NEED PRIVACY POLICY

Effective as of: July 4, 2024

INTRODUCTION

Need approaches its collection, use, and sharing of your Personal Information with tremendous respect and care.

Please read our Privacy Policy (“Privacy Policy”). By accessing or using the Services provided by Need Korea LLC (“Need”, “we”, “us”, and/or “our”), you understand that your Personal Information will be treated in the ways described herein. We have tried to make the Privacy Policy simple to understand, but if you ever have any questions, you may contact us at the address listed below.

This Privacy Policy provides you with specific details about how we collect, use, disclose and store your Personal Information, which includes your Personal Health Information, when you use the Need Services or otherwise interact with us. This Privacy Policy reflects the requirements of the law of the Republic of Korea, and our own commitments to privacy.

Please note that this Privacy Policy applies to any use of the Services, whether or not that use is connected to your purchase of a qualifying insurance policy.

CONTENTS

  1. Data Controller
  2. Our Commitments
  3. Definitions
  4. Collection and Use of Personal Information
  5. Sharing and Disclosure of Personal Information    
  6. Retention and Destruction
  7. Safeguards    
  8. Your Rights
  9. Department in Charge of the Protection of Personal Information
  10. Changes to Privacy Policy

DATA CONTROLLER

You should be aware that Need Korea LLC is the data controller of the Personal Information collected by and provided to us.

OUR COMMITMENTS

We commit to treating your Personal Information lawfully and fairly; to not processing it in an inappropriate manner or beyond the purposes for which we collected it; to work with you in ensuring the accuracy of your Personal Information; to secure your data to avoid the risk of infringing upon your rights; to inform you of our privacy practices and of your rights with respect to your Personal Information held by us; to use processes such as anonymization and pseudonymization wherever reasonably practicable in order to further protect your privacy; to comply with all applicable privacy laws; and to destroy your Personal Information when it is no longer necessary for the purposes for which it was collected.

DEFINITIONS

The following definitions apply to this Privacy Policy:

Healthcare Providers – Institutions and providers that are or have been involved with providing you with healthcare but are unaffiliated with us. Such Healthcare Providers may include but are not limited to hospitals, clinics, physicians, nurse practitioners, registered nurses, pharmacies, oncologists, pathologists, and radiologists.    

Contractors – Individuals or institutions that act as service providers to Need in providing the Need Services. Such Contractors do not have a direct relationship to you.

Personal Health Information - Any Personal Information related to your health or healthcare, including information that relates to your physical or mental health and healthcare including health history, the provision of healthcare to you, screening assessments, payments or eligibility for healthcare, healthcare provider, substitute decision-maker, national health card number or other healthcare-related personal identification numbers, including resident registration numbers (subject to any applicable legal restrictions), or any other information that is collected in the course of your receiving health services from Healthcare Providers. Such information may include any of the following:

  • The name(s) of Healthcare Providers(s);
  • Patient identification (i.e., name, address, phone number, national health insurance number, insurance policy number, contact person in case of emergencies, copy of identification) and a medical history;              
  • Records of examinations carried out by Healthcare Providers and clinical notes for each patient encounter;
  • Requisitions for treatment or investigation;
  • Consents to treatment obtained in writing;
  • Records of healthcare appointments, including missed or canceled appointments;
  • Records of treatment you receive from Healthcare Providers;
  • Reports of investigative procedures and reports of the results of laboratory, pathology, consultations, diagnostic imaging examinations or tests; and
  • Diagnoses.      

Personal Information - Any information about an identifiable individual, including any “personal information” as regulated under the Personal Information Protection Act and any other applicable data privacy laws. Personal Information includes the Policyholder App account profile and Personal Health Information.

Policyholder App - The “Need” app provided by us to individuals who have purchased a cancer insurance policy that includes the Services.

Services – All together, the information technology tools we provide to you, including the Policyholder App and the Need website, and all the tools and services offered within the Policyholder Apps or website, including, but not limited to, assessments, recommendations, appointment-scheduling, and customer support. The Services may include the following:

(a) Supporting users to conveniently receive the most up-to-date, guideline-based cancer screening. Through this service, you will be able to receive information on medical institutions providing screening, information based on international guidelines (NHIS screening guidelines and Korea’s National Cancer Center screening project recommendations) and information from a support team if you have any questions (however, specific examinations and recommendations related to cancer screening are not included in the services, and you should separately consult with a medical institution or professional for such matters).

(b) Need Customer Support Team providing assistance in collecting your medical information and alerting your providers about how to use the separate provider-focused application.

(c) Facilitating users to receive the most up-to-date, international guideline-based cancer treatment from their providers through the following activities, systems, and feature sets: case activation; provider onboarding; data collection and digitization; data validation; and access to the Need customer support team for care navigation.

The decision to use the above service is entirely based on the personal judgment of the attending physician. While Need provides support for the use of this service, it does not require or force the attending physician to use this service, nor does it guarantee the attending physician's use of this service. The user fully understands the above and explicitly acknowledges that this service may not be used based on the attending physician's judgment.

(d) Facilitating users to receive the most up-to-date, guidelines-based follow-up care from their providers and screening, aimed at assisting your provider in optimizing treatment-related symptoms, as well as enabling the detection of cancer recurrence or new cancers. This service incorporates personalized guidelines-based survivorship plans, symptoms monitoring and reporting, as well as support from the Need customer support team.

(e) Other services that Need may provide to the user through the Policyholder App.

COLLECTION AND USE OF PERSONAL INFORMATION

Overview

We collect Personal Information to establish and maintain a relationship with you, to provide you our Services, to develop and enhance our products and services, and to maintain and improve the security and functionality of the Need website and Policyholder App.‬ We may also use your Personal Information, where permitted by law, to facilitate your Healthcare Providers’ care of you and our Contractors’ services to us and to your Healthcare Providers; for alerting you and third parties of opportunities for your health; and for communicating to you opportunities to participate in clinical trials. To the extent permissible under applicable laws, we may also use any of your Personal Information necessary to enforce our agreements, terms and policies, to comply with legal obligations, and for safety or security purposes.

We receive your Personal Information from three main sources: You, when you provide it to us directly in the Policyholder App or via other means; Your Use of the App, when you use the Policyholder App, we collect information about how you use the Policyholder App, information about the device you use to access the Policyholder App, and information from third-party apps you may connect to your account; and Third Parties, those entities or individuals who are involved in your healthcare who provide us, with your consent, your Personal Information (by the means and to the extent permissible under law) to assist in your use of the Need Services.    

We do not accept registrations for the Service by, and will not knowingly collect Personal Information of, individuals under the age of 14.

Details

We collect and use the following categories of Personal Information from you directly and for the purposes specified:

Name and Contact Information. We may collect information when you create an account or use our Services, such as first and last name, birthdate, gender, email address, postal address, phone number, and other similar contact data. We collect this category of information to establish and maintain a relationship with you and to provide you with access to the Services you request. We may use your contact information to send you electronic messages related to the Services, e.g., notify you that you are eligible for certain Services. If you have consented to receive marketing messages, we may send you marketing messages related to products or services we think you may be interested in. You may withdraw your consent to receive marketing messages at any time. Such withdrawal of consent will not impact your receipt of purely service-related electronic messages.

Credentials. We may collect passwords, password hints, and similar security information used for authentication and account access if you create an online account. We collect this information for security, authentication, and verification purposes.

Your Communications with Us. We may collect Personal Information, such as email address, phone number, or mailing address, along with the content of your communications, including, in some instances, Personal Health Information, when you request information about our Services, request customer or technical support, or otherwise communicate with us, including online chats on the Need Platform.

Personal Health Information. We may collect your Personal Health Information for the purpose of providing you the Services you request, including in-app assessments to provide support for your Healthcare Providers in assessing health risks and planning your healthcare, and for such other purposes as described in this Privacy Policy, such as for alerting you and third parties of opportunities for your health; and for communicating to you opportunities to participate in clinical trials.

We collect the following categories of Personal Information when you use the Policyholder App or our website and for the purposes specified:    

Automatic Data Collection. We may collect certain information automatically when you use our Services, such as your Internet protocol (IP) address, user settings, MAC address, cookie identifiers, mobile carrier, unique identifiers, browser or device information (see below), location information (data processed within your smartphone, or approximate location derived from IP address), and Internet service provider. Your UserID, which is a number assigned to your account for internal purposes, may also be collected automatically when you use the Services. This information is used to maintain and improve the security, performance and functionality of the Need website and Policyholder App. Some automatically collected Personal Information may be combined with other information to help improve the Services we offer.

Data From Connected Applications. We may collect Personal Information from third-party applications if you have connected your Need account with those applications for the purpose of providing you the service or tool you have requested. For example, if you choose to connect your Apple Health app to your account in the Policyholder App, we will collect the data from that application and use it to provide you the Services you request, including analyzing the Personal Information to better provide you the Services. Such data may include “behavioral data”, such as information about the links you click, the types of content you interact with, the frequency and duration of your activities, and other information about how you use that application.

Usage Information. We may also collect information regarding your use of our Services, such as information about the links you click, the types of content you interact with, the frequency and duration of your activities, and other information about how you use our Services. This information is collected for the purposes of developing and enhancing our products and services, including to understand what Services you may be interested in, as well as for administrative purposes. We may also use this information for research purposes. We may aggregate and de-identify the data if we share it with third parties. We also use this information for security purposes and to improve the functionality of the Need Policyholder App and website.

Device Information. Certain limited technical data is required for the Policyholder App to function on your device. The information we collect includes information about your device and operating system, such as the type of device hardware and operating system, unique device identifier, IP address, language settings, and the date and time the Policyholder App accesses our servers. This information is used for the purposes of delivering content appropriate for your device’s capabilities, for delivering push notifications and helping to ensure a secure experience and to detect anomalous behavior in order to protect Personal Information from unauthorized access. In addition, in the event the Policyholder App crashes on your mobile device, we may receive information about your mobile device model software version and device carrier, which allows us to identify and fix bugs and otherwise improve the performance of the Policyholder App.

We collect the following categories of Personal Information from third parties for the purposes specified:

Personal Health Information. In accordance with required procedures under applicable law, we collect your Personal Health Information from third parties such as Healthcare Providers that may be or have been involved in your healthcare. We collect this information to provide you with the Services. We may also collect information that constitutes Personal Health Information from your health insurance provider to help us with the provision of Services to you.

Insurance-Related Information. We collect information related to your health insurance policy from your health insurance provider. This information may include information considered to be Personal Health Information, as well as contact information, policy information, credit information, claims submitted, risk assessments, and other Personal Information insurance providers have used in their decision to provide you a policy or provide coverage under your policy.  

We may also use your Personal Information in the following other ways:

Consent. We may use your Personal Information for other purposes with your additional consent.          

Contract. We may use your Personal Information where this is unavoidably necessary, for the purpose of entering into and performing a contract that we have with you.    

Deidentified. We may deidentify your Personal Information and use it for the purposes of improving and developing our Services, to enter into partnerships, to conduct data analysis, to develop new products and services in the future, and other such uses as permitted by law.

Cookies

Our website and Policyholder App use cookies. Cookies are small text files that are saved on your device when you visit our website that help us in particular to provide you with a good experience when you browse our website and also allow us to improve it. Cookies may contain information about your use of our website or enable us to recognize you and your device the next time you visit our website.

There are various ways to configure and manage cookies. You can deactivate Need or third-party cookies using your browser settings.

For example, the following hyperlinks tell you how to disable the use of cookies in some browsers and/or how to delete cookies:

SHARING AND DISCLOSURE OF PERSONAL INFORMATION

Overview

We may share Personal Information with Healthcare Providers, Contractors, and others who assist in the provision of Services to you or to us.

We will not disclose your Personal Information for any purpose other than what has been outlined in this Privacy Policy or as permitted under applicable law, unless we obtain your express consent. We disclose only the limited amount of Personal Information necessary to meet these purposes.

We may share your Personal Information with our service providers, including Contractors, who are contracted by us to perform services or functions on our behalf where they require the information to assist us in providing the Services. In all instances in which we share your Personal Information with third parties providing the Services, we use contractual controls to protect this information and limit its use to what is necessary for the service provider to perform the service. Further details are set out in the Entrustment section below.

We may share your Personal Information with third parties as permitted and in the manner required by law. Further details are set out in the Third-Party Provision section below.      

Details

Entrustment

Whenever we share information outside of Korea, we ensure that the transfer complies with applicable laws so that your Personal Information is adequately protected.

The following are recipients of all categories of Personal Information in the Privacy Policy, their location, the purpose of the transfer, the retention period by the recipient, and the timing and method of transfer to entities outside of Korea:

  • Google Cloud Services in Korea, which provides data storage services, and which retains data as long as necessary to provide the Services or until the end of the contract.
  • Need Inc. in the U.S.A. (Privacy Officer, privacy@getneed.com), which provides administrative and customer support, and which retains data as long as necessary to provide the support, and is transferred at the time of transmission of information and through the network whenever a service is used that requires transfer.
  • Channel.io in Korea. (Privacy Officer, Contact: privacy@channel.io, Phone: +82.2.1644.4052), which provides a customer support platform, and which retains the data as long as necessary to provide you the Need Services or until end of contract, and is transferred at the time of transmission of information and through the network whenever a service is used that requires transfer.
  • Typeform, S.L. in Spain (Contact details for Data Protection Officer: gdpr@typeform.com), which provides customer support forms, and which retains the data as long as necessary to provide you the Need Services or until end of contract, and is transferred at the time of transmission of information and through the network whenever a service is used that requires transfer.
  • Contractors, global, to provide the Services, and who retain the data as long as is necessary to provide you the Need Services, and the data is transferred at the time of transmission, when the Consultant accesses the Personal Information through Need-supplied apps or websites.
  • Yugabyte in the U.S. (Privacy Office, privacy@yugabyte.com), which provides data storage services, and which retains the data as long as necessary to provide you the Need Services or until end of contract, and is transferred at the time of transmission of information and through the network whenever a service is used that requires transfer.
  • Sejong Telecom in Korea (Privacy Officer: privacy@sejongtelecom.net, +82.2.1688.1000), which provides an internet phone and call management service, and which retains the data as long as necessary to provide you the Need Services or until end of contract, and is transferred at the time of transmission of information and through the network whenever a service is used that requires transfer.
  • Elastic Search in Korea (Privacy Officer: +1.650.458.2620 or via the form provided at https://www.elastic.co/legal/privacy-statement#contact), which provides search and analytics services, and which retains data as long as necessary to provide you the Need Services or until end of contract, and is transferred at the time of transmission of information and through the network whenever a service is used that requires transfer.
  • Sentry in the U.S. (Privacy Officer: compliance@sentry.io), which provides error debugging services, and which retains data for up to 90 days, and is transferred at the time of transmission of information and through the network whenever a service is used that requires transfer.
  • Medical Records Issuance Agency in Korea (Representative Dongsik Kim, Privacy Officer, mrpass88@naver.com), which provides services for viewing and issuing copies of medical records, which is transferred at the time of transmission of information and through the network whenever a service is used that requires transfer.
  • Hecto Data Co., Ltd. in Korea (Personal Information Protection Officer: privacy@hectodata.co.kr), which provides services for relaying personal (credit) information using your authentication information, saving request/response data using your authentication information to improve API service quality and respond to business, and processing requests for access, correction, deletion, and suspension of processing of your personal information; and which retains data as long as necessary to provide you the Need Services or until end of contract, and is transferred at the time of transmission of information and through the network whenever a service is used that requires transfer.

We and our entrustee Need Inc. may entrust Personal Information to service providers specified above, for the following purposes:

Contractors. To provide our Services, we may disclose your Personal Information to Contractors, who are involved in providing the Services.

Your Personal Health Information will be accessible to Contractors who provide or assist in the provision of the Services.

Service Providers. We may share Personal Information with our suppliers, agents or other organizations or individuals who are contracted to perform services or functions on our behalf, where they require the information to assist us in serving you. For example, we may use service providers for internal administrative purposes, e.g., a customer service platform, to host our website and to store and dispose of information on our behalf. In addition, we may use service providers for our internal processes (such as internal communications platforms and customer support platforms). We strive to minimize the amount of Personal Information that we share with our service providers and partners and ensure that appropriate contractual clauses restrict what they are able to access or do with the Personal Information.

Third-party data provision

In order for your Healthcare Providers who are providing medical services to you to obtain information on optimum clinical or treatment methods, or obtain reference material from Contractors, we may provide Personal Health Information, or allow access thereto, to them in accordance with the Terms of Service for the Services and applicable laws.

Insurance Companies. We may share limited Personal Information, e.g., your policy number and your cancer diagnosis information, as well as information related to your use of the Need Services, with the insurance company through which you purchased a Need-integrated cancer insurance policy in the event you tell us you have received a cancer diagnosis. Disclosure of this personal information is subject to a privacy and security agreement that ensures the insurance company will use your data only for the purposes of administering your Need-integrated policy and will be subject to security required under the law.

Third-Party Partners. We may provide, where permitted by law and/or with your further consent, your Personal Information to third-party partners who may be conducting research, clinical trials, or studies, or may be developing healthcare-related software, programs, or products. We may share your Personal Information if we partner with a third party for the purposes of conducting research or clinical trials. We may provide your Personal Information to third-party partners that have products or services that may be of interest to you. If we do, we will add their names to this Privacy Policy.

Disclosures required or permitted by law or regulation. We may disclose Personal Information to the extent necessary where we are required or permitted under applicable law, such as in the event of an emergency that threatens the life, health or security of an individual. We or our service providers will also share Personal Information with law enforcement, courts, other government agencies or other parties if we are required to do so to meet our legal and regulatory requirements in the jurisdictions in which we or our service providers operate; for example, we are required to provide records to law enforcement in response to a valid court order.

Business Transfers. If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of all or a portion of our assets, or transition of service to another provider, your Personal Information may be transferred to a successor or affiliate as part of that transaction along with other assets, subject to all requirements under applicable laws.

You may refuse the overseas transfer of Personal Information by providing written notice of such refusal (including notice by e-mail). However, consent for overseas transfer of your Personal Information is essential for Need to provide its services to you; therefore, if you refuse to provide or revoke this consent, your access to the Services may be restricted.

RETENTION AND DESTRUCTION

In general, we retain Personal Information only for as long as reasonably necessary to fulfill the purposes described in this Privacy Policy or in a separate consent we have obtained from you or as required to meet legal or regulatory requirements.    

Personal Information may be retained for a period of time mandated by law, including as specified below:

Act on Consumer Protection in Electronic Commerce

  • Records relating to your cancellation of, or payment for, a transaction, and our supply of a good/service: 5 years
  • Records of handling of complaint, or dispute: 3 years

Protection of Communications Secrets Act

  • Records/logs of your visits to our website: 3 months

When we destroy your Personal Information, we will take commercially reasonable and technically feasible measures to ensure it is permanently deleted.

We delete Personal Information stored in the form of electronic files by using technical methods that render it impossible to restore the data. Personal information printed on paper is shredded or incinerated. Other types of Personal Information, if any, are permanently destroyed, in accordance with any applicable requirements under law.

SAFEGUARDS

We understand that data security is a critical issue and we are committed to safeguarding the Personal Information in our custody or control. We have implemented a comprehensive information security program in accordance with applicable law that includes written policies and procedures, and security controls, as well as reasonable administrative, technical and physical safeguards, in an effort to protect against unauthorized access, use, loss, modification, and disclosure of Personal Information in our custody or control as follows:    

  1. Organizational measures: Establishment and implementation of internal management plans, provision of regular employee training, etc.
  2. Technical measures: Management of access rights to the Personal Information processing systems, installation of access control systems, encryption of uniquely identifiable information, installation of security programs, etc.
  3. Physical measures: Access control of IT rooms, data storage rooms, etc.

Please keep in mind that no internet or email transmission is ever fully secure or error free and no security system is impenetrable. We cannot fully guarantee the confidentiality of any information that you provide to us but we can assure you that we will use reasonable and appropriate security controls, reflective of the sensitive nature of Personal Health Information.

It is important for you to play an active role in the protection and safeguarding of your Personal Information, and to guard your privacy when you are online. If the Policyholder App or our website contains links to other websites, apps, or platforms, this Privacy Policy does not govern those websites. You should read their privacy policies and make an informed decision about whether you want to use them or their services.

YOUR RIGHTS

Access: You have the right of access to your Personal Information. For any Personal Information that is not available to you directly in your account, you may request access by contacting us at the address below.

Correction: You have the right to correct incorrect Personal Information. For any Personal Information that you cannot directly correct in your account, you may request correction by contacting us at the address below.

Deletion: You may request deletion of your Personal Information. For any Personal Information that you cannot directly delete in your account, you may request deletion by contacting us at the address below.

Suspension of Processing: You have the right to request that we stop processing your Personal Information. To make such a request, you may contact us at the address below.

We rely on you to ensure that the Personal Information in your account is accurate, complete and up-to-date.

Please be aware that we will take reasonable steps, as permissible under law, to verify your or your legal representative’s identity before providing you with access to your Personal Information or making corrections or deletions to it. In addition, your right to access, correct, or delete your Personal Information is subject to certain legal restrictions.

You and your legal representative/guardian may make requests by contacting us at the address listed in the next section.

DEPARTMENT IN CHARGE OF THE PROTECTION OF PERSONAL DATA

Please contact us at the address below if:

  • you have any questions related to the collection, use or disclosure of your Personal Information;
  • you need to report any privacy or security violations, including any suspected or actual unauthorized access, use, disclosure or loss of Personal Information;
  • you wish to withdraw your consent to the collection, use or disclosure of Personal Information;
  • you wish to access, update, and/or correct inaccuracies in your Personal Information;
  • you have any questions or comments about this Privacy Policy; or
  • you otherwise have a question or complaint about the manner in which we or our service providers treat your Personal Information, including our policies and practices with respect to the use of service providers outside of the Republic of Korea.

Need has designated a chief privacy officer, to oversee processing of Personal Information and for purposes of addressing requests and issues regarding such processing. Need’s chief privacy officer is the following:

CHANGES TO PRIVACY POLICY

This Privacy Policy may be updated from time to time to reflect changes to our practices. Any notices regarding modifications to this Privacy Policy will be in written form and provided to you on the Policyholder App and on our website.

If any changes to this Privacy Policy are significant, we will provide a more prominent notice (including email notification, if appropriate).

We encourage you to periodically review this Privacy Policy for the latest information on our privacy practices and to contact us if you have any questions or concerns.