CataScan
Privacy Policy

Updated: July 24, 2025

LabSD Inc. (the “Company”) hereby establishes and discloses this Privacy Policy regarding the services (the “Service”) provided through the CataScan application (the “Application”).

Article 1 (Purpose of Processing and Items of Personal Information Collected)
  1. The Company collects the following minimum necessary personal information from users who belong to institutions separately partnered with the Company (the “Affiliated Users”) to provide the Service to them.


  • Category: Collected upon initial use of the Application

  • Items Collected: ID, password, name (or identifiable account name), email, name of the affiliated institution

  • Purpose of Collection: Account creation and management, access authentication, Service operation

  2. In the case of general Application users who are not Affiliated Users (the “General Users”), all information related to the use of the Application is stored and processed only on the General User's mobile device and is not transmitted to the Company under any circumstances. Therefore, the Company does not collect, store, or process any personal information of the General Users.

  3. The Company automatically collects only the access logs of the Application users (e.g., access time, user endpoint token) in a form that is not combined with any other information and therefore cannot be used to identify an individual; accordingly, such logs do not constitute personal information under applicable laws.

  4. Partner institutions shall bear full responsibility for ensuring that Affiliated Users lawfully collect and use any information obtained from third parties through the Application (the “Information Collected by Partner Institutions”). The Company does not act as a personal information controller in relation to such information and disclaims all liability in any form.


Article 2 (Period of Retention and Use of Personal Information)
  1. The Company retains the personal information of Affiliated Users while they use the Service and for three (3) years following their termination of use of the Service. However, if a reason for destroying personal information arises, including discontinuation of the Service by the Company or withdrawal of consent, the information will be securely destroyed without undue delay.

  2. Notwithstanding the foregoing, the retention period may be extended where required by applicable laws or pursuant to a separate agreement with the data subject.


Article 3 (Entrustment of Personal Information Processing)

The Company entrusts some of the tasks necessary for providing the Service to external companies as follows. If a user does not use the services associated with the entrusted tasks, their personal information will not be transferred to the processor.


  • Processor: Amazon Web Services

  • Entrusted Task: Server provision (Indian Region)

  • Sub-processor and Entrusted Task Details: Use of servers in India; data storage and management; data security


Article 4 (Procedure and Method of Destroying Personal Information)
  1. When the retention period for personal information for which consent was obtained expires, or the purpose of collecting and processing personal information is achieved, such as upon the discontinuation of the Service by the Company, the Company will promptly and securely destroy the personal information.

  2. Notwithstanding Paragraph 1, if personal information must be retained in accordance with other laws, the relevant personal information will be transferred to a separate database or stored in a different location.

  3. The procedure and method for destroying personal information are as follows:

    • Destruction Procedure: The Company identifies the personal information for which a reason for destruction has occurred and destroys the personal information upon approval of the Company’s Data Protection Officer.

    • Destruction Method: The Company destroys personal information recorded and stored in electronic file format in a manner that renders it irretrievable. Personal information recorded and stored on paper documents is shredded or incinerated.

Article 5 (Rights and Obligations of Users and Their Legal Representatives, and Method of Exercising Rights)
  1. Affiliated Users may exercise their rights to request access, rectification, deletion, and suspension of processing of their personal information from the Company at any time.

  2. Such rights may be exercised via email to the Company, and the Company will respond without undue delay and within a reasonable time frame in accordance with applicable laws.

  3. The exercise of rights can also be done through a legal representative or an authorized agent. In this case, a power of attorney proving the agent's authority must be submitted.

  4. Users’ rights to access or suspend the processing of their personal information may be restricted as required under applicable laws, such as where retention is mandated by statute. Furthermore, if specific personal information is specified as a collection target in other laws, the deletion of that personal information cannot be requested.

  5. The Company does not collect or use the personal information of children under the age of 14 in connection with the provision of the Service.

Article 6 (Measures to Ensure the Security of Personal Information)

The Company takes the following measures to ensure the security of personal information:

  1. Administrative measures: Establishment and implementation of an internal management plan, employee training, etc.

  2. Technical measures: Management of access rights to personal information processing systems, installation of security software and intrusion prevention systems.

  3. Physical measures: Physical access control to facilities and storage areas containing personal information.

Article 7 (Data Protection Officer and Responsible Department)

The Company has designated a Data Protection Officer to handle inquiries, complaints, and remedies related to personal information. For any inquiries or concerns regarding the processing of your personal information, please contact the Data Protection Officer and the responsible department below.

Article 8 (Cross-border Transfer of Personal Information)

Personal information is initially stored on servers located in India and may be accessed from the Republic of Korea for service operation purposes (i.e., collected in India and accessed outside of India). As the cross-border transfer of personal information is essential to the provision of the Service, those who do not consent to such transfer may not be able to use the Service.

  • Items of personal information to be transferred: ID, password, name (or identifiable account name), email, name of the affiliated institution

  • Country to which information is transferred: Republic of Korea

  • Date, time, and method of transfer: Transmitted via network at the time of using the Application

  • Information of the recipient: LabSD Inc.

  • Purpose of use of personal information by the recipient: Provision and operation of the Application Service

  • Period of retention and use of personal information by the recipient: Same as the period of retention and use of personal information.

Article 9 (Changes to the Privacy Policy)
  1. This Privacy Policy shall take effect on the effective date stated below.

  2. If this Privacy Policy is added to, deleted, or amended in accordance with laws and the Company’s policies, the Company will announce the changes and the revised Privacy Policy on its official website and through in-app notifications at least 7 days prior to the effective date of such changes.

  • Date of Announcement: [Month] [Day], 2025

  • Effective Date: [Month] [Day], 2025


Discover the simplest solution for cataract screening with CataScan.

Copyright 2025 a-eye-lab

This service was developed with support from kakaoimpact Foundation and contributions from the Tech for Impact community
