Article 1 (Personal Information Items Processed)

The Company collects minimum personal information necessary for service provision. The collection items are as follows:

• Product Inquiries and Consultation via Website: Name, email, country, phone number, job title, institution/company name, inquiry details
• Job Applications and Recruitment Inquiries via Recruitment Website:
  • Required: Name, address, phone number, mobile phone number, email, resume (nationality, veterans and disability status, education, grades, career history, military service, overseas experience and training activities, social activities, language and other qualifications, awards, hobbies, specialties, self-introduction, etc.)
  • Optional: Additional supporting documents (career description, cover letter, portfolio, etc.)
• MADI Service Provision: (Required) Name, email, (Optional) Phone number, institution name, anonymized clinical data (limited to research purposes, separate consent required)
• Product Technical Support: Email, institution name
• Automatically Collected During Internet Service Use: IP address, cookies, MAC address, service usage records, device information, visit records, location information (limited to service improvement purposes)

Article 2 (Purposes of Personal Information Processing)

The Company processes collected personal information for the following purposes:

• Product Inquiries and Consultation via Website: Collection and response to inquiries about MADI platform (AI Digital Twin Clinical Trial Solution)
• Job Applications and Recruitment Inquiries via Recruitment Website: Conducting and managing recruitment processes, providing recruitment information, processing recruitment inquiries, talent pool registration
• MADI Service Provision: Providing AI Digital Twin Clinical Trial Platform services, utilizing virtual patient solutions, research support
• Product Technical Support: MADI product technical support
• Automatically Collected Information: Service improvement, usage statistics analysis, security enhancement

Personal information will not be used beyond the collection purposes, and separate consent will be obtained if new purposes arise.

Article 3 (Processing and Retention Period of Personal Information)

In principle, personal information will be destroyed without delay when the purpose is achieved.

Specific retention periods:

• Product Inquiries and Consultation: Until withdrawal of user consent
• Job Applications and Recruitment Inquiries via Recruitment Website: 2 years
• MADI Service Provision: Until service termination (clinical research data: 1 year after research completion)
• Product Technical Support, Product Education Support: Until withdrawal of user consent

When retention is required by law (Commercial Act, Electronic Commerce Act, etc.), information will be stored separately (e.g., contracts: 5 years, consumer complaints: 3 years).
Minimum information for legal compliance may be retained even after consent withdrawal.

MADI does not use or provide personal information without the data subject's consent in principle. However, when additional use or provision is made without the data subject's consent according to relevant laws, the judgment criteria are as follows:

• Whether it is related to the original collection purpose
• Whether there is predictability of additional use or provision of personal information in light of the circumstances or processing practices
• Whether it unfairly infringes on the interests of the data subject
• Whether necessary measures for security such as pseudonymization or encryption have been taken

Article 4 (Entrustment of Personal Information Processing)

The Company may entrust personal information processing to the following companies. When entrusting, we comply with Article 26 of the Personal Information Protection Act (processing restrictions, re-entrustment restrictions, supervision, etc.). Changes in entrustment details will be announced on our website.

Entrusted companies and tasks:

• Centum Internet: Data storage and infrastructure management
• Recruitment Management System: Recruitment website operation and management

Article 5 (Destruction of Personal Information)

MADI destroys personal information without delay when the retention period expires or the purpose is achieved.

When personal information must be continuously preserved according to other laws despite the expiration of the consented retention period or achievement of processing purposes, such personal information will be transferred to a separate database (DB) or stored in a different location.

• Destruction Procedure: Destruction after approval by the responsible person when destruction reasons occur
• Destruction Method: Electronic files are destroyed using irreversible technology, and records are shredded or incinerated
• When preservation is required by law, stored in a separate DB

Article 6 (Rights and Obligations of Data Subjects and Exercise Methods)

Data subjects may exercise the following rights against MADI at any time: requests for access, correction, deletion, suspension of processing and withdrawal of personal information, refusal of or request for explanation of automated decisions (hereinafter referred to as "exercise of rights").

Requests for access to personal information of children under 14 years of age must be made directly by their legal representatives. Data subjects who are minors aged 14 or older may exercise rights regarding their personal information either by themselves or through their legal representatives.

Exercise of rights may be made to MADI in writing or by email, and MADI will take action without delay. MADI also verifies whether the person requesting access, correction/deletion, or suspension of processing is the data subject themselves or a legitimate representative.
When a data subject requests correction or deletion of personal information errors, MADI will not use or provide the personal information until the correction or deletion is completed.
Exercise of rights under Paragraph 1 may be done through legal representatives or authorized agents.
Data subjects must not infringe on their own or others' personal information and privacy that MADI is processing in violation of the Personal Information Protection Act and other relevant laws.
Requests for access to personal information and suspension of processing may be restricted according to Article 35(4) or Article 37(2) of the Personal Information Protection Act.
Even if deletion of personal information is requested, the personal information may not be deleted if it is specified as a collection target in other laws.
When consent has been obtained for automated decision-making, when notified in advance through contracts, or when clearly specified by law, refusal of automated decisions is not recognized, and only requests for explanation and review are possible.
Additionally, requests for refusal or explanation of automated decisions may be rejected if there are legitimate reasons such as the risk of unfairly infringing on the life, body, property, and other interests of others.
MADI will process requests without delay after confirming that the person exercising rights is the data subject or legitimate representative, and will notify the reasons if refused.

Article 7 (Measures to Ensure Security of Personal Information)

MADI takes the following measures to ensure the security of personal information in accordance with Article 29 of the Personal Information Protection Act:

• Administrative Measures: Establishment of internal management plans, regular training
• Technical Measures: Management of access rights to personal information processing systems, installation of access control systems, encryption of personal information, installation of security programs
• Physical Measures: Locking and access control of places where personal information is stored

Article 8 (Data Protection Officer and Access Requests)

MADI has designated a Data Protection Officer as follows to oversee personal information processing and handle complaints and remedies related to personal information processing:

• Name: Kim Eun-seok
• Position: Data Protection Officer
• Email: eskim@madidt.com

Data subjects may contact the Data Protection Officer and relevant department for all personal information protection inquiries, complaint handling, and damage relief arising from using MADI's services. MADI will respond and process inquiries without delay.

Data subjects may make requests for access to personal information under Article 35 of the Personal Information Protection Act to the above department. MADI will endeavor to process personal information access requests promptly.

Article 9 (Methods for Rights Violation Remedies)

Users may contact not only MADI's personal information protection department but also the following organizations for reporting or consultation regarding personal information infringement:

• Personal Information Dispute Mediation Committee (www.kopico.go.kr / 1833-6972)
• Personal Information Infringement Report Center (privacy.kisa.or.kr / 118)
• Supreme Prosecutors' Office Cybercrime Investigation Unit (www.spo.go.kr / 1301)
• National Police Agency Cyber Safety Bureau (cyberbureau.police.go.kr / 182)

Article 10 (Changes to Privacy Policy)

The privacy policy may be changed due to enactment or amendment of laws, changes in government policies, changes in company internal policies, or changes in security technology. In such cases, changes will be announced on the website 7 days before the change.

• Privacy Policy Version: v0.1.0
• Privacy Policy Effective Date: 2025-09-10