Version 1.0.0 • sha256:1812472cceb2

Privacy Policy

Version: 1.0.0

Effective date: 2026-04-11

Authoritative language: Korean. In case of conflict, the Korean version governs.

Data Protection Officer (CPO): Kang In Wook / privacy@concourse.to / [PLACEHOLDER: CPO phone number]

⚠️ This is a draft document. Final review by a Korean medical law and data protection attorney is required before production use. The STRUCTURE of this document (sections, cross-border table, CPO block, intermediary disclaimer, retention periods) reflects PIPA §30 and GDPR Art. 13 requirements.

1. Information We Collect

[PLACEHOLDER: Concourse Inc.] ("Concourse", "we", "our") collects the following categories of information:

1.1 Required data

Account information: name, email, phone number, nationality, password (hashed)
Payment information: billing address, PortOne payment token (no full card number stored)
Usage data: access logs, device information, IP address, cookies

1.2 Sensitive medical data (PIPA §23)

Concourse processes the following sensitive medical data for cross-border dental care matching. Separate explicit consent is required.

Dental condition and subjective symptoms
Dental treatment history
X-ray, CBCT, panoramic imaging
Intraoral photos
Medical history, current medications, allergies

1.3 Users under 14

Personal data of users under 14 is collected only with verifiable parental/guardian consent (PIPA §22(6)).

2. Purposes

1. Cross-border patient solicitation intermediation — matching with Korean dental clinics, quote delivery, booking facilitation
2. Service fee billing, settlement, and refunds
3. Concierge services — airport pickup, accommodation guidance, visit coordination
4. Patient-clinic communication via in-app chat
5. Platform safety — fraud prevention, dispute resolution, legal obligations

3. Retention

| Category | Period | Basis |
| --- | --- | --- |
| Account data | Until account deletion | User consent |
| Medical images (X-ray, intraoral) | **10 years** | Korean Medical Act §22, §23 |
| Treatment records | 10 years | Korean Medical Act §22 |
| Payment & transaction records | 5 years | E-commerce Act §6 |
| Dispute resolution records | 3 years | E-commerce Act §6 |
| Access & audit logs | 3 years | PIPA Enforcement Decree §48-2 |
| Marketing records | 6 months | E-commerce Act §6 |

After the retention period expires, data is auto-destroyed (encryption key destruction + DB soft delete → physical deletion). Destruction events are written to the audit log.

4. Data Sharing

Concourse does not share personal data with third parties except as follows:

Matched Korean dental clinics: sensitive medical data necessary for consultation, quoting, and treatment
Legal obligations (law enforcement warrants, court orders)
With explicit prior user consent

5. Cross-Border Data Transfer

Concourse transfers personal data to the following non-Korean processors. Separate consent is required under PIPA §28-8.

| Processor | Country | Purpose | Data Categories |
| --- | --- | --- | --- |
| Railway (PaaS) | United States | Application + database hosting | All application data (encrypted at rest) |
| Cloudinary | United States | Image storage + delivery | Medical images (X-rays, dental photos) — AES-256-GCM encrypted |
| Resend | United States | Transactional email delivery | Email address, name, transaction details |
| Sentry | United States | Error monitoring (PII scrubbed) | Error payloads, stack traces (no medical content after Phase 5 scrubbing) |
| DeepL | Germany (EU) | Chat message translation | Chat message text (ephemeral) |

Transfer method: Real-time transfers over encrypted channels (TLS 1.2 or higher).
Processor contacts: Available on each processor's official website; Concourse will provide on request.
Right to refuse: You may refuse cross-border transfer. However, because core services (payments, email, translation) all go through US-based processors, refusing blocks account creation. Existing users may withdraw cross-border consent at any time via "My Data > Withdraw Consent"; some services (email alerts, international payments, auto-translation) will stop.

6. Data Subject Rights

You may exercise the following rights at any time (PIPA §35-39, GDPR Art. 15-22):

1. Right of access — view the personal data we hold about you
2. Right to rectification — correct inaccurate information
3. Right to erasure — request deletion (subject to statutory retention for medical records)
4. Right to restrict processing — pause processing for specific purposes
5. Right to data portability — export in machine-readable format (JSON, PDF)

Exercise these rights via the in-app "My Data" menu or by emailing privacy@concourse.to. We will respond within 30 days (GDPR) or 10 days (PIPA).

7. Security Measures

Encryption: AES-256-GCM for sensitive data at rest; TLS 1.2+ for data in transit
Access control: Role-based access, medical files visible only to the patient and matched doctor
Audit logging: PHI read events retained for 3 years (PIPA §29, Enforcement Decree §48-2)
Regular security reviews: Quarterly internal security audits
Designated Data Protection Officer: Kang In Wook

8. Data Breach Notification

In the event of a personal data breach, Concourse will:

Within 24 hours: Detect, assess scope, notify the CPO
Within 72 hours: Notify the Personal Information Protection Commission and KISA (PIPA §34)
Without undue delay: Notify affected users (categories affected, time, response, contact)
Public disclosure: Post notice on the website

9. Cookies

Concourse uses cookies and similar storage technologies to maintain your session. Essential cookies cannot be refused; analytics cookies can be opted out in settings.

10. Data Protection Officer

Name: Kang In Wook
Email: privacy@concourse.to
Phone: [PLACEHOLDER: CPO phone number]

You may also report complaints to:

Personal Information Infringement Report Center (privacy.kisa.or.kr, 118)
Personal Information Dispute Mediation Committee (kopico.go.kr, 1833-6972)

11. Changes to this Policy

Material changes will be announced in-app and via email at least 7 days before they take effect. Continued use after the effective date constitutes acceptance.



Business information: [PLACEHOLDER: Concourse Inc.] | CEO: Jun Soo Kwon | Address: [PLACEHOLDER: Seoul, South Korea] | Business Number: [PLACEHOLDER: business registration number] | E-commerce Registration: [PLACEHOLDER: mail-order business registration number] | Medical Tourism License: [PLACEHOLDER: foreign patient attraction business registration number (registration in progress)]