender, mobile phone number
『Personal Information Protection Act』 Article 15(1)(4) (Conclusion and Performance of Contract) | HS-Private ECG Result Viewing | Identity verification and viewing ECG analysis results | PIN number
『Personal Information Protection Act』 Article 15(1)(4) (Conclusion and Performance of Contract) | AiTiA LVSD-1L Account Creation | User registration, service provision, user identification | Email address, password, name, date of birth, gender
『Personal Information Protection Act』 Article 15(1)(6) (Publicly Available Data) | Internet (Pseudonymized Open Data) | Medical group research | PID, hospital name, age, gender, height, weight, ECG, past medical history, disease history, clinical information (test results, disease codes, etc.)
『Personal Information Protection Act』 Article 15(1)(6) (Publicly Available Data) | Internet (Pseudonymized Open Data) | AI training | PID, hospital name, name, age, gender, height, weight, ECG
『Personal Information Protection Act』 Article 15(1)(4) (Conclusion and Performance of Contract) | User Suitability (Usability) Evaluation: Participant Selection | Selection of usability evaluation participants | Name, gender, date of birth, contact information, occupation (industry)
『Personal Information Protection Act』 Article 15(1)(4) (Conclusion and Performance of Contract) | User Suitability (Usability) Evaluation | Participation in usability evaluation, data analysis, payment of compensation | Name, gender, date of birth, contact information, occupation (industry), career (specialty), and depending on qualifications: medical license, nursing license, national technical certificate (health manager), ID card, bank account, evaluation videos, evaluation photos, audio recordings
『Personal Information Protection Act』 Article 15(1)(2) (Where Special Provisions Exist in Other Laws), 『Income Tax Act』 Article 145 (Issuance of Tax Withholding Receipt for Other Income), 『Enforcement Decree of the Framework Act on National Taxes』 Article 68 (Processing of Unique Identifiers) | Compensation for Usability Evaluation | Issuance of withholding tax receipt | ID card (Resident Registration Number)
『Personal Information Protection Act』 Article 15(1)(4) (Conclusion and Performance of Contract) | Recruitment | Recruitment application | Resume and career statement
『Personal Information Protection Act』 Article 15(1)(4) (Conclusion and Performance of Contract) | CS Inquiry | Customer identification and inquiry response | Affiliation, name, contact information (if necessary)
『Personal Information Protection Act』 Article 15(1)(4) (Conclusion and Performance of Contract) | Innovative Medical Technology Reporting | Reporting use of innovative medical technology to NECA | Representative name, department, specialty, position, name, license number, mobile phone number, email address
『Personal Information Protection Act』 Article 15(1)(4) (Conclusion and Performance of Contract) | Academic Conferences & Seminars | Visitor log (sign-in) | Affiliated hospital, name, and depending on the situation, mobile phone number and email address
『Personal Information Protection Act』 Article 15(1)(4) (Conclusion and Performance of Contract) | Advisory Contract | Service provision and payment, tax and accounting processing, compliance with fair competition regulations | Name, date of birth, address, affiliated (medical) institution and address, medical specialty/department, email address, bank account number, business registration number (if self-employed)


(2) Personal Information Processed With the Data Subject’s Consent

The Company processes the following categories of personal information with the data subject’s consent.

Legal Basis | Category | Purpose of Processing | Personal Information
『Personal Information Protection Act』 Article 15(1)(1) (Consent) | HS-Public (Health Screening Center Mode) – ECG Analysis | Service provision and user identification | Mobile phone number or patient number
『Personal Information Protection Act』 Article 15(1)(1) (Consent), Article 23(1)(1) (Processing of Sensitive Information) | HS-Public, HS-Provider – ECG Analysis | ECG analysis, AI model training required for ECG analysis, and medical group research purposes | ECG data
『Personal Information Protection Act』 Article 15(1)(1) (Consent), Article 23(1)(1) (Processing of Sensitive Information) | HS-Private, AiTiA LVSD-1L – ECG Analysis | ECG analysis, AI training required for ECG analysis, medical research for the Medical Group | ECG data, past medical history
『Personal Information Protection Act』 Article 15(1)(1) (Consent) | Customer Satisfaction Survey | Verification of survey participants and provision of survey compensation | Name, contact information, affiliation
『Personal Information Protection Act』 Article 15(1)(1) (Consent) | Academic Conferences & Seminars | Surveys for conference/seminar participants | Name, affiliation, country, email address, and depending on the survey type: mobile phone number, occupation, medical specialty, clinical experience, hospital name, hospital’s country, hospital type (e.g., primary hospital)


(3) Information That May Be Collected During Service Use

Access logs, IP address, and browser/OS user agent information. For mobile users: device model, device language settings, mobile operating system information, and push notification status.


2. Retention and Processing Period of Personal Information

The Company retains and processes personal information only for the period permitted under applicable laws or within the retention period consented to by the data subject at the time of collection.


(1) Retention and Processing Period by Purpose

The retention and processing period for each category of personal information is as follows.

Category | Retention Period
Account Creation (HS-Public, Provider, AET, AEC, AiTiA Series, DEMO) | Until the contract between the affiliated hospital/organization and MedicalAI is terminated
Account Creation (HS-Private) | Until the contract for the use of MedicalAI HeartSafe between the affiliated hospital/organization and MedicalAI is terminated
HS-Public ECG Analysis | Until the contract for the use of MedicalAI HeartSafe between the affiliated hospital/organization and MedicalAI is terminated
HS-Provider ECG Analysis | Until the contract for the use of MedicalAI HeartSafe between the affiliated hospital/organization and MedicalAI is terminated
HS-Private ECG Analysis | Until the contract for the use of MedicalAI HeartSafe between the affiliated hospital/organization and MedicalAI is terminated
HS-Private ECG Result Viewing | Until the contract for the use of MedicalAI HeartSafe between the affiliated hospital/organization and MedicalAI is terminated
AiTiA LVSD-1L Account Creation | Deleted upon account withdrawal
AiTiA LVSD-1L ECG Analysis | Deleted upon account withdrawal
Internet (Public Data) – Medical group research | Deleted upon completion of the research
Internet (Public Data) – AI training | Deleted upon completion of AI training
Usability Evaluation Participant Selection | Deleted 6 months after the application date
Usability Evaluation | Retained for 3 years from the evaluation completion date
Customer Satisfaction Survey | Retained for 1 year from the date of collection
Recruitment – Rejected applicants | Retained for 6 months from the notification of the recruitment result
Recruitment – Final successful applicants (appointed applicants) | Retained for 3 years after the date of resignation or the date the application was submitted
CS Inquiry | Retained until the inquiry is resolved
Innovative Medical Technology Reporting | Retained until the completion of the reporting process
Academic Conferences & Seminars – Visitor Log | Retained for 1 year after the seminar ends
Academic Conferences & Seminars – Survey | Retained for 1 year after the survey is completed
Advisory Contracts | Retained for 5 years from the completion date of the lecture/consulting service


(2) Retention and Processing of Personal Information in Accordance With Relevant Laws

If retention of personal information is required under applicable laws and regulations, the Company retains the relevant information for the period specified by those laws. In such cases, the Company uses the stored information solely for the purposes prescribed by the applicable legislation, and the statutory retention periods are as follows.

Category | Legal Basis | Retention Period | Personal Information Retained
Computer communication and internet log records, access trace data | 『Protection of Communications Secrets Act』 Article 15-2 | 3 months | Access logs; for mobile device users: device model, device language settings, mobile OS information, push notification status
Issuance of withholding tax receipts for usability evaluation compensation | 『Framework Act on National Taxes』 Article 85-3(2) | 5 years | Name, address, resident registration number, bank account number
Usability evaluation analysis | 『Bioethics and Safety Act』 Enforcement Rule Article 15 | 3 years from the completion of the evaluation | Name, gender, date of birth, contact information, occupation (industry), career (specialty), and depending on the qualifications or job category: medical license, nursing license, national technical certificate (health manager); evaluation videos, evaluation photos, audio recordings


3. Provision of Personal Information to Third Parties

The Company may provide personal information to third parties only to the minimum extent necessary and only with the data subject’s consent, in accordance with Article 17(1)(1) of the 『Personal Information Protection Act』, for the purpose of providing seamless service.

Recipient | Purpose of Provision | Personal Information Provided | Retention Period
Korea Research-based Pharma Industry Association (KRPIA) or Korea Medical Devices Industry Association (KMDIA) | Fulfillment of reporting obligations under the Fair Competition Code and verification of compliance with the Code’s upper limit standards for lecture and consulting fees | Lectures: lecturer’s name and affiliation, lecture fee paid, lecture date, lecture venue, event name and purpose, lecture content. Consulting: consultant’s name and affiliation, consulting fee paid, consulting date or period, event name and purpose, consulting content | Retained and used for 5 years from the completion date of the lecture/consulting service

The Company may provide personal information to relevant authorities without the data subject’s consent in the following cases.

Legal Basis | Recipient | Purpose of Provision | Personal Information Provided
『Medical Service Act』 Article 53 (Evaluation of New Health Technologies), 『Regulation on the Evaluation of New Health Technologies』 Article 2(1) | NECA (National Evidence-based Healthcare Collaborating Agency) | Reporting the use of new health technologies | Representative’s name, clinical department, subspecialty, position, name, license number, mobile phone number, email address


4. Entrusted Processors (Outsourced Service Providers)

The Company outsources certain personal information processing tasks to external service providers to ensure the smooth and efficient handling of personal information.

Processor (Entrusted Party) | Task
NICE Information Service | Identity verification
Microsoft Azure | Cloud server operation and management
AWS (Amazon Web Services, Inc.) | Cloud server operation and management

In addition, when entering into outsourcing contracts, the Company clearly stipulates the obligations of the entrusted parties, including compliance with relevant personal information protection laws, prohibition of unauthorized third-party provision, and liability for incidents, to ensure the safe management of personal information. If there are any changes to the outsourced tasks or the entrusted service providers, the Company will promptly disclose such changes through this Privacy Policy. Information regarding the cross-border transfer of personal information to overseas service providers is provided in Section 5 (Cross-Border Transfer of Personal Information).


5. Cross-Border Transfer of Personal Information

The Company stores and outsources personal information overseas as necessary for the conclusion and performance of contracts, in accordance with Article 28-8(1)(3) of the Personal Information Protection Act. Users may refuse the cross-border transfer of their personal information by contacting the Data Protection Officer or the Customer Service team. However, refusal may result in limitations on the use of services that require such cross-border transfers.


  • Recipient of Personal Information: AWS (Amazon Web Services, Inc.)
  • Personal Information Transferred: Date of birth, gender, ECG data
  • Destination Country: Japan (Tokyo Region)
  • Time and Method of Transfer: Transmitted over the network at the time of service use
  • Purpose of Use: Cloud server operation and management
  • Retention and Use Period: Deleted upon deletion of the user’s account

6. Deletion of Personal Information (Procedures and Methods)

When personal information becomes unnecessary (for example, upon expiration of the retention period or achievement of the processing purpose), the Company deletes the relevant personal information without delay. The procedures and methods for deletion are as follows:


(1) Time of Deletion

The Company deletes personal information immediately after the purpose of collection has been fulfilled. However, if the retention of personal information is required under other applicable laws, the Company stores and manages such information separately from the personal information of other users. After the statutory retention period expires, the information is deleted without delay.


(2) Methods of Deletion

  1. Paper documents containing personal information are destroyed by shredding or incineration.
  2. Personal information stored in electronic file format is deleted using technical methods that prevent the recovery or reconstruction of the data.

7. Automated Decision-Making

The Company uses a fully automated system that processes personal information using artificial intelligence technologies to make certain determinations (“Automated Decisions”). In accordance with Article 37-2 of the 『Personal Information Protection Act』, the Company provides the following information regarding automated decision-making.


<Notice of Automated Decision-Making, Its Purpose, and the Scope of Data Subjects>

The Company uses an AI-based automated ECG analysis system when predicting the likelihood of certain medical conditions—such as left ventricular systolic dysfunction, acute myocardial infarction, and aortic stenosis—for users of the AiTiA Series (LVSD/MI/AS) and AiTiA LVSD-1L.


<Categories of Personal Information Used for Automated Decisions and Their Relation to the Decision>

In the process of analyzing electrocardiograms (ECG) to predict the probability of diseases, the Company uses the following personal information: ECG analysis – ECG data.


<Considerations and Procedures for Processing Personal Information in Automated Decisions>

During the automated process that generates scores and risk levels for left ventricular systolic dysfunction, acute myocardial infarction, and aortic stenosis, the system analyzes the user’s ECG based on publicly available ECG datasets and hospital-collected data linked to those datasets. These analyses are used to produce predictive results regarding the likelihood of the above-mentioned medical conditions.


<Processing of Personal Information of Children Under the Age of 14>

The Company does not process personal information of children under the age of 14 in connection with automated decision-making.


<Rights of Data Subjects Regarding Automated Decisions>

The Company conducts ECG analysis through automated decision-making. Data subjects may exercise the following rights with respect to such automated decisions:

  1. Request to object to the automated decision
  2. Request an explanation of the automated decision
  3. Submit opinions or objections and request a review

Method and Procedure for Submitting Requests
  • To object to an automated decision, request an explanation, or request a review through the submission of opinions, the data subject may submit the relevant request form using the following contact information:
    • Department: Information Security Team
    • Contact: 02-2058-0521
    • Email: jskim@medicalai.com
    • Address: MedicalAI, 13F, 38 Yeongdong-daero 85-gil, Gangnam-gu, Seoul
  • Procedure: Request submission → Review of request → Notification of results
  • If the request falls under a ground for refusal, the Company will respond within 10 days of the date of receipt.
  • If the request requires action, the Company will respond within 30 days (with separate notice provided if an extension is necessary).

※ If the data subject has already consented to automated decision-making, has been notified in advance through a contract, or if automated decision-making is explicitly required by law, the data subject’s right to object to the automated decision does not apply. In such cases, only the right to request an explanation or request a review may be exercised. Furthermore, a request to object to, explain, or review an automated decision may be refused if granting the request is likely to unfairly infringe upon the life, body, property, or other rights and interests of another individual, or if other legitimate grounds for refusal exist.

8. Processing of Pseudonymized Information

The Company pseudonymizes collected personal information so that individuals cannot be identified and uses such pseudonymized information for scientific research purposes in accordance with Article 28-2 of the Personal Information Protection Act.

Use and Provision of Pseudonymized Information

Category | Purpose of Use | Pseudonymized Information Used | Retention Period
Scientific Research | AI training and research to improve the ECG analysis performance of MedicalAI products | PID, name (collected from contracted hospitals and institutions) | For the duration specified in the contract
Scientific Research | AI training and research to improve the ECG analysis performance of MedicalAI products | PID, name (collected from hospitals using AiTiA DEMO) | For the duration specified in the contract
Scientific Research | Scientific research within the MedicalAI Group for product development | PID, name (collected from contracted hospitals and institutions) | For the duration specified in the contract
Scientific Research | Scientific research within the MedicalAI Group for product development | PID, name (collected from hospitals using AiTiA DEMO) | For the duration specified in the contract

The Company takes the following measures to ensure the security of pseudonymized information:
  • Administrative Measures:
    • Establishment and implementation of internal management plans for pseudonymized information
    • Regular employee training
  • Technical Measures:
    • Separate storage of pseudonymized information and additional information
    • Destruction of additional information when no longer necessary
    • Access control measures ensuring separate access permissions for pseudonymized information and additional information
    • Installation of access control systems and other protective measures
    • Storage and review of processing records and access logs
    • Installation of security programs
  • Physical Measures:
    • Access control for computer rooms, data storage rooms, and other locations where pseudonymized information is stored

9. Rights of Data Subjects

Users may, at any time, exercise their rights to access, rectify, delete, suspend processing of, or withdraw consent to their personal information through the “Edit My Information” or “Delete Account” functions within the service. Users may also submit such requests to the MedicalAI Information Security Team or through CS inquiries.

The Company will verify that the requester is the data subject or a legally authorized representative and will act without delay.

Requests for access or suspension of processing may be restricted if such access or suspension is limited by other laws, or if fulfilling the request is likely to harm the life or body of another person or unfairly infringe upon another person’s property or rights. Requests for correction or deletion may be restricted if the personal information is specified as subject to collection under other applicable laws.


10. Measures to Ensure the Security of Personal Information

The Company takes the following measures to ensure the security of personal information:

  1. Administrative Measures:
    • Establishment and implementation of internal management plans
    • Regular employee training
    • Operation of dedicated personnel/teams
  2. Technical Measures:
    • Management of access rights to personal information processing systems
    • Installation of access control systems and implementation of related security controls
    • Encryption of personal information
    • Storage and monitoring of access logs
    • Installation and updates of security programs
    • Regular vulnerability assessments and remediation for personal information processing systems
  3. Physical Measures:
    • Access control for computer rooms and data storage rooms
    • Secure storage of documents and storage media in locked facilities
    • Disaster and emergency preparedness measures
    • Control of the entry/exit of storage media


11. Personal Information Protection Officer (DPO) and Access Request Contact

To protect users’ personal information and handle related inquiries or complaints, the Company designates the following Personal Information Protection Officer and department:

Chief Privacy Officer
  • Name: Han Yoon
  • Position: Team Leader
  • Contact: 02-2058-0521, castman@medicalai.com
Department of Personal Information Protection
  • Department: Information Security Team
  • Contact: 02-2058-0521, jskim@medicalai.com

For all privacy-related inquiries or requests for access to personal information arising from the use of the Company’s services, please contact the Personal Information Protection Officer or the department responsible. The Company will respond promptly and adequately to users’ inquiries.


12. Remedies for Personal Information Infringement

If you need to seek dispute resolution or consultation regarding personal information infringement, you may contact the following organizations:

  1. Personal Information Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr)
  2. Personal Information Infringement Reporting Center (KISA): 118 (privacy.kisa.or.kr)
  3. Supreme Prosecutors’ Office: 1301 (www.spo.go.kr)
  4. Korean National Police Agency: 182 (ecrm.police.go.kr)


13. Changes to This Privacy Policy

This Privacy Policy is effective as of November 24, 2025. Previous versions of the Privacy Policy can be found below: