i-SENS Continuous Glucose Monitoring Services Privacy Policy

i-SENS Continuous Glucose Monitoring Services Privacy Policy

i-SENS, Inc. (hereinafter referred to as “i-SENS”) has established and is disclosing the following Privacy Policy in accordance with Article 30 of the Personal Information Protection Act of the Republic of Korea in order to protect the Data Subjects’ Personal Information that is collected and used when using i-SENS’ continuous glucose monitoring (hereinafter referred to as “CGM”) services and handle therelated complaints in a swift and smooth manner. “i-SENS CGM Services” or “Services” collectively refers to the services provided through the Sens365 mobile and web applications that manage the blood glucose of users together with health managers based on the mobile app for CareSens Air, i.e., a CGM system offered by i-SENS, and the collected date. “Data Subject” refers to the person identified by the information processed who is the subject of that information, and “Personal Information” refers to information relating to a living individual: that identifies a particular individual by their full name, resident registration number, image, etc.; that, even if it by itself does not identify a particular individual, may be easily combined with other information to identify a particular individual; and any of the above information that is pseudonymized and thereby becomes incapable of identifying a particular individualwithout the use or combination of information for restoration to the original state.

1. General Provisions
2. Purpose of Collection and Use of Personal Information
3. Particulars of Personal Information to Be Collected and Method of Collection
4. Personal Information Retention and Use Period
5. Personal Information Destruction Procedure and Method
6. Measures regarding Destruction, etc., of Non-Users’ Personal Information
7. Provision of Collected Personal Information to Third Parties
8. Outsourced Processing of Collected Personal Information
9. Overseas Transfer of Collected Personal Information
10. Possibility of Disclosure of Sensitive Information and Method of Choosing Non-Disclosure
11. Users’ and Legal Representatives’ Rights and Method of Exercising Them
12. Matters regarding Installation, Operation, and Rejection of Personal Information Auto-CollectionDevices
13. Matters regarding Processing of Pseudonymized Information
14. Other Policies on Personal Information Processing
15. Information on Privacy Officer, etc.
16. Method of Remedying Right Infringements of Data Subjects
17. Policy Amendments

1. General Provisions

i-SENS lawfully processes and safely manages Personal Information in compliance with the provisionsof the Personal Information Protection Act and other related statutes of the Republic of Korea in orderto protect the freedom and rights of Data Subjects.
Therefore, we have established and are disclosing the following Privacy Policy in accordance withArticle 30 of the Personal Information Protection Act in order to protect the Data Subjects’ PersonalInformation and handle the related complaints in a swift and smooth manner.
By disclosing this Privacy Policy on i-SENS’ CGM Service-related website or app menu, i-SENS hasmade it available to the users of the Services at all time.
This Policy is effective from September 1, 2023, and any amendment to this Policy will be publiclynotified to the users through an announcement on our website (or individually notified in writing or by email, text message, etc.).

2. Purpose of Collection and Use of Personal Information

i-SENS processes Personal Information for the following purposes. The processed Personal Information is not used for any other purpose than those set forth below, and in the event of a change in the purpose of use, we will take necessary actions, such as obtaining a separate consent pursuant to Article 18 of the Personal Information Protection Act and other related statutes.

For user identification and membership management

For CGM Service provision

For service improvement

For customer Q&A

For personalized advertising and marketing (with the user’s consent)

Additional Use and Provision

i-SENS may additionally use and provide Personal Information without the Data Subjects’ consent in consideration of the matters provided in Article 14-2 of the Enforcement Decree of the Personal Information Protection Act pursuant to Articles 15(3) and 17(4) of the Personal Information Protection Act. Accordingly, i-SENS has considered the following matters in order to additional use and providePersonal Information without the Data Subjects’ consent:

3. Particulars of Personal Information to Be Collected and Method ofCollection

In the sign-up or service use process, we collect minimum Personal Information that is necessary for us to provide the following Services through our homepage or individual applications, programs, etc.:

Services	Particulars of Personal Information Collected
i-SENS Integrated Member Account Management Site	[Required] Name, email address (ID), password, date of birth, sex, mobile phone number, profile picture, country of residence, language, user validation token information, device management information (device model, device OS information, unique device identifier), access IP information, log data, cookies,usage time
CareSens Air	[Required] Profile picture, connected blood glucose self-monitoring system information, questions, event information (food intake, exercise amount, memo, photo), sensor information (unique sensor identifier, PIN code, hardware version, software version, model number, lot information, etc.), mobile device information(device model, OS information, unique device identifier, ring tone mode, notification activation status, Bluetooth activation status), app settings information (app name, version, package name, installed time and date, permissions, database version, local settings information, etc.), log data, cookies, usage time [Sensitive Information (Required)] Blood glucose (monitored by sensor and selfmonitored for correction), notification information, used event log information,event information (blood glucose, ketone, insulin, oral medications), diabetes type
Sens365	[Required] Name, email address (ID), date of birth, sex, profile picture, mobile phone number, connected sensor and blood glucose monitoring system information, questions, event information (food intake, exercise amount, memo, photo), country of residence, language, roles and permissions, mobile device information (device model, OS information, unique device identifier), log data, cookies, usage time [Sensitive Information (Required)] Blood glucose (monitored by sensor and selfmonitored for correction), diabetes type, event information (blood glucose,ketone, insulin, oral medications)
The following Personal Information may be generated and collected in the course of using the Services: Automatically generated information: app installation and deletion records, etc. While the above automatically generated information is processed with the user’s consent, it may be automatically generated and collected in the course of using the mobile app, computer web, etc.

i-SENS collects the Personal Information above through a user’s consent to the collection and use of such Personal Information during sign-up or login. A user may elect not to consent to the collection and use of such information, but their use of some of the Services may be limited if they do not consent to the collection and use of the required information particulars and sensitive information (required) thatare needed to use the Services.

4. Personal Information Retention and Use Period

i-SENS processes and holds Personal Information within the Personal Information retention and use period as provided in the statutes or the Personal Information retention and use period for which a consent is obtained from the Data Subjects when collecting the Personal Information. The retention and use periods of each type of Personal Information are as follows:

User Identification and Membership Management: Until membership termination

Provided that, in any of the following cases, the period will be until the termination of the relevant case:

Provision/Improvement of CGM Services and Customer Q&A: Until membership termination

Provided that, in any of the following cases, the period will be until the termination of the relevant case:

5. Personal Information Destruction Procedure and Method

In principle, i-SENS destroys users’ Personal Information without delay when such Personal Information becomes unnecessary due to the lapse of its retention period, the achievement of the purpose of processing, etc. However, when Personal Information must be continuously retained under other statutes or at the user’s request (see 4. Personal Information Retention and Use Period above), such Personal Information is moved to a separate database or other storage location. The Personal Information that is moved to a separate database or storage location is not used for any purpose otherthan the purpose for which it is kept unless otherwise provided by law.

Destruction Procedure

i-SENS selects the Personal Information that must be destroyed and destroys the Personal Information after obtaining the approval of i-SENS’ Privacy Officer.

Destruction Metho

Any Personal Information that is saved in electronic file format is deleted using a technical method that renders the records unrecoverable. Any Personal Information that is in written form or printed on paper is destroyed by shredding it with a shredder..

6. Measures regarding Destruction, etc., of Non-Users’ PersonalInformation

i-SENS converts any user who does not use the Services for one (1) year to an inactive account and stores their Personal Information separately. The separately stored Personal Information may be destroyed after storing for one (1) year unless otherwise required by the statutes.
i-SENS notifies users who are expected to be converted to inactive accounts of the fact that theirPersonal Information is to be separately stored, the expected date of inactive conversion, and the Personal Information particulars that are separately stored, using a method of notice that can be used for the users, such as email, text message, etc., no later than thirty (30) days prior to inactive conversion.
If you do not wish to have your account converted to an inactive account, all you need to do is sign into the Services before your account is converted to an inactive account. Also, even after your account is converted to an inactive account, if your Personal Information has not been destroyed, you can use the Services as usual by logging in to your inactive account and consenting to the reactivation of youraccount.

7. Provision of Collected Personal Information to Third Parties

i-SENS provides Personal Information to a third party only in cases corresponding to Articles 17 and 18 of the Personal Information Protection Act with the user’s consent and pursuant to special provisions ofthe law and does not otherwise provide Personal Information to a third party without the user’s consent.
If a user wishes to use the services of an external partner company, i-SENS will provide PersonalInformation to the external partner company to the minimum extent necessary after obtaining the user’s express consent. Clickhere* to see the external partner companies and other third parties to which i-SENS currently provides users’ Personal Information. In the event any third party to which PersonalInformation is provided is added or changed, we will obtain users’ consent to such addition or change and notify you of the same through an announcement on our website (or individually notify you by email, etc.)
-SENS may provide Personal Information to a related agency without the Data Subjects’ consent incase of an emergency, such as a disaster, infectious disease, an event/accident causing imminent danger to life or body, imminent property loss, etc., pursuant to the Rules on the Processing andProtection of Personal Information in Emergencies jointly announced by the related government ministries. For more information, click here* .

8. Outsourced Processing of Collected Personal Information

In order to provide convenient and better Services, i-SENS outsources some of its work to external companies. i-SENS specifies matters regarding the prohibition of the outsourcees’ processing of Personal Information for a purpose other than the purpose of the outsourced work, technical and managerial protection measures, the limitation of re-outsourcing, the management and supervision of the outsourcees, and the outsourcees’ damages and other liability under Article 26 of the Personal Information Protection Act in writing such as in contracts, etc., and supervises whether the outsourceessafely process the Personal Information. If a user does not use the Services related to the work outsourced by i-SENS to an outsourcee, the user’s Personal Information is not provided to the outsourcee.

Outsourcing of Personal Information Processing

The external company to which i-SENS currently outsources the processing of users’ Personal Information is as follows. In the event the description of the outsourced work or the outsourcee changes, we will notify you of such change through an announcement on our website (or individually notify you by email, etc.).

Outsourcee	Description of Outsourced Work
Amazon Web Service Korea LLC	Description of Outsourced Work: infrastructure operation/management, data storage and backup
The Constant Company, LLC	Description of Outsourced Work: infrastructure operation/management, data storage and backup

9. Overseas Transfer of Collected Personal Information (including Outsourced Processing)

In order to perform the Services, i-SENS outsources the processing of Personal Information to a foreign specializing company as set forth below. As mentioned in 8. Outsourced Processing of Collected Personal Information above, when the processing of Personal Information is outsourced, we supervise the outsourcee to ensure the safe processing of Personal Information so that Personal Information can be securely protected.

10. Method of Setting Scope of Sensitive Information Disclosure

-SENS provides users’ sensitive information to the National Health Insurance Service or other third-party service provider only with the users’ separate consent. i-SENS does not disclosure any user’ssensitive information unless the user’s separate consent has been obtained or it is required by the statutes. Therefore, users may choose not to consent to the provision of sensitive information to thirdparties, in which case sensitive information is not disclosed to any third party.
Users may direct any question related to the scope of sensitive information disclosure and any request for a change of the disclosure scope settings or non-disclosure to the department and person in charge of Personal Information protection stated below:

11. Users’ and Legal Representatives’ Rights and Method of Exercising Them

Users and legal representatives may exercise the following rights in connection with the registered Personal Information of the users:

In the event the services of an external account are used by linking them with an i-SENS Services account, the external account can be delinked from ‘Member Information.’ The information collected by us through the external account link can be changed from the page for managing external accounts, such as Google, KakaoTalk, etc., and is deleted when the user terminates their linked i-SENS memberaccount.
Pursuant to Article 41(1) of the Enforcement Decree of the Personal Information Protection Act, a user can exercise the above rights by calling the main telephone number (02-910-0600) or writing, calling, or emailing the Privacy Officer (Tel: 02-910-0687, email: privacy@i-sens.com) anytime.
However, when a user demands the perusal, transmission, or suspension of processing of their Personal Information, their rights may be limited by Articles 35(4), 35-2(6), (7), and 37(2) of the Personal Information Protection Act. When a demand for perusal, a demand for transmission, a demand forcorrection/deletion, or a demand for the suspension of processing is made based on a user’s rights, i-SENS confirms whether the person making the demand for perusal, etc., is the user themselves or a legitimate representative of such user.
If a user requests the correction of an error in Personal Information, such Personal Information is not used or provided to a third party before the correction is completed. Also, in the event the incorrectPersonal Information has already been provided to a third party, we will notify such third party of the correction processing results without delay. However, in the case of a demand for correction and deletion of Personal Information, a user may not demand the deletion of Personal Information if suchPersonal Information is expressly required to be collected by other statutes. .

12. Matters regarding Installation, Operation, and Rejection of Personal Information Auto-Collection Devices

i-SENS uses ‘cookies,’ which save and retrieve users’ information. A cookie is a very small text file thatthe server used to operate i-SENS’ website sends to the user’s browser that is saved in the user’s computer hard disk or mobile device.

Purpose of Using Cookies, etc.

Cookies are used to offer tailored marketing and personalized Services by enabling the auto login feature, analyzing the access frequencies, time of visit, etc., of members and non-members, identifying the preferences and interests of users, tracking their movements, identifying their degree of participationin various events and number of visits, etc.

Method of Rejecting Cookies

Users have the right to select their cookie settings. Therefore, users can choose to allow all cookies,confirm every time cookies are saved, or reject all cookies by setting the options from their webbrowsers.
However, if a user rejects cookies, it may be difficult for us to provide the Services to that user.

As an example, the settings of Microsoft Edge can be set as follows:

13. Matters regarding Processing of Pseudonymized Information

i-SENS processes Personal Information as set forth below by pseudonymizing it so that specific individuals cannot be identified from such information to research and develop better products and services for achieving our business purpose, such as preparing statistics, conducting academic research, preserving records for the public good, conducting market research, etc. When doing so, we save and manage the pseudonymized information separately from any additional information to prevent it from becoming re-identifiable and take the necessary technical and managerial protective measures(see 14. Other Policies on Personal Information Processing below).

Matters regarding Pseudonymized Information Processing

Classification	Purpose of Processing	Particulars Processed	Retention and Use Period
Statistics Preparation	To analyze and study the demographics and usage patterns of users of CareSens Air offered by i-SENS	- De-identified user profile (sex, age, etc.), blood glucose value, measurement time information, used device information, event input information	Until membership termination
Academic Research	To study the blood glucose value improvement effect based on the method of use of users of CareSens Air offered by i-SENS	- De-identified user profile (sex, age, etc.), blood glucose value, measurement timeinformation, used device information, event input information	Until membership termination

14. Other Policies on Personal Information Processing

Technical and Managerial Measures for Securing Safety of Personal Information

i-SENS takes the following measures to secure the safety of Personal Information:

Post Operation Policy

-SENS values users’ posts, and we do our best to protect them so that they are not altered, damaged, or deleted. However, this does not apply to any of the following posts:

In order to promote a desirable posting culture, i-SENS may delete a particular section or redact it usingsymbols, etc., when a user discloses the personal matters of another person without the latter’s consent,and if any post can be moved to another bulletin board with a different topic, we make sure that thereis no misunderstanding by showing where the post was moved to.
In other cases, we can delete posts after giving express or individual warnings.
Basically, all rights and liability related to a post lies with the person who wrote it. Also, it is difficult toprotect any information that is voluntarily disclosed through a post, so please think carefully before disclosing any information.

15. Information on Privacy Officer, etc.

i-SENS has designated the following person as the Privacy Officer to oversee and take charge of the work related to Personal Information processing and to handle the complaints filed and remedy the damage suffered by the Data Subjects in connection with Personal Information processing. Please contact the Privacy Officer or the department-in-charge if you have any question, complaint, advice, etc., related to Personal Information protection while using the homepage, etc.

Privacy Officer

Department and Person in Charge of Personal Information Protection

Demand for Perusal of Personal Information

A user may demand the perusal of Personal Information pursuant to Article 35 of the Personal Information Protection Act from the above department-in-charge. i-SENS will endeavor to handle users’ demands for perusal of Personal Information promptly.

16. Method of Remedying Right Infringements of Data Subjects

A user can file all complaints related to the protection of Personal Information that arise while using the Services of i-SENS with the Privacy Officer or the department-in-charge. i-SENS will respond to users’ complaints. If you need to file a report or get counseling on other breaches of Personal Information,please direct your questions to the following agencies:

17. Policy Amendments

In the event any clause is added to, deleted from, or revised in the above, i-SENS will inform usersthereof through an announcement on our homepage.

Addendum

Effective Date of this Privacy Policy: September 11, 2023