CART BP pro Privacy Policy
Notice Date: January 7, 2026
Sky Labs Co., Ltd. (hereinafter referred to as the “Company”) values users' personal information and strives to comply with relevant laws such as the 「Personal Information Protection Act」.
Through this Privacy Policy (hereinafter referred to as “this Policy”), the Company informs you about how it uses the personal information collected from users during the provision of the CART BP pro App Service (hereinafter referred to as the “Service”), the purposes for which it is used, the methods employed, and the measures taken to protect personal information.
1. Purpose of Personal Information Processing
The Company processes personal information for the following purposes. Personal information being processed will not be used for any purpose other than those listed below. Should the purpose of use change, the Company will implement necessary measures, such as obtaining separate consent in accordance with Article 18 of the Personal Information Protection Act.
1) Hospital Registration and Management
(1) Personal information is processed to confirm the hospital's consent during registration and, after registration, for hospital identification, hospital account creation, and maintaining service eligibility.
2) Service Provision
(1) Personal information is processed for the purpose of providing patients' measurement results.
2. Purpose of Personal Information Processing, Items Processed, Retention/Use Period, and Legal Basis
The Company processes and retains personal information within the period permitted by law or within the period agreed upon by the data subject at the time of collection.
3. Items of Personal Information Processed
The Company processes the following personal information with the user's consent.
Purpose of processing
Hospital Registration and Management
Service Provision
Personal information item
-
Email address
General Personal Information
-
Patient ID
-
Patient Date of Birth
-
Patient Mobile Phone Number
-
CART-Ring information collected from CART-Ring (Device Name, MAC address, firmware version, log information)
Sensitive Information
-
Medical treatment time data
-
PPG measurement biometric information (blood pressure, pulse rate, irregular pulse wave)
-
Accelerometer sensor information collected from CART-Ring
-
Cuff-type blood pressure monitor measurement information (for blood pressure calibration)
-
Sleep time entered by the user
Retention and Use Period and Legal Basis
-
Until the end date of hospital service use
-
Until the end date of hospital service use
4. Matters Concerning the Processing of Personal Information of Children Under the Age of 14
The Company does not collect personal information from minors as a general rule. When it is unavoidable to collect personal information from individuals under the age of 19 (youth weighing 30kg or more) for service use, the Company will obtain prior consent from their legal representative. The information will be destroyed without delay once the relevant business is completed, and the personal information will be strictly managed throughout the business process.
5. Provision of Personal Information to Third Parties
The Company processes the personal information of data subjects only within the scope specified for the purpose of processing personal information. Personal information is provided to third parties only in cases falling under Article 17 and Article 18 of the 「Personal Information Protection Act」, such as with the data subject's consent or under special provisions of law. Personal information is not provided to third parties for any other purposes.
The Company will obtain the data subject's consent and provide personal information only to the minimum necessary extent in the following cases to ensure smooth service provision.
6. Outsourcing of Personal Information Processing
The Company outsources personal information processing tasks to external specialized companies as follows. Outsourcing of personal information processing occurs only when necessary for the implementation of individual services and is conducted with each outsourcing company. Should the content of the outsourced tasks or the outsourcing recipient change, we will disclose this promptly through this Privacy Policy.
Name of the Entrusted Company
MetaM Co., Ltd.
Amazon Web Services, Inc.
NAVER Cloud
Scope of the outsourced work
Customer Service Center CS Response and Handling
Provision of web services, including cloud services, for the company's service delivery
Provision of web services, including cloud services, for the company's service delivery
7. Procedures and Methods for Destroying Personal Information
The Company shall, in principle, promptly destroy personal information when the purpose of its collection and use is achieved or when the user's personal information becomes unnecessary, such as upon withdrawal from membership. However, if personal information must be retained after the purpose is achieved in accordance with relevant laws and regulations, the Company shall store such personal information in a separate database or at a different storage location.
The specific procedures and methods for destroying personal information are as follows.
Disposal Procedure
Disposal Method
Personal information collected during the service usage process will be promptly destroyed once the purpose of processing is achieved or the retention period required by relevant laws and regulations expires.
Personal information stored in electronic file formats is deleted using technical methods that prevent the records from being reproduced. Personal information printed on paper is destroyed by shredding or incineration.
8. User Rights and Obligations, Methods of Exercise, and Related Precautions
Access, Correction, Deletion, and Suspension of Processing of Personal Information
Withdrawal of Consent Regarding Personal Information
Important Notice Regarding User Personal Information
Users may view, correct, delete, or suspend the processing of their personal information collected and used by the Company at any time.
If you wish to view, correct, delete, or suspend the processing of your personal information, charge of personal information protection of the Company please contact the person in in writing, by phone, or by e-mail, and we will take action without delay.
Users may also request to view, correct, delete, or suspend the processing of their personal information through an agent, such as a legal representative or a person authorized by the user. In this case, you must submit a power of attorney in the form of Attachment No. 11 of the "Notice on the Method of Processing Personal Information".
If you request the correction of errors in your personal information, the Company will not use such personal information until the correction is completed.
However, the Company may refuse to view or correct all or part of your personal information in any of the following cases.
-
If there is a risk of significant harm to the life, body, property, or rights and interests of the user or a third party or a third party
-
If it is likely to significantly interfere with the Company's business
-
If it is against the law
Users may withdraw their consent to the collection, use, and provision of personal information at any time.
By contacting the Personal Information Protection Officer in writing, by phone, or via email, we will promptly take necessary measures such as destroying the user's personal information. The company will take necessary measures to ensure that withdrawing consent for personal information collection is easier than the method used to collect the information.
Users have the right to have their personal information protected, along with the obligation to protect themselves and refrain from infringing on others' information.
Users are requested to accurately input their personal information in its most current state to prevent unforeseen accidents. Responsibility for accidents arising from inaccurate information entered by the user lies solely with the user. Inputting false information, such as misappropriating another person's information, may result in disadvantages.
Please be careful not to damage others' personal information, including their posted content.
Failure to fulfill these responsibilities and damaging others' information or dignity may result in penalties under relevant laws and regulations, such as the 「Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.」.
9. Security Measures for Personal Information
1) The company implements the following technical, administrative, and physical measures to ensure the security of users' personal information during processing, preventing loss, theft, leakage, alteration, or damage.
(1) Administrative Measures: Establishing and implementing internal management plans, operating dedicated organizations, conducting regular employee training
(2) Technical Measures: Access rights management for personal information processing systems, installation of access control systems, encryption of personal information,
installation and updating of security programs
(3) Physical Measures: Access control for computer rooms, data storage rooms, etc.
2) To ensure the security of personal information, the company implements the following activities in addition to those required by law.
(1) Acquisition of domestic and international personal information protection certifications: ISO/IEC 27701
10. Installation and operation of automatic personal information collection devices and matters concerning refusal thereof
The company does not operate any automatic information collection devices within the CART BP pro App.
11. Matters Concerning the Processing of Pseudonymized Information
The company may process collected personal information by pseudonymizing it to prevent identification of specific individuals for purposes such as statistical compilation, scientific research, and public interest record preservation. The Company does not outsource the processing of pseudonymized information or provide it to third parties. Pseudonymized information is stored and managed separately to prevent re-identification. Records detailing the processing of pseudonymized information are created and retained. Access to computer rooms, data storage facilities, and other locations where pseudonymized information is stored is controlled. Necessary technical, administrative, and physical protective measures are implemented.
Category
Research for Service Improvement
Purpose of Processing
Purpose of algorithm enhancement for internal service research
Processing Items
Sensitive Information
-
PPG-measured biometric data (blood pressure, pulse rate, irregular pulse wave)
-
Accelerometer data collected from the cart ring
-
Sleep duration entered by the user
Retention and use period
Until the research objectives are achieved
12. Chief Privacy Officer
The company has designated a Personal Information Protection Officer as follows to protect users' personal information and handle complaints related to personal information.
Chief Privacy Officer
Name
Position
Contact
Adress
Minsoo Chang
Executive Director
1599-3402
703, 58, Pangyo-ro 255beon-gil, Bundang-gu, Seongnam-si, Gyeonggi-do
Users may report any privacy-related complaints arising from the use of the Company's services to the Privacy Officer. The Company will provide prompt responses to user reports.
13. Matters Concerning Requests for Access to Personal Information
Data subjects may submit requests to access their personal information pursuant to Article 35 of the Personal Information Protection Act to the department listed below.
The company will endeavor to process data subjects' requests for access to their personal information promptly.
14. Remedies for Violations of Personal Information Rights
Data subjects may apply for dispute resolution or consultation with the Personal Information Dispute Mediation Committee, the Korea Internet & Security Agency's Personal Information Infringement Reporting Center, and other relevant bodies to seek redress for personal information infringements. For reporting or consulting on other personal information infringements, please contact the institutions listed below.
Personal Information Dispute Mediation Committee
Personal Information Infringement Report Center
Supreme Public Prosecutor's Office Online Complaint Center
National Police Agency Cyber Safety Bureau
Website
Contact
Website
Contact
Website
Contact
Website
Contact
1833-6972
118
1301
182
15. Other Policies Related to Personal Information Processing
Link Site Provision Policy
Policy Against Unauthorized Email Collection
Transmission of advertising information
Changes to This Policy
The Company may provide links to websites or materials offered by other companies through its services. In such cases, the Company has no control over external sites or materials and therefore cannot be held responsible for or guarantee the usefulness of any services or materials obtained from them. When you click a link posted on the Company's Service to navigate to another website or page, the personal information on that site is processed according to its own separate privacy policy, which is unrelated to the Company. Please review the policies of such sites.
The company prohibits the unauthorized collection of posted email addresses using email harvesting programs or other technical devices.
The company does not send commercial advertising information contrary to the user's explicit opt-out request. If a user consents to receiving email communications such as product information guides or newsletters, the company ensures that the user can easily recognize this by clearly indicating it in the subject line and body of the email.
This policy was revised on January 7, 2026. Content may be added, deleted, or modified due to changes in laws, policies, or security technologies. Should any additions, deletions, or modifications occur, we will notify users of the reasons for the changes and the details via our website when the revised Privacy Policy takes effect. In the event of significant changes, such as the provision of personal information to third parties, changes to the purpose of collection or use, or changes to the retention period, we will obtain the user's consent in addition to providing notice.
This policy takes effect on January 7, 2026.